How to redirect HTTP to HTTPS in MVC application (IIS7.5)

Question

I need to redirect my HTTP site to HTTPS, have added below rule but I am getting 403 Error when tried using http://www.example.com, it works fine when I type https://www.exa

Answer 1

Use this code in web.config file for redirect http:// to https://

 <configuration>
 <system.webServer>
 <rewrite>
 <rules>
 <rule name="HTTPS force" enabled="true" stopProcessing="true">
 <match url="(.*)" />
 <conditions>
 <add input="{HTTPS}" pattern="^OFF$" />
 </conditions>
 <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
 </rule>
 </rules>
 </rewrite>
 </system.webServer>
</configuration>

Answer 2

This answer is not exactly for OP but for those who could not make it work like me and have come across this (and although I know there is 403 not 404 error in OP), please refer to this answer if you are getting 404 instead: https://stackoverflow.com/a/6962829/5416602

Please check that you have binding for HTTP port (80) and not only HTTPS port (443) in your IIS

Answer 3

I use the following in Global.asax:

protected void Application_BeginRequest()
{
  if (FormsAuthentication.RequireSSL && !Request.IsSecureConnection)
  {
    Response.Redirect(Request.Url.AbsoluteUri.Replace("http://", "https://"));
  }
}

Answer 4

To force https only when the website is lunched on the server and ignore it while running the website on your machine for development :

In Global.asax :

You'll need the Application_BeginRequest() method

public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
         // .....
    }

    //force https on server, ignore it on local machine
    protected void Application_BeginRequest()
    {
        if (!Context.Request.IsSecureConnection && !Context.Request.Url.ToString().Contains("localhost"))
            Response.Redirect(Context.Request.Url.ToString().Replace("http:", "https:"));
    }
}

Answer 5

It's very simple. Just add one line in "Global.asax" file as below:

protected void Application_Start()
{
    GlobalFilters.Filters.Add(new RequireHttpsAttribute(true));
}

If you would like to apply only server-side, not local side then apply following code:

protected void Application_Start()
{
   if (!HttpContext.Current.Request.IsLocal)
         GlobalFilters.Filters.Add(new RequireHttpsAttribute(true));
}

Hope it will help you :) Thank you!

Answer 6

You could use the RequireHttpsAttribute for simple cases.

[RequireHttps]
public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}

As stated in MSDN...

"Represents an attribute that forces an unsecured HTTP request to be re-sent over HTTPS."

RequireHttpsAttribute

I'm not sure you'd want to use this to enforce HTTPS across a large site though. Lots of decorating to do, and opportunity to miss controllers.