Steve

Reputation: 5952

Already using rewrite module to redirect to ssl - overkill to also do in asp.net?

I'm using the IIS 7 rewrite module to redirect a page to use https if http is detected.

Is it possible that the rewrite module can be bypassed? Would it be overkill to also put an https check in the page_load code as well?

Upvotes: 0

Views: 188

Answers (1)

Pedro Laguna

Reputation: 465

If you want to force SSL, the best way to do it is to use only port 443. If you only need SSL on some pages of your website, my recommendation is to move these files into a special web application or virtual directory. Doing this, you can force the SSL connection for these files without worrying about rewrite rules. You can check how to do it here: http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7/

Allowing HTTP and HTTPS connections to the same resource can be used to perform a cookie stealing attack if the application cookies are not using the "Secure" attribute.

Upvotes: 1
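An added example, not part of the answer above: a web.config for the dedicated application the answer describes, requiring SSL at the IIS level and marking the application's cookies Secure. It assumes forms authentication is in use and that the `access` section has been unlocked for the site.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Example web.config for the SSL-only application (constructed for illustration). -->
<configuration>
  <system.web>
    <!-- Default is requireSSL="false": cookies are also sent over plain HTTP.
         requireSSL="true" adds the Secure attribute to cookies the application issues. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />

    <!-- Assumption: the site uses forms authentication.
         requireSSL="true" keeps the authentication ticket cookie off HTTP. -->
    <authentication mode="Forms">
      <forms requireSSL="true" />
    </authentication>
  </system.web>

  <system.webServer>
    <security>
      <!-- Default is sslFlags="None": IIS serves the content over HTTP and HTTPS.
           sslFlags="Ssl" is the "Require SSL" setting: IIS answers HTTP requests
           for this application with 403.4 instead of serving the content.
           Caveat: this section is locked at server level by default in IIS 7, so it
           must be unlocked or set in applicationHost.config for the site. -->
      <access sslFlags="Ssl" />
    </security>
  </system.webServer>
</configuration>
```

With this in place the enforcement no longer depends on a rewrite rule matching every request path, and a cookie set over HTTPS is not sent if the browser is later pointed at an http:// URL on the same host.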
