Switch from HTTP to HTTPS in existing ASP.NET web application
Switch complete traffic from unsecured to secured with web.config update
Starting from few years ago, Google enforces secured over unsecured website traffic. However it is an ongoing process since both publishers and advertisers need to implement HTTPS in order to avoid mixed contnet exception in a browser and preventing ads to load on a website.
Why switching from HTTP to HTTPS?
HTTPS adds additional steps on page load which is encryption and decryption of the request and response data. This also adds an additional CPU overload on both side. So why it is better?
Beside adding a small CPU overhead on the encryption and description steps, it provides security in terms of newsletters subscriptions, registrations, logins or any other data submission operation. Beside, apart from Google, most of the this parties such as Twitter, Disqus, Facebook are enforcing secured over unsecured communication, so in order to integrate any of these third party elements on your page you need to switch to HTTPS.
Swicthing with minimum impact
The issue with switching to HTTPS from HTTPS might be in a case when you already have a long running website which is already indexed with Google. In this case switching to only HTTPS will reduce the number of visits until the new secured content is indexed.
This is not completely true. HTPP binding on the port 80 still stays, you just need to redirect to HTTPS which is on port 443.
IIS comes with URL Rewrite Module for IIS right out of the box which can be used by referencing it from web.config. A nice video walk-thought on how to use URL Rewrite Module can be found at Microsoft MSDN library along with documentation on how to create rule for URL Rewrite Module on IIS
<configuration> <system.webServer> <rewrite> <rules> <rule name="HTTP/S to HTTPS Redirect" enabled="true" stopProcessing="true"> <match url="(.*)" /> <conditions logicalGrouping="MatchAny"> <add input="{SERVER_PORT_SECURE}" pattern="^0$" /> </conditions> <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" /> </rule> </rules> </rewrite> </system.webServer> <configuration>
Make sure you have URL Rewrite Module on your hosting IIS. Absence of URL Rewrite module can cause Configuration Exception after referencing the module in web.config
This way all HTTP request will be rewritten to HTTPS automatically ending up with all traffic to you website regardless user requested HTTP or HTTPS will end up with HTTPS.
References
- https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/url-rewrite-module-video-walkthrough
- https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/creating-rewrite-rules-for-the-url-rewrite-module
- https://support.google.com/webmasters/answer/6073543?hl=en
- https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content
- https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content
Disclaimer
Purpose of the code contained in snippets or available for download in this article is solely for learning and demo purposes. Author will not be held responsible for any failure or damages caused due to any other usage.
Comments for this article