Home > Blockchain >  Enforcing ASP .NET Core 2.1 to use HTTPS and return 400 Error
Enforcing ASP .NET Core 2.1 to use HTTPS and return 400 Error

Time:09-28

I have an older ASP .NET Core 2.1 app, which has been accepting HTTP requests.

I need now the app to Stop using HTTP and use HTTPS only and return 40x errors for any HTTP requests automatically/by default.

I have done the following:

  • added app.UseHttpsRedirection(); to the Configure method; also added
  • added "https_port": 443, to the appsettings.json
  • I also tried to enable "HTTPS Only" on the app itself (in Azure).

But it still accepts and returns the same responses (and 200) whether I use HTTP or HTTPS calls.

Any suggestion on what am I missing to implement here?

Here is part of my Startup.cs:

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.Use(async (context, next) =>
        {
            if (context.Request.Method == "OPTIONS")
            {
                context.Response.StatusCode = 405;
                return;
            }
            await next.Invoke();
        });
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Error");
            // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
            app.UseHsts();
        }
        app.UseHttpsRedirection();

        app.UseUsageLogging();
        app.UseSerilogRequestLogging();
        app.UseCoreExceptionHandling();

        app.UseAuthentication();
        app.UseCors("CorsPolicy");
        app.UseAspNetCoreAuth();

...

Here are the requests, which both returns 200 OK, and the same data:

http://myapp.net/ping

https://myapp.net/ping

Or am I missing how it is supposed to work?

Updated: Even if I remove the HttpsRedirection part, and leave the only app.UseExceptionHandler - it is still not working as expected (all HTTP are still going thru and returns the same data as HTTPS).

CodePudding user response:

As far as I know, if you used the UseHttpsRedirection, it will redirect all the http request to the HTTPS. That means your websites will not contain any http request which send to your server. There is no need to return 400 when using the http.

Your server will let all the http request redirect to https. I suggest you could try to use browser F12 develop tool to chck if this httpsredirection is working well or not.

CodePudding user response:

It appeared that the best way is to migrate v2.1 to v3.1. Then also create own package to use TLS for Remote Connections, and disable the app.UseHttpsRedirection();

  • Related