New Azure Web Sites and SSL (HTTPS)

The newly released Azure Web Sites doesn’t yet allow you use your own SSL certificates. You can secure the channel by using their * cert, but you can’t stop someone using plain old “http”. In order to secure your whole site, add the following to your web.config to force redirection to https.

    <validation validateIntegratedModeConfiguration="false" />
        <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)"/>
            <add input="{HTTPS}" pattern="^OFF$"/>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther"/>

If you’re using ASP.NET MVC (V2 onwards), you don’t need this, you can simply add [RequireHttps] to any of your controller actions.