New Azure Web Sites and SSL (HTTPS)

The newly released Azure Web Sites doesn’t yet allow you use your own SSL certificates. You can secure the channel by using their *.azurewebsites.net cert, but you can’t stop someone using plain old “http”. In order to secure your whole site, add the following to your web.config to force redirection to https.

  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <rewrite>
      <rules>
        <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)"/>
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$"/>
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther"/>
        </rule>
      </rules>
    </rewrite>
  </system.webServer>

If you’re using ASP.NET MVC (V2 onwards), you don’t need this, you can simply add [RequireHttps] to any of your controller actions.

Advertisements