在asp.net中最好的方式来强制HTTPS为整个网站？ [英] Best way in asp.net to force https for an entire site?

问题描述

大约6个月前我铺开，其中每个请求需要通过HTTPS站点。当时唯一的办法我能找到，以确保一个页面的每个请求是通过HTTPS是检查它在页面加载事件。如果请求不通过HTTP我的Response.Redirect（https://mysite.com）

About 6 months ago I rolled out a site where every request needed to be over https. The only way at the time I could find to ensure that every request to a page was over https was to check it in the page load event. If the request was not over http I would response.redirect("https://mysite.com")

有没有更好的方法？ - 最好在web.config中的一些设置。

Is there a better way -- ideally some setting in the web.config?

推荐答案

请使用HSTS

从<一个href=\"http://www.hanselman.com/blog/HowToEnableHTTPStrictTransportSecurityHSTSInIIS7.aspx\">http://www.hanselman.com/blog/HowToEnableHTTPStrictTransportSecurityHSTSInIIS7.aspx

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                        redirectType="Permanent" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security"
                        pattern=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" value="max-age=31536000" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

原来的答案

基本上

protected void Application_BeginRequest(Object sender, EventArgs e)
{
   if (HttpContext.Current.Request.IsSecureConnection.Equals(false) && HttpContext.Current.Request.IsLocal.Equals(false))
   {
    Response.Redirect("https://" + Request.ServerVariables["HTTP_HOST"]
+   HttpContext.Current.Request.RawUrl);
   }
}

这将走在Global.asax.cs中（或global.asax.vb）

that would go in the global.asax.cs (or global.asax.vb)

我不知道的一种方式在web.config中指定它

i dont know of a way to specify it in the web.config

这篇关于在asp.net中最好的方式来强制HTTPS为整个网站？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！