HTTPS
This article covers the recommended way of working with HTTPS and Umbraco CMS.
We highly encourage the use of HTTPS on Umbraco websites especially in production environments. By using HTTPS you greatly improve the security of your website.
There are multiple benefits of HTTPS:
Trust - when your site is delivered over HTTPS your users will see that your site is secured, they are able to view the certificate assigned to your site and know that your site is legitimate
Removing an attack vector called "Man in the middle" (or network Sniffing)
Guards against Phishing, an attacker will have a hard time obtaining an authentic Secure Sockets Layer (SSL) certificate
Google likes HTTPS, it may help your site's rankings
Another benefits of HTTPS is that you are able to use the http2 protocol if your web server and browser support it.
Set UseHttps configuration option
Umbraco allows you to force HTTPS for all backoffice communications by using the following configuration:
In Umbraco 9, set the UseHttps key in appSettings
to true.
This options does multiple things when it is turned on:
Ensures that the backoffice authentication cookie is set to secure only (so it can only be transmitted over https)
All non-https requests to any backoffice controller is redirected to https
All self delivered Umbraco requests (those are scheduled publishing, keep alive, etc...) are performed over https
All Umbraco notification emails with links generated have https links
All authorization attempts for backoffice handlers and services will be denied if the request is not over https
Redirect traffic in code
The .NET5+ way to handle this, is by adding this HttpsRedirectionMiddleware
to your pipeline in Program.cs
. This can be done by adding app.UseHttpsRedirection();
before the call to app.UseUmbraco()
in the Configure
method:
Redirect traffic on IIS
Once you enable HTTPS for your site you should redirect all requests to your site to HTTPS. This can be done with an IIS rewrite rule. The IIS rewrite module needs to be installed for this to work, most hosting providers will have that enabled by default.
In your web.config
find or add the <system.webServer><rewrite><rules>
section and put the following rule in there. This rule will redirect all requests for the site http://mysite.com URL to the secure https://mysite.com URL and respond with a permanent redirect status.
The rule includes an ignore for localhost
. If you run your local environment on a different URL than localhost
you can add additional ignore rules. Additionally, if you have a staging environment that doesn't run on HTTPS, you can add that to the ignore rules too.
SSL versus Transport Layer Security (TLS)
In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS), or, formerly, its predecessor, Secure Sockets Layer (SSL) - wikipedia
While the deprecated SSL (2.0 and 3.0) are not supported anymore by modern browsers, some of the Umbraco configuration still uses SSL. But rest assured, that is only the name.
Last updated