Is it possible to have IIS require SSL and redirect HTTP at the same time?

redirect ssl iis-7.5

Solution 1:

If you turn on Require SSL then HTTP requests will fail immediately.

One trick we used (using ASP.NET) before doing the same was to check for the protocol on the default page, then issue a friendly warning, e.g.

If Not Request.IsSecureConnection Then
    loginform.visible = False
    ltl_warning.Text = "Non-secure connections will be disabled in one month, please use the secure address only: https://mysite.com"
End If

Solution 2:

The "Require SSL" still responds without SSL, so MITM attacks are still a possibility.

To secure the site, you should use the redirect, and then send the Strict-Transport-Security header, so that after the first visit, the users browser won't event attempt to connect without using SSL.

Further Reading

  • HTTP to HTTPS redirects on IIS 7.x and higher - Not related to STS
  • How to enable HTTP Strict Transport Security (HSTS) in IIS7+

Related

tomcat8 from wheezy-backports fails with configtest.sh
How can I create and install a domain signed certificate in IIS using PowerShell?
How to serve specific static files with nginx?
substring(int) method magically doesn't throw StringIndexOutOfBoundsException [duplicate]
Error: This property is defined but not available in this context
Even if I align text, it is not set to left aligned
How to make datatable specific column editable?
Mongoose query return null
How to navigate to homepage upon form submit in react web using react-router-dom v6.2.1?
Freeze table first two column
Display number in adaptive card
List generated from For loop with .append() of another JSON data