Is it possible to have IIS require SSL and redirect HTTP at the same time?

Solution 1:

If you turn on Require SSL then HTTP requests will fail immediately.

One trick we used (using ASP.NET) before doing the same was to check for the protocol on the default page, then issue a friendly warning, e.g.

' Page_Load of the default page (ASP.NET Web Forms, VB.NET): when the request did
' not arrive over HTTPS, hide the login form and show the warning instead.
Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
    If Not Request.IsSecureConnection Then
        loginform.Visible = False
        ltl_warning.Text = "Non-secure connections will be disabled in one month, please use the secure address only: https://mysite.com"
    End If
End Sub

Solution 2:

The "Require SSL" still responds without SSL, so MITM attacks are still a possibility.

To secure the site, you should use the redirect, and then send the Strict-Transport-Security header, so that after the first visit, the user's browser won't even attempt to connect without using SSL.

Further Reading

  • HTTP to HTTPS redirects on IIS 7.x and higher - Not related to STS
  • How to enable HTTP Strict Transport Security (HSTS) in IIS7+