Is it possible to have IIS require SSL and redirect HTTP at the same time?
Solution 1:
If you turn on Require SSL then HTTP requests will fail immediately.
One trick we used (using ASP.NET) before doing the same was to check for the protocol on the default page, then issue a friendly warning, e.g.
```vb
Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
    ' On a plain-HTTP request, hide the login form and show the warning instead
    If Not Request.IsSecureConnection Then
        loginform.Visible = False
        ltl_warning.Text = "Non-secure connections will be disabled in one month, please use the secure address only: https://mysite.com"
    End If
End Sub
```
Solution 2:
The "Require SSL" still responds without SSL, so MITM attacks are still a possibility.
To secure the site, you should use the redirect, and then send the Strict-Transport-Security header, so that after the first visit, the user's browser won't even attempt to connect without using SSL.
Further Reading
- HTTP to HTTPS redirects on IIS 7.x and higher - Not related to STS
- How to enable HTTP Strict Transport Security (HSTS) in IIS7+