SSL Review
In the .NET Core MVC course, you learned how to integrate SSL into an Azure App Service to assign a custom domain. As a quick reminder, let me reiterate what was said in this regard:
Set up a custom domain
Assigning a custom domain to your app is always nice, and it can be done for any Azure App Service. We will not require you, as part of this course, to assign a custom domain for your app. To do so is simply too costly for a tutorial project such as this. However, we do want to make you aware of what is required to do so, should you decide to at a later date. Here are the things you’ll need to consider and do before a custom domain can be assigned:
In the interest of keeping things as inexpensive as possible for our students, that’s as far as we’ll take this subject for this course. This at least provides you with a checklist of what you’ll need to do once you’re ready to assign a custom domain to one of your applications.
While SSL is required to set up a custom domain for an App Service on Azure, that’s definitely not the only reason to use it. Using SSL and requiring a secure HTTPS connection for your website or application assures users that the information they may divulge on your site is protected from potential threats. In fact, without it, your site visitors may not even get to your site. They may see a message like this instead:
That’s not something that instills confidence. I’m sure you’ve encountered something similar as you’ve browsed online. And unless you knew for certain that the site to which you were trying to navigate was valid and OK (something you built, for example), then you probably chose not to proceed and navigated right back to where you came from.
If you want online traffic, warnings like this aren’t much of a help, which is why SSL is so important.
It should be noted that not all SSL certificate services require a financial commitment. Some people believe online security should be available to everyone. One example is Let’s Encrypt, a free, automated, and open certificate authority. There are other free SSL services out there as well, but if you go this route, remember that not all services are created equal. Be sure the one you select is reputable. Free SSL may require a bit more work on your part to maintain your site’s secure status, but if money is an obstacle, then a little extra work may be a small price to pay.
Require HTTPS
Requiring HTTPS is a simple thing to do, and it only takes a moment to ensure that your applications require this protocol. It makes sure that data transmitted between your site and its visitors is encrypted in transit and offers your site’s visitors a small sense of security and trust.
The easiest way to set this requirement up for your application is on Azure. You’ll assign this requirement to the app service that contains your application.
Navigate to the desired app service on your Azure account.
Locate and click the TLS/SSL link in the left navigation menu.
Turn the Require HTTPS switch on by clicking it.
That’s all it takes! Is there any reason not to apply such a simple feature to your applications and offer your users a bit more peace of mind? I recommend making this small step a standard practice for all of your web applications.
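Once the switch is on, it is worth confirming that a plain-HTTP request really is redirected to HTTPS on the same host. The script below is an added example, not part of the course material; the host name `myapp.example.net` and the sample responses are constructed, and `probe()` makes a single live request to whatever host you pass it.

```python
# Added example: check that plain-HTTP requests are redirected to HTTPS.
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}

def classify(host, status, location):
    """Judge the response to a plain-HTTP request for `host`.

    Returns "enforced", "redirects-elsewhere" or "not-enforced".
    """
    if status not in REDIRECT_CODES or not location:
        return "not-enforced"          # content (or an error) served over HTTP
    target = urlsplit(location)
    if target.scheme.lower() != "https":
        return "not-enforced"          # relative or http:// redirect stays on HTTP
    if (target.hostname or "").lower() != host.lower():
        return "redirects-elsewhere"   # HTTPS, but another host: review manually
    return "enforced"

def probe(host, path="/", timeout=10):
    """Send one plain-HTTP HEAD request without following redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return classify(host, resp.status, resp.getheader("Location"))
    finally:
        conn.close()

# Constructed sample responses (not captured from a real site).
SAMPLES = [
    ("myapp.example.net", 301, "https://myapp.example.net/"),
    ("myapp.example.net", 200, None),
    ("myapp.example.net", 302, "http://myapp.example.net/login"),
    ("myapp.example.net", 301, "https://other.example.org/"),
]

if __name__ == "__main__":
    for host, status, location in SAMPLES:
        print(status, location, "->", classify(host, status, location))
    # To check a live site: print(probe("<your-app-host>"))
```

Anything other than "enforced" for your own app means the HTTP endpoint still needs attention.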
Let’s Recap!
This chapter concludes the course on securing ASP.NET Core web applications. In this chapter we:
Reviewed and reiterated the importance of SSL.
Learned how to require the HTTPS protocol for your applications.
Now let's put it all together!