Recently our KashGuard project, a user permissions add-in for KashFlow, required that we force the use of SSL so that our customers' sensitive data would be safe in transit over the Internet.
We needed to ensure that all data sent over https://secure.kashguard.co.uk was encrypted, but we also needed an automatic and graceful redirect should someone try to use regular http. So what do we do? We could have added code to all of our pages, or to our base page, or in the global events, to check if https was used and, if not, issue a redirect to https. You could, but we wouldn't. Why not? It would require a code change specifically to force SSL, which would make it harder for our developers to run the site on their local machines when debugging. It would also make it harder for us to disable SSL should we ever need to. Finally, it would ignore any non-ASP.NET files that we may want to protect with SSL.
So we decided on a very simple IIS trick using host headers and two websites. Here’s how:
- We created two sites in IIS: one configured to use port 80, the other configured to use port 443 for SSL.
- The site we created to use port 80 was configured on the Home Directory tab to perform a redirect to https://secure.kashguard.co.uk. To do this we selected the “A redirection to a URL” option and entered https://secure.kashguard.co.uk in the “Redirect to” box. We also ticked “A permanent redirection for this resource”, which tells search engines that they should not index the non-SSL website.
Now any traffic attempting to come in on port 80 is permanently redirected to the actual site on port 443. This avoids placing scripts in a site and took five minutes to implement. Simples!
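
One way to confirm the port 80 site behaves as configured is to check that a plain-http request gets a 301 whose Location is an https URL on the secure host. The script below is an added example, not part of the original post; the function names `evaluate` and `probe` are hypothetical and the sample responses are constructed.

```python
import http.client
from urllib.parse import urlsplit

EXPECTED_HOST = "secure.kashguard.co.uk"  # HTTPS host name used in the post


def evaluate(status, location, expected_host=EXPECTED_HOST):
    """Return the problems with a port-80 response; an empty list means it passes."""
    problems = []
    if status != 301:
        problems.append(f"status {status}, expected 301 (permanent redirection)")
    if not location:
        problems.append("no Location header")
        return problems
    target = urlsplit(location)
    if target.scheme.lower() != "https":
        problems.append(f"Location is not an https URL: {location}")
    # urlsplit lower-cases the host name, so compare against a lower-cased value.
    if (target.hostname or "") != expected_host.lower():
        problems.append(f"Location host is {target.hostname}, expected {expected_host}")
    return problems


def probe(host, path="/", timeout=5):
    """Fetch path over plain HTTP; http.client never follows redirects itself."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


# Constructed (status, Location) pairs standing in for captured responses.
SAMPLES = {
    "redirect as configured in the post": (301, "https://secure.kashguard.co.uk/"),
    "temporary redirect": (302, "https://secure.kashguard.co.uk/"),
    "content served over http": (200, None),
    "redirect that stays on http": (301, "http://secure.kashguard.co.uk/"),
}

if __name__ == "__main__":
    for name, (status, location) in SAMPLES.items():
        problems = evaluate(status, location)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
    # Against a server you run: print(evaluate(*probe(EXPECTED_HOST, "/any/page.aspx")))
```

Running `probe` against a deep path as well as `/` also covers the non-ASP.NET files mentioned above, since the redirect is applied by IIS rather than by page code.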











Great little tip!
I’m doing an IIS7 course this week, so this should score me some Brownie points when we cover the topic.
And please, no more meerkat “Simples”.
Great advice. I don't know how many times I have to tell people the very same things. Glad I’m not the only one.