ASP.NET Core  

Complete End-to-End Guide: HTTPS, HSTS, and TLS in ASP.NET Core

Securing your ASP.NET Core applications is non-negotiable in today’s cyber-threat landscape. By enforcing HTTPS, HSTS, and TLS, you ensure encrypted communication between clients and servers, protecting sensitive data from interception and attacks.

This guide provides a step-by-step, end-to-end implementation from development to production.

Prerequisites

  • Visual Studio 2022 or later with ASP.NET Core workload installed

  • .NET 7 or later

  • Basic understanding of ASP.NET Core MVC/Web API

Optional: Docker/Kubernetes for production deployment.

Step 1: Create an ASP.NET Core Web API Project

  1. Open Visual Studio → Create a new project → Select ASP.NET Core Web API.

  2. Choose .NET 7 , enable HTTPS , and leave Authentication as “None” for now.

  3. Click Create.

You now have a basic Web API project with HTTPS support enabled by default (self-signed certificate for development).

Step 2: Enforce HTTPS

Program.cs

  
    var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Force all HTTP requests to HTTPS
app.UseHttpsRedirection();

app.MapControllers();

app.Run();

launchSettings.json

  
    "profiles": {
  "MyApi": {
    "commandName": "Project",
    "dotnetRunMessages": true,
    "applicationUrl": "https://localhost:5001;http://localhost:5000"
  }
}

With this, your app automatically redirects HTTP requests to HTTPS during development.

Step 3: Enable HSTS (HTTP Strict Transport Security)

HSTS tells browsers to always connect via HTTPS , preventing downgrade attacks.

Add Middleware

  
    if (!app.Environment.IsDevelopment())
{
    // Enable HSTS in production only
    app.UseHsts();
}

app.UseHttpsRedirection();

Optional HSTS Options

  
    app.UseHsts(options =>
{
    options.MaxAge = TimeSpan.FromDays(365); // enforce for 1 year
    options.IncludeSubDomains = true;
    options.Preload = true;
});

Important: Do not enable HSTS during development; browsers may cache HSTS headers and block HTTP requests.

Step 4: Configure TLS in Kestrel

ASP.NET Core uses Kestrel as the web server. Configure TLS to enforce secure protocols.

appsettings.json

  
    "Kestrel": {
  "Endpoints": {
    "Https": {
      "Url": "https://localhost:5001",
      "Certificate": {
        "Path": "certs/devcert.pfx",
        "Password": "StrongPassword123!"
      }
    }
  }
}

Program.cs

  
    builder.WebHost.ConfigureKestrel(options =>
{
    options.ConfigureHttpsDefaults(httpsOptions =>
    {
        // Enforce TLS 1.2 and TLS 1.3
        httpsOptions.SslProtocols = System.Security.Authentication.SslProtocols.Tls12 |
                                   System.Security.Authentication.SslProtocols.Tls13;
    });
});

Step 5: Add Secure Cookies (Optional)

If your API or MVC app uses cookies:

  
    builder.Services.AddSession(options =>
{
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;
});

Step 6: Production Certificates

Option 1. Use a Trusted CA

  • Purchase or generate a certificate from DigiCert, GlobalSign, or Sectigo.

  • Replace the development PFX with the production certificate.

Option 2. Let’s Encrypt (Free & Auto-Renewing)

  • Use Certbot or Win-ACME on Windows.

  • Bind the certificate to your app or IIS/Kestrel.

Step 7: Enforce Security Best Practices

  1. Redirect all HTTP requests to HTTPS.

  2. Enable HSTS with preload & includeSubDomains.

  3. Enforce TLS 1.2+.

  4. Use secure cookies with HttpOnly and SameSite .

  5. Rotate certificates regularly.

  6. Test with SSL Labs for vulnerabilities.

Step 8: Testing

  • Run the project → Access http://localhost:5000 → It should redirect to https://localhost:5001 .

  • Check browser dev tools → Security tab → TLS version in use.

  • Test HSTS using browser dev tools; response headers should be included.

Step 9: CI/CD & Deployment Considerations

  • Store certificates in Azure Key Vault or Docker secrets.

  • Enable HTTPS redirection and HSTS in production environments only.

  • Monitor certificate expiry to prevent downtime.

  • Use Kestrel or IIS reverse proxy for TLS termination.

By following these steps, you ensure your ASP.NET Core application is:

  • Enforcing HTTPS

  • Protected by HSTS

  • Using modern TLS protocols

  • Following best practices for production deployments

Security starts with encryption, and with HTTPS + HSTS + TLS, you protect your users’ data from interception and attacks.

Final Thoughts

While HTTPS, HSTS, and TLS secure your data in transit, they are just one part of a larger security strategy. Combine them with:

  • Authentication & Authorization (JWT, OAuth2)

  • Input Validation & Sanitization

  • Logging & Monitoring

  • Rate Limiting & Throttling

I can also prepare a ready-to-download Visual Studio demo project with:

  • HTTPS enforced

  • HSTS middleware

  • TLS 1.2+ configured

  • Self-signed development certificate

  • Secure cookie and session configuration

Membership not found