Enabling HTTPS redirection in ASP.NET Core is essential for securing web applications and protecting sensitive data transmitted between clients and servers. HTTPS ensures encrypted communication using SSL/TLS, preventing man-in-the-middle attacks, data tampering, and credential theft. Modern browsers also mark HTTP-only websites as insecure, making HTTPS configuration a critical requirement for production-ready ASP.NET Core applications.
This article explains how to enable HTTPS redirection in ASP.NET Core, configure development certificates, handle reverse proxy scenarios, and apply security best practices for enterprise environments.
Why HTTPS Redirection Is Important
HTTPS provides:
- Encrypted communication using TLS
- Improved SEO ranking
- Browser trust and security indicators
- Protection for authentication tokens and cookies
- Compliance with security standards
Without HTTPS redirection, users may access your application over HTTP, exposing sensitive data.
Enable HTTPS Redirection in ASP.NET Core
ASP.NET Core provides built-in middleware to automatically redirect HTTP requests to HTTPS.
In Program.cs:
```csharp
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

var app = builder.Build();

app.UseHttpsRedirection();
app.MapControllers();
app.Run();
```
The UseHttpsRedirection middleware answers each HTTP request with a redirect to the HTTPS URL, using 307 Temporary Redirect by default (or 308 Permanent Redirect when configured).
Configure HTTPS Port in launchSettings.json
Ensure the correct HTTPS port is configured:
```json
"applicationUrl": "https://localhost:5001;http://localhost:5000"
```
If the HTTPS port is not configured properly, redirection may fail during development.
Trust Development HTTPS Certificate
For local development, trust the ASP.NET Core development certificate:
```bash
dotnet dev-certs https --trust
```
Restart the application after trusting the certificate.
Enforce HTTPS in Production with HSTS
To enforce strict HTTPS usage, enable HTTP Strict Transport Security (HSTS).
```csharp
if (!app.Environment.IsDevelopment())
{
    app.UseHsts();
}
```
HSTS instructs browsers to only use HTTPS for future requests, improving security in production environments.
Configure Kestrel for HTTPS
If hosting directly with Kestrel, configure HTTPS endpoints in appsettings.json:
```json
"Kestrel": {
  "Endpoints": {
    "Https": {
      "Url": "https://0.0.0.0:5001"
    }
  }
}
```
For production deployments, use a valid SSL certificate issued by a trusted Certificate Authority.
HTTPS Redirection Behind Reverse Proxy
When hosting behind IIS, Nginx, or Azure App Service, ensure forwarded headers are configured properly.
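```csharp
// Requires at the top of Program.cs: using Microsoft.AspNetCore.HttpOverrides;
// Call this before UseHttpsRedirection so the original scheme is restored first.
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor |
                       ForwardedHeaders.XForwardedProto
});
```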
This ensures ASP.NET Core correctly detects HTTPS requests when behind a load balancer or reverse proxy.
Customize HTTPS Redirection Status Code
You can configure the redirection behavior:
```csharp
builder.Services.AddHttpsRedirection(options =>
{
    options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
    options.HttpsPort = 5001;
});
```
Using 308 Permanent Redirect is recommended for production environments.
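The following Program.cs combines the preceding sections for an app behind a TLS-terminating reverse proxy, with the middleware in the order that avoids redirect loops. It is an added example, not code from the original article; the proxy address 10.0.0.10, public port 443 and the one-year HSTS max-age are assumed placeholder values.

```csharp
// Added example: Program.cs for an app behind a TLS-terminating reverse proxy.
// Assumed values: proxy address 10.0.0.10, public HTTPS port 443.
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    // Only loopback proxies are trusted by default; forwarded headers from
    // any other sender are ignored. List the proxy explicitly (assumed address).
    options.KnownProxies.Add(IPAddress.Parse("10.0.0.10"));
});

builder.Services.AddHttpsRedirection(options =>
{
    options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
    options.HttpsPort = 443; // assumed public port exposed by the proxy
});

builder.Services.AddHsts(options =>
{
    options.MaxAge = TimeSpan.FromDays(365); // assumed policy lifetime
});

var app = builder.Build();

// 1. Restore the original scheme and client IP before anything inspects them.
app.UseForwardedHeaders();

if (!app.Environment.IsDevelopment())
{
    // 2. The HSTS header is only added to responses for HTTPS requests.
    app.UseHsts();
}

// 3. Redirects only requests whose (restored) scheme is still http.
app.UseHttpsRedirection();

app.MapControllers();
app.Run();
```

Because forwarded headers are accepted only from the listed proxy, a client that sends its own `X-Forwarded-Proto: https` directly to the app cannot suppress the redirect.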
Common Issues and Solutions
| Issue | Cause | Solution |
|---|---|---|
| Infinite redirect loop | Missing forwarded headers | Configure UseForwardedHeaders |
| Certificate warning | Untrusted SSL certificate | Trust dev certificate or use valid CA |
| Redirection not working | Missing UseHttpsRedirection | Add middleware in correct order |
| Mixed content error | HTTP resources inside HTTPS page | Update all resource URLs to HTTPS |
Security Best Practices
- Always use HTTPS in production
- Enable HSTS outside development
- Use strong TLS versions
- Redirect HTTP permanently in production
- Avoid hardcoding ports in cloud environments
- Monitor SSL certificate expiration
Proper HTTPS configuration improves application security posture and user trust.
Summary
Enabling HTTPS redirection in ASP.NET Core ensures secure communication by automatically redirecting HTTP traffic to HTTPS using built-in middleware such as UseHttpsRedirection and HSTS. By properly configuring development certificates, setting the correct HTTPS port, handling reverse proxy scenarios with forwarded headers, and deploying trusted SSL certificates in production, developers can protect sensitive data, prevent security vulnerabilities, and meet modern web security standards in scalable ASP.NET Core applications.