![]() Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. ![]() I looked up what does and how it can have an impact on security.HTTPS Everywhere is produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. But if an intruder managed to do local requests on your server, you are toast anyway and SSl is not your priority at the moment. One might argue that I’m creating a security hole by not redirecting to https on local requests. I think this is a good-aggressive implementation. And if request comes that is not secured and not GET, throw exception. If you are lazy enough to follow the link to the source code, I’ll tell you all this attribute does is check if incoming request schema used is https (that is what Request.IsSecureConnection does), if not, redirect all GET request to https. when connection to the application is local, don't do any HTTPS stuff Throw new ArgumentNullException("filterContext") Public override void OnAuthorization(AuthorizationContext filterContext) So I inherited RequireHttpsAttribute and added logic to ignore all local requests: public class RequreSecureConnectionFilter : RequireHttpsAttribute Quick study of source code highlighted that the class is not sealed and I can just inherit this class. Instead of configuring SSL on local IIS, I decided to be a smart-ass and work around it. Maybe there is a script that can do that automatically, but I could not find one quickly. And configuring SSL on dev machines is a waste of time. If you allow people to work from home, their home machines must be configured to work with SSL. If you work in team, all dev machines must be configured with SSL. Problem with this filter – once you add it to your app, you need to configure SSL on your development machine. But luckily this class is also implements IAuthorizationFilter interface, which means this can be used globally on the entire app as a filter. ![]() And I hate it for that – it encourages for bad practices. This is named as Attribute and can be used as an attribute on separate MVC controllers and even actions. All you need to know about is RequireHttpsAttribute. Redirecting to HTTPS schema is pretty simple in modern MVC. I had a rough idea of what I needed to do, and now that I’ve done it a few times on different apps, my process is now ironed-out and I can share that with you here. Problem I faced when I wanted to implement complete “HTTPS Everywhere” in my MVC applications is lack of implementation instructions. Listen to this guy, he knows what he is talking about. Have you read it? Troy there explains why you want to have HTTPS Everywhere on your site, not just on a login page. See that link above? Go and read it! Seriously. And Troy Hunt will whack you over your had for doing that! There have been numerous rants about security holes awaiting for you down that path. Despite of that when I google for implementation of HTTPS in ASP.Net MVC applications, I find only a handful of horrible questions on StackOverflow, about how to implement HTTPS only on certain pages (i.e. HTTPS everywhere is a common theme of the modern infosys topics.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |