This is the fourth of a new series of posts on ASP .NET Core. This week, we’ll be looking at the use of HTTPS in ASP .NET Core projects (using HTTP/1.1 today) and also HTTP/2 support for future ASP .NET Core projects.
HTTPS and SSL
If you’re reading this blog post, you’re probably familiar with HTTPS and the little lock symbol that appears on websites that have a valid SSL certificate. It’s actually TLS these days, and you can read more about SSL, TLS and HTTPS here:
Recently, the popular Google Chrome browser received an update that automatically displays a “Not Secure” message for any website that doesn’t use SSL. To address this, I updated this blog site to ensure that all embedded content uses HTTPS when the site is loaded over HTTPS. I took it one step further and enforced SSL everywhere, so that site visitors going to WakeUpAndCode.com (with just HTTP) are redirected to https://WakeUpAndCode.com.
This site is a WordPress site, so I was able to make the last change by installing a free plugin called Really Simple SSL.
If you’re not convinced you need SSL, just read this thread on Twitter:
I so often get re-explaining from others that "localhost doesn't need local https". eyeroll.
this is not universally true. this tweet thread is the last time i'm gonna explain. henceforth it will just be linked to.
— getify (@getify) July 28, 2018
EDIT: If you need another nudge in the right direction, here’s a gentle reminder from Troy Hunt, a well-known influential computer security expert in the Microsoft world. Troy highlights an anti-HTTPS debate that illustrates why it doesn’t make sense to be against it.
Ah, the memories! This just came across my timeline again today, I’ve since been blocked for this and those tweets were deleted. Some people are *really* passionate about (not using) HTTPS! https://t.co/2wcVrbX175
— Troy Hunt (@troyhunt) November 6, 2018
HTTPS in ASP .NET Core
For years, it has been too easy for ASP .NET developers to build Web Apps and Web APIs without any HTTPS during development. It wasn’t uncommon for web application developers to make excuses about not running their web apps with SSL on their local development environments, even if the application needed to be deployed to production with SSL (which production app doesn’t?).
So, what’s changed now? ASP .NET Core 2.1 has made it really easy to get started with SSL from Day 1. Depending on your development tool and your operating system, the steps may vary.
On Windows or MacOS, you can simply type the following CLI command:
> dotnet dev-certs https --trust
You should see a popup asking you whether you want to trust the certificate or not. Confirm the popup to install the development certificate.
For more options (including the removal of a dev cert), use the --help option, as shown below:
> dotnet dev-certs https --help

Usage: dotnet dev-certs https [options]

Options:
  -ep|--export-path  Full path to the exported certificate
  -p|--password      Password to use when exporting the certificate with the private key into a pfx file
  -c|--check         Check for the existence of the certificate but do not perform any action
  --clean            Cleans all HTTPS development certificates from the machine.
  -t|--trust         Trust the certificate on the current platform
  -v|--verbose       Display more debug information.
  -q|--quiet         Display warnings and errors only.
  -h|--help          Show help information
What about Linux? For Linux, you’ll have to perform distro-specific steps for trusting the dev certificate, since there isn’t a standard way to do this across various Linux distributions.
To get an SSL certificate for use in production, refer to the SSL instructions in your web host’s documentation. For IIS7 or Azure, see the following instructions:
- IIS7: https://docs.microsoft.com/en-us/iis/manage/configuring-security/how-to-set-up-ssl-on-iis
- App Service: https://docs.microsoft.com/en-us/azure/app-service/web-sites-purchase-ssl-web-site
SSL (TLS!) in Visual Studio
EDIT: As mentioned at the beginning of this article, it’s actually TLS these days, even though people talk about SSL and SSL certificates. You may revisit the aforementioned Symantec article on SSL, TLS and HTTPS. Thanks, Jon Galloway, for reiterating this during the ASP .NET Community Standup on Tue Oct 30, while kicking off the standup with this blog post. 🙂
Visual Studio 2017 makes it even easier to create an SSL certificate for use with ASP .NET Core projects during development. When you create a new project in VS 2017 using any of the templates, there is an option to “Configure for HTTPS”. Unless you have an unusual reason not to, leave this option on so that SSL is enabled from the start.
When you create a new project using VS 2017 or dotnet new, the following code should be included within the template-generated project, inside the Configure() method of the Startup.cs class.
app.UseHsts();
...
app.UseHttpsRedirection();
The call to app.UseHsts() is typically used in a Production environment, and should be wrapped in the else portion of an if statement that checks whether you’re in a Development environment or not. To learn more about HSTS, check out the following documentation:
- Using HSTS while enforcing SSL: https://docs.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-2.1&tabs=visual-studio#http-strict-transport-security-protocol-hsts
The call to app.UseHttpsRedirection() is what allows your application to always force HTTPS usage by redirecting site users to the HTTPS version of your site even if they attempt to browse the HTTP version of your site.
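As an added example (not the template code quoted above, nor code from the sample repos linked below), here is a complete Startup.cs for ASP .NET Core 2.1 that puts the two calls in context: HSTS only outside Development, an explicit redirect status code and HTTPS port, and a deliberately modest HSTS max-age. The namespace HttpsDemo and port 5001 are assumptions.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

namespace HttpsDemo
{
    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            // HSTS settings; the header is only emitted where UseHsts() runs (outside Development).
            // Start with a modest MaxAge: browsers cache it, so a long value on a broken host locks users out.
            services.AddHsts(options =>
            {
                options.Preload = false;   // set true only once the site is ready for the browser preload list
                options.IncludeSubDomains = true;
                options.MaxAge = TimeSpan.FromDays(60);
            });
            // Make the redirect explicit: 307 keeps the HTTP method for non-GET requests,
            // and the HTTPS port must be known so the Location header is correct.
            services.AddHttpsRedirection(options =>
            {
                options.RedirectStatusCode = StatusCodes.Status307TemporaryRedirect;
                options.HttpsPort = 5001; // assumed: the Kestrel HTTPS port from launchSettings.json
            });
            services.AddMvc();
        }

        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseExceptionHandler("/Error");
                // HSTS stays off in Development: the browser caches it per host, so a stray
                // header on localhost would break every other local HTTP project.
                app.UseHsts();
            }
            // Redirect HTTP to HTTPS before any other middleware sees the request.
            app.UseHttpsRedirection();
            app.UseMvc();
        }
    }
}
```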
To see this in action, check out the Startup.cs file from the sample projects in my previous blog posts, e.g.
MVCWebApp from PagesDemo: https://github.com/shahedc/PagesDemo/blob/master/MvcWebApp/Startup.cs
SimpleUpload: https://github.com/shahedc/SimpleUpload/blob/master/SimpleUpload/Startup.cs
HTTP/2 in ASP .NET Core
Before we wrap up, let’s cover some high-level information on HTTP/2. First of all, what is it and why should we care? HTTP has been around for decades, without any push for a major upgrade since 1.1. Until now. With HTTP/2’s introduction in 2015 and browser support pouring in since then, dev tools and web servers are also allowing any developer to make use of the features that HTTP/2 has to offer.
The roadmap for ASP .NET Core 2.2 mentions support for HTTP/2 in Kestrel and HttpClient:
- ASP .NET Core 2.2 Roadmap: https://github.com/aspnet/Announcements/issues/307
While Kestrel’s HTTP/2 doesn’t have everything you would expect in HTTP/2 at this time, the ASP .NET Web Dev Blog has a good writeup on this:
- ASP .NET Blog: https://blogs.msdn.microsoft.com/webdev/2018/08/22/asp-net-core-2-2-0-preview1-http-2-in-kestrel/
Benefits of HTTP/2 include header compression and fully multiplexed streams over the same connection. According to the above documentation, this “allows multiplexed streams over the same TCP connection”, which is coming in ASP .NET Core 2.2, so stay tuned!
For more on HTTP/2, check out Daniel Roth’s video on “What’s new in ASP .NET Core?” from .NET Conf 2018 (September 2018). You may jump straight to 39:00 to get to the part about HTTP/2 in ASP .NET Core.
- HTTP/2 @ 39:00: https://youtu.be/DDBmvOPfqzA?t=2340
The corresponding source code can be obtained on GitHub:
danroth27/Http2Test: https://github.com/danroth27/Http2Test
References
- What’s coming in ASP.NET Core 2.2: http://www.talkingdotnet.com/whats-coming-in-asp-net-core-2-2/
- ASP.NET Core 2.2 Roadmap: https://github.com/aspnet/Announcements/issues/307
- HTTP/2 in Kestrel: https://blogs.msdn.microsoft.com/webdev/2018/08/22/asp-net-core-2-2-0-preview1-http-2-in-kestrel/
- Developing locally with ASP.NET Core under HTTPS, SSL, and Self-Signed Certs – Scott Hanselman: https://www.hanselman.com/blog/DevelopingLocallyWithASPNETCoreUnderHTTPSSSLAndSelfSignedCerts.aspx
- Enforce HTTPS in ASP.NET Core: https://docs.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-2.1&tabs=visual-studio
- How to make an Azure App Service HTTPS only: https://blogs.msdn.microsoft.com/benjaminperkins/2017/11/30/how-to-make-an-azure-app-service-https-only/
- Securing an Azure App Service Website under SSL in minutes with Let’s Encrypt: https://www.hanselman.com/blog/SecuringAnAzureAppServiceWebsiteUnderSSLInMinutesWithLetsEncrypt.aspx
- Bind an existing custom SSL certificate to Azure Web Apps: https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl
Nice, but I’m not sure if Symantec is the best resource to describe https and ssl
Good point, Thomas! There are plenty of resources online so I just picked one whose content I found useful. Feel free to suggest additional articles with links, and I’ll add to the post.
Thanks for your feedback!