It seems in light of revelations surrounding the security of websites that more and more sites are using HTTPS instead of HTTP. The older reasons not to adopt HTTPS, such as the burden on server and client processors, have pretty much disappeared. There is no real reason not to implement HTTPS, and if you want to use protocols such as SPDY or HTTP/2 then you have to enforce a secure connection anyway. To do this in an MVC project you have to do a few things; firstly add a filter to the GlobalFilterCollection like this:-



This code subclasses the RequireHttpsAttribute and lets plain HTTP connections through when the request is coming from localhost, which is ideal for a development team that doesn’t want to start messing around with certificates.
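The filter described above, written out as an added example (this is not the post's own code). It assumes the standard ASP.NET MVC 5 template, where App_Start/FilterConfig.cs registers global filters; the attribute name RequireHttpsExceptLocalAttribute is my own choice.

```csharp
using System;
using System.Web.Mvc;

// Added example: a RequireHttps filter that lets plain-HTTP requests through
// only when they originate on the local machine, so developers can run the
// site without certificates while every other client is forced onto HTTPS.
public class RequireHttpsExceptLocalAttribute : RequireHttpsAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        // Request.IsLocal is true for requests that come from the same
        // machine (127.0.0.1 / ::1), which is the usual debug setup.
        if (filterContext.HttpContext.Request.IsLocal)
        {
            return;
        }

        // Anything else gets the stock behaviour: GET requests are redirected
        // to the HTTPS URL, other verbs are rejected.
        base.OnAuthorization(filterContext);
    }
}

// App_Start/FilterConfig.cs (default template location, assumed here):
// register the filter globally so every controller action is covered.
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new RequireHttpsExceptLocalAttribute());
    }
}
```

One thing to check before relying on this in production: the base attribute decides using Request.IsSecureConnection, so if TLS is terminated at a load balancer or reverse proxy and the app server only ever sees HTTP, the filter will redirect every request to itself in a loop. In that setup you need to tell the attribute about the forwarded scheme (for example by checking the header your proxy sets) rather than trusting IsSecureConnection alone.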

Then you need to edit the web.config; again, in a dev environment you can get away with creating config transforms that add the security settings only when you publish under that configuration.

The main points in the above code are the requireSSL attributes and the customHeaders element of system.webServer. The Strict-Transport-Security custom header enables HSTS, which tells the browser to only connect over HTTPS and never over HTTP; this helps prevent attacks such as cookie hijacking.
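Since the post's own web.config listing did not survive, here is an added example of the elements it describes (my own fragment, not the post's). It assumes Forms authentication is in use; the loginUrl is a placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config fragment: the requireSSL attributes plus the
     HSTS custom header described in the post. Only the relevant elements
     are shown; merge them into the existing sections of your file. -->
<configuration>
  <system.web>
    <!-- requireSSL marks the ASP.NET session and application cookies Secure,
         so the browser never sends them over a plain HTTP request. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Same flag on the Forms authentication ticket cookie. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" requireSSL="true" />
    </authentication>
  </system.web>

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- HSTS: max-age is in seconds (16070400 = 186 days);
             includeSubDomains extends the policy to every subdomain. -->
        <add name="Strict-Transport-Security"
             value="max-age=16070400; includeSubDomains" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

To keep this out of the dev configuration, the same elements can live in Web.Release.config with xdt:Transform attributes (SetAttributes for requireSSL, Insert for the header) so they are only applied on publish. Two caveats worth knowing: browsers only honour Strict-Transport-Security when it arrives over HTTPS, so the copy IIS sends on HTTP responses is ignored rather than harmful, and with requireSSL="true" on the forms element, a login attempted over HTTP will fail outright, which is another reason the localhost exception in the filter is convenient during development.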

In Chrome dev tools you should see this in the Response header:-

Strict-Transport-Security:max-age=16070400; includeSubDomains

Where max-age is how long, in seconds, the browser will remember to connect only over HTTPS; Twitter for example sets a max age of 20 years to prevent any attack on their servers circumventing HTTPS.