I have an odd issue when querying a node from umbraco my .url is always coming back as https:// how can i ensure this sitewide, without having to manually do .replaces's on each url.
I find on Azure this setting is not necessary for an HTTPS site. Urls are returned beginning with "/" and when clicked the browser will automatically add the https and the domain name.
So I'm not entirely sure why this setting is needed?
FYI My dev site is Http with the same USeHttps setting of false and that works fine too.
It works fine but it is not secure, your authentication cookie is not marked as secure when you do this, meaning it can get sent over the network outside of the secure channel in clear text. This makes you vulnerable to a man-in-the-middle attack (so make sure nobody is logging into the site on a shared Starbucks network 😉).
I wonder how many umbraco sites don't have this set just because developers are not aware of the implications. It may be worth HQ sending this out in a security bulletin. I'm definitely not hitting my site from Starbucks again lol!
Umbraco https://
I have an odd issue when querying a node from umbraco my .url is always coming back as https:// how can i ensure this sitewide, without having to manually do .replaces's on each url.
as currently my form actions like this:
are coming back as http
Hi Louis
The best way is to add a redirect for all requests to force
https
That's not an answer to the question though @Alex - it still doesn't generate https urls. :)
In order for Umbraco to help you with this, go into the web.config and in v7 find
umbracoUseSsl
( https://our.umbraco.com/documentation/Reference/Config/webconfig/#umbracousessl ) and set it totrue
.In v8 that setting would be
Umbraco.Core.UseHttps
that needs to be set totrue
.I find on Azure this setting is not necessary for an HTTPS site. Urls are returned beginning with "/" and when clicked the browser will automatically add the https and the domain name.
So I'm not entirely sure why this setting is needed?
FYI My dev site is Http with the same USeHttps setting of false and that works fine too.
It works fine but it is not secure, your authentication cookie is not marked as secure when you do this, meaning it can get sent over the network outside of the secure channel in clear text. This makes you vulnerable to a man-in-the-middle attack (so make sure nobody is logging into the site on a shared Starbucks network 😉).
Ps. There are other things this setting does, but I can't remember off the top of my head. :)
Excellent point! Thanks.
I wonder how many umbraco sites don't have this set just because developers are not aware of the implications. It may be worth HQ sending this out in a security bulletin. I'm definitely not hitting my site from Starbucks again lol!
You cna set the hostname in culture and hostnames to explicityly use https:// at the start of the url,
cheers guys
is working on a reply...