Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • louisjrdev 107 posts 344 karma points c-trib
    Mar 05, 2019 @ 12:39
    louisjrdev
    0

    Umbraco https://

    I have an odd issue when querying a node from umbraco my .url is always coming back as https:// how can i ensure this sitewide, without having to manually do .replaces's on each url.

    as currently my form actions like this:

    action="@Model.Content.Url"
    

    are coming back as http

  • Alex Skrypnyk 6150 posts 24110 karma points MVP 8x admin c-trib
    Mar 05, 2019 @ 13:53
    Alex Skrypnyk
    1

    Hi Louis

    The best way is to add a redirect for all requests to force https

    <configuration>
      <system.webServer>
        <rewrite>
          <rules>
            <rule name="Redirect to HTTPS" enabled="false">
              <match url="(.*)" />
              <conditions>
                <add input="{HTTPS}" pattern="off" />
              </conditions>
              <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
            </rule>
          </rules>
        </rewrite>
      </system.webServer>
    </configuration>
    
  • Sebastiaan Janssen 5060 posts 15522 karma points MVP admin hq
    Mar 05, 2019 @ 14:15
    Sebastiaan Janssen
    100

    That's not an answer to the question though @Alex - it still doesn't generate https urls. :)

    In order for Umbraco to help you with this, go into the web.config and in v7 find umbracoUseSsl ( https://our.umbraco.com/documentation/Reference/Config/webconfig/#umbracousessl ) and set it to true.

    In v8 that setting would be Umbraco.Core.UseHttps that needs to be set to true.

  • john blair 48 posts 219 karma points
    Oct 01, 2019 @ 10:35
    john blair
    0

    I find on Azure this setting is not necessary for an HTTPS site. Urls are returned beginning with "/" and when clicked the browser will automatically add the https and the domain name.

    So I'm not entirely sure why this setting is needed?

    FYI My dev site is Http with the same USeHttps setting of false and that works fine too.

  • Sebastiaan Janssen 5060 posts 15522 karma points MVP admin hq
    Oct 01, 2019 @ 14:17
    Sebastiaan Janssen
    0

    It works fine but it is not secure, your authentication cookie is not marked as secure when you do this, meaning it can get sent over the network outside of the secure channel in clear text. This makes you vulnerable to a man-in-the-middle attack (so make sure nobody is logging into the site on a shared Starbucks network 😉).

  • Sebastiaan Janssen 5060 posts 15522 karma points MVP admin hq
    Oct 01, 2019 @ 14:18
    Sebastiaan Janssen
    0

    Ps. There are other things this setting does, but I can't remember off the top of my head. :)

  • john blair 48 posts 219 karma points
    Oct 01, 2019 @ 15:40
    john blair
    0

    Excellent point! Thanks.

    I wonder how many umbraco sites don't have this set just because developers are not aware of the implications. It may be worth HQ sending this out in a security bulletin. I'm definitely not hitting my site from Starbucks again lol!

  • louisjrdev 107 posts 344 karma points c-trib
    Mar 05, 2019 @ 14:17
    louisjrdev
    0

    You cna set the hostname in culture and hostnames to explicityly use https:// at the start of the url,

    cheers guys

Please Sign in or register to post replies

Write your reply to:

Draft