3

How can I enforce use of an SSL secure connection via HTTPS for Blazor WebAssembly?

I tried adding

app.UseHttpsRedirection();

to Startup.cs of a server project (API), but that didn't do anything.

I want to enforce it for both the API and the client of the Blazor WebAssembly app.

EDIT

Since we are going back and forth on whether an app is secure enough if only the API is secured, I would like to rephrase my question. How do I redirect a page from HTTP to HTTPS on the initial start of the Blazor client?

mko
  • That makes no sense. I mean, for the server OK, but could you add some useful information? Like, what do you mean by enforcing it for the client Blazor WebAssembly app? Like, enforce it for the download of the app? Or should the app only be able to use HTTPS? – Patrick Beynio Mar 11 '20 at 11:58
  • How would your browser understand that this is an HTTPS page? I don't think the browser at this point really cares if your connection to the API is secure to consider your site to be secured. – mko Mar 11 '20 at 12:01

2 Answers

1

How to enforce SSL on server side is described here: enforcing-ssl

But enforcing it for the client just makes little to no sense, and I think there is no way to really force it!
Of course you could wrap HttpClient to only use HTTPS, but there is not a single benefit I could imagine.

Patrick Beynio
  • Using https for API calls seems sensible enough. – H H Mar 11 '20 at 12:12
  • But you do that on the API's side usually, like he wants also... and if he talks to 3rd-party APIs, CORS will prevent non-HTTPS requests anyway. – Patrick Beynio Mar 11 '20 at 12:18
  • Yes, I have seen it already and it is relevant for securing the API. I am looking for a way to redirect the SPA to HTTPS. The end user doesn't really know if you are running an SPA or something else. He wants to get a sense of using a secure app. – mko Mar 11 '20 at 12:18
  • You can probably do that with something like Apache mod_rewrite or whatever your server supports. – Patrick Beynio Mar 12 '20 at 12:53
1

It cannot be done in code or the config of the Web App. It can however be set in the settings on the server. If you are hosting your App in Azure you can enforce use of HTTPS by setting the "HTTPS Only" setting to true under the "TLS/SSL" category of the App Settings. If you are hosting it elsewhere you will need to change your server web.config file to include a redirect rule (see here: How to force HTTPS using a web.config file).