Padlock

Forcing SSL in IIS without being annoying

When we recently launched our site, and with everything going to HTTPS only, I wanted to force as much to HTTPS only as possible. There are many, many links on how to force HTTPS on an IIS server. The issue is that when you debug your application locally, you have to comment out that section of code, do your debugging and changes, then hope you don’t forget to uncomment out that section of code. I have finally found out to the force HTTPS and allow you to debug on localhost. Here is the code that you need in your web.config:

<system.webServer>
  <rewrite>
    <rules>
      <rule name="HTTP to HTTPS redirect" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
          <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          <add input="{HTTP_HOST}" matchType="Pattern" pattern="^localhost(:\d+)?$" negate="true" />
          <add input="{HTTP_HOST}" matchType="Pattern" pattern="^127\.0\.0\.1(:\d+)?$" negate="true" />
        </conditions>
        <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}{REQUEST_URI}" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>

The HTTP_HOST lines are what need to be added then it will work! Reference