3

Is there improved security with web applications if you use "Require SSL" in the SSL Setting section of IIS? I was planning on creating a URL Rewrite rule.

crjunk

1 Answer

4

"Require SSL" will cause a 403.4 Forbidden response if you try to access the site using http://example.com. It won't automatically redirect to the https:// url.

This may be confusing for users if you're not linking in some way to the https://example.com SSL'd url.

If you want users to be able to randomly hit the site using plain http:// and then redirect them to the SSL'd URL, then you're better off leaving "Require SSL" turned off and doing a rewrite.

Kev

A URL rewrite is most likely what I am going to do. Trying to gather some technical facts before actually pursuing that avenue so that our security audit requirements are met. I tried following this example, but I get a lock violation. Didn't realize that the server has IIS 8.5. http://www.jppinto.com/2009/04/automatically-redirect-http-requests-to-https-iis-7/ – crjunk Apr 29 '15 at 17:10
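
The rewrite approach from the answer above, shown as a site-level `web.config`. This is an added example, not part of the original posts. It assumes the IIS URL Rewrite module is installed and that "Require SSL" is left off for the site, as the answer recommends. The rule name and the pinned host `example.com` are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Placeholder rule name. stopProcessing prevents later rules
             from acting on a request that is about to be redirected. -->
        <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
          <!-- Match every path; the captured path is available as {R:1}. -->
          <match url="(.*)" />
          <conditions>
            <!-- {HTTPS} is "off" when the request arrived over plain HTTP,
                 so requests already on HTTPS are left alone (no loop). -->
            <add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
          </conditions>
          <!-- 301 to the same path on HTTPS. The host is pinned to the
               site's name (placeholder) rather than echoing the
               client-supplied Host header via {HTTP_HOST}. -->
          <action type="Redirect"
                  url="https://example.com/{R:1}"
                  redirectType="Permanent"
                  appendQueryString="true" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

With this rule in place, a request to http://example.com/ should return a 301 with a `Location` header pointing at the https:// URL, instead of the 403.4 that "Require SSL" produces.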