Aspnetcore.docs: New doc: Require HTTPS on Web APIs

Created on 6 May 2018 · 17 Comments · Source: dotnet/AspNetCore.Docs

Opening segment comes down to: Don't ever do this for anything that actually matters.

Do not use RequireHttpsAttribute on Web APIs that receive sensitive information

And (of course) does not give you a link on where to go find how to do this for things that actually matter.
... but if you are just using https for the hell of it... the article is fine.
(well.. once you figure out the 'usings', which are not included in the documentation.)


P1 PU Source - Docs.ms doc-enhancement

All 17 comments

@blowdart can you supply a link to information on securing Web APIs?

By enforcing HTTPS only? I don't think we have one.

@blowdart changed the title to new doc: Require HTTPS on WebAPI

@blowdart or are the instructions good enough:

Not listen on HTTP.
Close the connection with status code 400 (Bad Request) and not serve the request.

I think we need to provide a page which talks about how.

Perhaps the Basic Middleware repo should add a middleware to return 400 for HTTP requests?

If you have app.UseHsts() I assume that is valid for WebApi as well?

@nbarbettini wrote a nice article on this topic.
https://www.recaffeinate.co/post/enforce-https-aspnetcore-api/

I think what is missing from both articles is guidance or a link for how to configure IIS to force HTTPS only. If you don't, and you abort in the middleware or return a 400, it is too late, the "secret" data has already been transmitted in the clear.

UseHsts doesn't seem to be enough on its own either as it requires a browser to have seen the header before sensitive data is sent. This isn't helpful if your "client" is not a browser.

@blowdart / @Rick-Anderson: Was there a page written for Web APIs in the end? Or is @nbarbettini's article good enough?

@garfbradaz we're still waiting for a doc by @blowdart

@asymmetricblue
Thanks that helps.
Two thoughts:
1) If the app has both Razor Pages and an API, it is not convenient to restrict IIS for the app to HTTPS, as users may just type in the domain and expect to be redirected to HTTPS.
2) Assuming the consumer will test using the API before production, it should be enough to just return an error on HTTP. (not redirect silently).

@Rick-Anderson Thanks for the response on a Saturday matey 🥇 Waiting patiently for @blowdart ……. 🔢

Still patiently waiting @Rick-Anderson.... ;)

@blowdart is this something you plan to do?

The instructions rick suggested and I approved are fine, and should be documented, but I had figured after that approval that was where my input ended. The addition of hosting the api in app is more complicated, the easy out there is a rewrite in web.config, along with HSTS with a dire warning that if you have external api calls with an app that needs to use HTTPS and nothing else and we can't enforce this.

the easy out there is a rewrite in _web.config_, along with HSTS with a dire warning that if

@blowdart _web.config_ is only used in IIS -
See https://stackoverflow.com/questions/9823010/how-to-force-https-using-a-web-config-file
is that what you intended?

What if you're not using IIS?

You'd configure nginx or whatever you're using.

I think the doc needs to cover two things

1) Your API on a separate host. Like sane people do _grin_. That's easy. Only bind to HTTPS.

2) You share your API with a website. Redirect up to HTTPS. Send HSTS. Clear warning that there is a possibility of people calling your API over HTTP with non-browser clients, and HSTS won't help and you ought to consider moving to a separate host for HTTPS only.
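The two deployments above, together with the earlier "don't listen on HTTP / answer HTTP with 400" instructions and the suggested 400-returning middleware, as an added example in a single `Program.cs` (.NET 6+ minimal hosting). This is not code from the thread, the ASP.NET Core docs, or the Basic Middleware repo; the `apiSharesHostWithSite` switch, the `/api` prefix, the ports and the sample endpoints are assumptions made for the example, and `UseHttps()` with no arguments needs a default certificate (the development certificate or `Kestrel:Certificates:Default`) to be configured.

```csharp
// Added example (not from the thread or the ASP.NET Core docs).
// Requires the Microsoft.NET.Sdk.Web project SDK; the usings below are
// listed explicitly in case implicit usings are disabled.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Hosting;

// Hypothetical build-time switch between the two deployments discussed above.
const bool apiSharesHostWithSite = false;

var builder = WebApplication.CreateBuilder(args);

if (!apiSharesHostWithSite)
{
    // Scenario 1: the API lives on its own host. Kestrel binds to HTTPS only,
    // so there is no cleartext listener at all and nothing ever arrives in the
    // clear that would need to be rejected.
    builder.WebHost.ConfigureKestrel(kestrel =>
    {
        kestrel.ListenAnyIP(5001, listen => listen.UseHttps()); // assumed port
    });
}
else
{
    // Scenario 2: the API shares the host with a website, so an HTTP listener
    // has to stay up for users who type the bare domain and expect a redirect.
    builder.WebHost.ConfigureKestrel(kestrel =>
    {
        kestrel.ListenAnyIP(5000);                               // HTTP, for browser redirects only
        kestrel.ListenAnyIP(5001, listen => listen.UseHttps());  // HTTPS
    });
}

var app = builder.Build();

if (apiSharesHostWithSite)
{
    if (!app.Environment.IsDevelopment())
    {
        // Browsers that have seen this header upgrade later requests themselves;
        // non-browser API clients ignore it, which is the caveat raised above.
        app.UseHsts();
    }

    // API calls that arrive over plain HTTP get 400 Bad Request instead of a
    // silent redirect, so a consumer notices while testing. By the time this
    // runs the request (headers and body) has already crossed the wire in the
    // clear, so this is a loud signal, not a data-protection control; the
    // thread's advice for sensitive APIs is scenario 1, a separate HTTPS-only host.
    app.UseWhen(ctx => ctx.Request.Path.StartsWithSegments("/api"), api =>
        api.Use(async (ctx, next) =>
        {
            if (!ctx.Request.IsHttps)
            {
                ctx.Response.StatusCode = StatusCodes.Status400BadRequest;
                await ctx.Response.WriteAsync("HTTPS is required for this API.");
                return;
            }
            await next(ctx);
        }));

    // Everything that is not the API is redirected to HTTPS for browser users.
    // This must come after the 400 branch, otherwise API calls would be
    // redirected instead of rejected.
    app.UseHttpsRedirection();
}

// Sample endpoints (assumed) so the behaviour can be exercised.
app.MapGet("/", () => "site");
app.MapGet("/api/secret", () => new { value = "only over TLS" });

app.Run();
```

With the switch set to `false`, `curl http://localhost:5000/api/secret` gets a connection refused because nothing listens there; with it set to `true`, the same request returns 400 while `curl http://localhost:5000/` answers with a redirect to the HTTPS site. Under IIS the equivalent of scenario 2's redirect is the `web.config` rewrite rule mentioned earlier in the thread; under nginx, the corresponding server block.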
