Aspnetcore: Enable HTTPS in all blazor templates

Can we set the project templates to default to HTTPS ?

I'm thinking of the Blazor aspnet core server sample, this should set Https redirect if not IsDevelopment, as per https://docs.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-2.1&tabs=visual-studio

How can I setup blazor to properly handle HTTPS manually? Currently getting "405 - HTTP verb used to access this page is not allowed." Seems like the Blazor client is not setup properly so it is routing requests using HTTP rather than HTTPS.

No, that error shouldn't have anything to do with HTTPS. It can mean, for example, that you're trying to POST to a resource that only accepts GET.

Are you using client-side or server-side Blazor? If the latter, is this on IIS, and do you have WebSockets support enabled?

Before we enable HTTPS for the Blazor templates we need to resolve how to deal with compression of the static assets under HTTPS: https://github.com/aspnet/AspNetCore/issues/6925

Agree. We might tackle this as part of the design for static content in RCLs

Can you please tell how to manually launch HTTPS now or is it simply impossible? I went to launchSettings.json and change sslPort from 0 to another number, but accessing results in ERR_CONNECTION_RESET.

EDIT: I am having a client-side Blazor project.

Thanks.

If your client-side Blazor app is hosted in ASP.NET Core then you can just go into the project properties of the .Server project, select the Debug tab, and then check the "Enable SSL" checkbox:

Thanks it works. I wonder why. Does VS do something else beside setting sslPort in launchSettings.json because that's the only difference I see?

If your client-side Blazor app is hosted in ASP.NET Core

Side question: does that imply Blazor can actually be hosted somewhere/somehow else?

Does VS do something else beside setting sslPort in launchSettings.json because that's the only difference I see?

I believe VS also modifies the applicationhost.config file to setup IIS Express to support HTTPS.

Side question: does that imply Blazor can actually be hosted somewhere/somehow else?

Sure, client-side Blazor apps are really just a bunch of static files that can be hosted stand-alone using any static site hosting solution. You don't need .NET on the server at all. For example, you could host your app on GitHub pages or an Azure Static Site Hosting. @jeffhollan did a nice talk at the recent BUILD conference talk on the later.

@mkArtakMSFT @danroth27 Given the current priority for this item I marked it as help wanted. It should be easy I think to enable this on the templates:

This PR contains all the info needed I think, so its a matter of applying it to the hosted server-side template, and to the dev-server for client apps

https://github.com/aspnet/Templating/commit/aca30fe8a241d51be07fc941869288c59c66384a#diff-b5fa223ecb69cfdfc0b9caf4601c9358

@mkArtakMSFT @danroth27 Moving this out of preview8 into 3.1

@javiercn isn't this done already?

@mkArtakMSFT Nope, but this should be trivial. If @SteveSandersonMS was looking for cheap stuff, this is a candidate.

I agree this should be cheap, plus I think we'll get told it's mandatory when we go through Blazor WebAssembly security review.

This is done as part of my template changes.

https://github.com/dotnet/aspnetcore/pull/18354/files#diff-af0e0558e5db1f3ce748817f3b043165R258

https://github.com/dotnet/aspnetcore/pull/18354/files#diff-e275bbf3730f151429cdb4474ba6b0bfR75-R81