Require HTTPS on only some pages

One of our customers needed to require HTTPS/SSL on some of their pages that contained sensitive data.

Why not just use HTTPS for the entire site, you might ask?

The reason for this is that they use Google Maps and the Google Maps Premium Subscription was not an option due to the high cost for this service.

To solve this I wrote an HttpModule that directs web traffic to the right protocol.

Usage

Configure IIS to reply on both HTTP (port 80) and HTTPS (port 443) and add this to Web.config httpModules:

<add name="PageSecurityEnabler" type="Epinova.PageSecurityEnabler.PageSecurityEnablerHttpModule, Epinova.PageSecurityEnabler"/>

Configuration

You can configure which pages should be redirected in the config element "HttpsRequiredPages". The options are: "id1|id2|id3|id4", "All" or "None".

<configuration>
    <configSections>
        <sectionGroup name="applicationSettings" type="System.Configuration.ApplicationSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >
            <section name="Epinova.PageSecurityEnabler.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
        </sectionGroup>
    </configSections>
    <applicationSettings>
        <Epinova.PageSecurityEnabler.Properties.Settings>
            <setting name="HttpsRequiredPages" serializeAs="String">
                <value>None</value>
            </setting>
            <setting name="ExcludeFolders" serializeAs="String">
                <value>edit|admin</value>
            </setting>
        </Epinova.PageSecurityEnabler.Properties.Settings>
    </applicationSettings>
</configuration>
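
The module's source is not shown on this page. As an added example (not the Epinova.PageSecurityEnabler code), the C# below shows one way the two settings could drive the protocol decision. The names `ProtocolDecision`, `GetRedirectTarget` and `RequiresHttps` are hypothetical, and it assumes the caller has already resolved the request to a page id, that ExcludeFolders matches the first path segment, and that pages not requiring HTTPS are sent back to HTTP.

```csharp
using System;
using System.Linq;

// Added illustration; not the Epinova.PageSecurityEnabler source.
public static class ProtocolDecision
{
    // Returns the URL to redirect to, or null when the request already uses the right scheme.
    // pageId is the id the caller resolved for the request (null when the URL is not a page).
    public static Uri GetRedirectTarget(Uri requestUrl, int? pageId,
                                        string httpsRequiredPages, string excludeFolders)
    {
        // Assumption: ExcludeFolders names top-level folders the module leaves untouched.
        string[] segments = requestUrl.AbsolutePath.Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
        string[] excluded = Split(excludeFolders);
        if (segments.Length > 0 && excluded.Contains(segments[0], StringComparer.OrdinalIgnoreCase))
            return null;

        // Assumption: a page that does not require HTTPS is directed to HTTP.
        bool needsHttps = RequiresHttps(pageId, httpsRequiredPages);
        bool isHttps = requestUrl.Scheme == Uri.UriSchemeHttps;
        if (needsHttps == isHttps)
            return null;

        // Port = -1 makes UriBuilder use the default port of the new scheme (80 / 443).
        var builder = new UriBuilder(requestUrl)
        {
            Scheme = needsHttps ? Uri.UriSchemeHttps : Uri.UriSchemeHttp,
            Port = -1
        };
        return builder.Uri;
    }

    public static bool RequiresHttps(int? pageId, string httpsRequiredPages)
    {
        string setting = (httpsRequiredPages ?? "None").Trim();
        if (setting.Equals("All", StringComparison.OrdinalIgnoreCase)) return true;
        if (setting.Equals("None", StringComparison.OrdinalIgnoreCase)) return false;
        if (pageId == null) return false;
        // Entries that are not integers are ignored rather than treated as a match.
        return Split(setting).Any(s => { int id; return int.TryParse(s, out id) && id == pageId.Value; });
    }

    private static string[] Split(string value)
    {
        return (value ?? "").Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries)
                            .Select(s => s.Trim()).ToArray();
    }
}
```

In an HttpModule this would be called from a BeginRequest handler, issuing Response.Redirect only when the result is not null.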

Download

Epinova.PageSecurityEnabler

Notes

You might want to create a self-signed SSL certificate for testing. This is easy in IIS 7, but in IIS 6 you might want to read this: http://pranas.net/2008/12/creating-a-self-signed-ssl-certificate-without-a-mess-of-makecert-exe-using-ssl-diagnostics-tool/#BestSolution