Colin Bacon, web developer.

Getting an SSL cert is just the first step on the road to HTTPS

Getting an SSL cert is just the first step on the road to HTTPS

When I considered moving this blog to HTTPS all I thought about was getting an SSL certificate. Actually the certificate is only the first step, there is plenty more to do.

I set up my SSL certificate on Azure using Let's Encrpyt, which was not a trivial task in itself and I did have problems. Once I had set it up I high-fived myself and thought, that's all the hard work done. So what does it actually involve? Depending on the size and complexity it can mean quite a lot. Here is what I had to do.

1. Enable SSL on project

To enable SSL on an ASP.NET MVC project follow these steps:

Select the web project and press F4 to bring up the properties window.

Project properties

Set SSL Enabled to True

SSL enabled property set to true

Below this property you will see the HTTP and HTTPS URLs for the project.

2. Ensure routing uses HTTPS

Once I got the default page loading with HTTPS, clicking around I uncovered my next problem. Links to pages within the site were still HTTP. I had a URL helper class for all my links that was explicitly setting the protocol to HTTP. A quick update to this class and now all site links were working.

2. Enforce redirects to HTTPS

Arriving to the site via HTTPS and browsing the site was all working but a user could still browse via HTTP, e.g from an old link. Any visitor that arrives over HTTP needs to be redirected to HTTPS. To do this I used a FilterAttribute taken from Rehan Saeed's ASP.NET MVC Boilerplate. Now the site is HTTPS only.

3. CDN images

This was more painful than I thought it would be. I store images in Azure blob storage and then have an Azure CDN in front of it. The custom URL is http://images.iambacon.co.uk/blog. However using the SSL certificate for iambacon.co.uk with Azure CDN is currently unsupported, although they are apparently working on it. Azure does provide a default HTTP and HTTPS endpoint (e.g. https://az720974.vo.msecnd.net/) so I have had to update my images to use this for now.

4. Update posts with new image URL

All content with images needed updating with the new URL. Images served by HTTP will still show, but if you look in the browser dev tools console you will see warnings for mixed content. Changing the URL for all images was done using a SQL script to update the data in the database.

Summary

These are all the steps I needed to take after setting up an SSL certificate to get my blog SSL ready. Hopefully you can see there are quite a few things to think about when moving to HTTPS. Whilst the steps were fairly straight forward, the exception being Azure CDN, the complexity will only increase with the size of the project. When you do consider moving a site to HTTPS remember it is more than just a certificate.

Padlock icon made by Freepik from www.flaticon.com is licensed by CC 3.0 BY