Rather than defer the change from HTTP to HTTPS to post development, what
would the downside be to generating a self-signed certificate in IIS and
using SSL from the get-go?

Joseph

On Fri, Nov 28, 2014 at 12:10 PM, Tom P <tompbi...@gmail.com> wrote:

> Thank you Glav and Michael. Lots of info here. Will spend some time on
> this to figure out what's going on, it's all over my head at the moment.
>
> Thanks
> Tom
>
>
> On 28 November 2014 at 10:13, Paul Glavich <subscripti...@theglavs.com>
> wrote:
>
>> External content can be tricky since you do not control whether it's
>> available via https so check on that.
>>
>>
>>
>> Additionally, don’t do something like <script src="http://somewhere/jquery.js">
>>
>> As when you go to SSL it will complain about loading insecure content and
>> fail. For the most part, using MVC and relative URLs you should not have
>> to worry about it. If you need to embed some externals, you can optionally
>> use the “//” syntax which adopts the browser's scheme when loading them so
>>
>>
>>
>> <script src="//somewhere/jquery.js">
>>
>> Will equate to http://somewhere/jquery.js or https://somewhere/jquery.js
>> depending on whether your site is using SSL or not.
>>
>>
>>
>> Also, if using forms auth, you can enforce your login to be SSL via
>>
>> <authentication mode="Forms">
>>
>>   <forms loginUrl="~/login" timeout="2880" requireSSL="true" />
>>
>> </authentication>
>>
>>
>>
>>
>>
>> You could leave this out in development config but include in release
>> config. There is also the [RequireSSL] attribute as well. See
>> http://weblog.west-wind.com/posts/2014/Jun/18/A-dynamic-RequireSsl-Attribute-for-ASPNET-MVC
>>
>>
>>
>>
>>
>> - Glav
>>
>>
>>
>> From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Michael Ridland
>> Sent: Friday, 28 November 2014 8:49 AM
>> To: ozDotNet
>> Subject: Re: SSL for ASP.NET MVC
>>
>>
>>
>> Hi Tom
>>
>>
>>
>> It can be more complicated than that, take a look at this.
>>
>>
>>
>> http://nickcraver.com/blog/2013/04/23/stackoverflow-com-the-road-to-ssl/
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Fri, Nov 28, 2014 at 8:40 AM, Tom P <tompbi...@gmail.com> wrote:
>>
>> Hi Noonie
>>
>>
>>
>> That sounds good. So it can be turned on later on if necessary.
>>
>>
>>
>> Is it necessary for me to "demand" SSL for LogIn type methods as those
>> should definitely be secure in a live environment? It doesn't concern me
>> while developing but it scares me to think the administrators may simply
>> forget to turn on SSL and then LogIn details will float around not
>> encrypted and the blame will find me somehow.
>>
>>
>>
>>
>>
>> Thanks
>>
>> Tom
>>
>>
>>
>>
>>
>>
>>
>> On 27 November 2014 at 20:35, noonie <neale.n...@gmail.com> wrote:
>>
>> Tom,
>>
>> You can ignore all that stuff as it should have nothing to do with your
>> web application.
>>
>> It's a "server thing" when running behind IIS etc. and all the magic
>> happens lower down the stack.
>>
>> --
>> noonie
>>
>> On 27/11/2014 4:20 pm, "Tom P" <tompbi...@gmail.com> wrote:
>>
>> Noob question here.
>>
>>
>>
>> How would I go about adding SSL to a MVC site? Is it simply a matter of
>> turning a switch on in the server somewhere and the admins can do it or do
>> things need to be done in code? I am reading a whole variety of ways such
>> as adding attributes, filters, configuration settings, cookie properties,
>> certificates and so on. Seems complicated. I was under the impression I
>> could do without it in development and have it simply "turned on" once it
>> goes live. Is this not the case?
>>
>>
>>
>>
>>
>> Thanks
>>
>> Tom
>>
>>
>>
>>
>>
>
>


-- 

w: http://jcooney.net
t: @josephcooney
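
The hard-coded `http://` versus `//` point raised in the quoted thread can be checked mechanically before a site moves to HTTPS. The following is an added example, not code from anyone in the thread: a Python scan that reports which references stay pinned to `http://`. The function names, the tag list and the sample markup (apart from the `somewhere/jquery.js` URLs quoted above) are assumptions of the example.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that fetch or submit something; <a href> is left out
# because following a plain link is not mixed content.
FETCH_ATTRS = {
    ("script", "src"), ("img", "src"), ("iframe", "src"), ("embed", "src"),
    ("audio", "src"), ("video", "src"), ("source", "src"), ("object", "data"),
    ("link", "href"), ("form", "action"),  # form: where credentials get posted
}

def classify(url):
    low = url.strip().lower()
    if low.startswith("//"):
        return "protocol-relative"   # inherits the page's scheme
    if low.startswith("http://"):
        return "insecure"            # blocked or warned about on an HTTPS page
    if low.startswith("https://"):
        return "secure"
    return "local"                   # relative or ~/ path, data: URI and so on

class SubresourceScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []           # (line, tag, url, classification)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rel & {"stylesheet", "icon"}:
            return                   # e.g. rel="canonical" is metadata, not a fetch
        for name, value in attrs.items():
            if (tag, name) in FETCH_ATTRS and value:
                self.findings.append((self.getpos()[0], tag, value, classify(value)))

def scan(markup):
    scanner = SubresourceScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings

def insecure_lines(markup):
    return [line for line, _tag, _url, kind in scan(markup) if kind == "insecure"]

# Constructed sample markup; the host names are made up for this example.
SAMPLE_VIEW = """<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="canonical" href="http://www.example/page">
<script src="//somewhere/jquery.js"></script>
<script src="http://somewhere/jquery.js"></script>
<img src="/Content/logo.png">
<a href="http://elsewhere.example/">plain link</a>
<form action="http://www.example/login" method="post"></form>"""
```

Running `insecure_lines` over each view file as a build step makes a leftover `http://` script, stylesheet or login form target fail the build instead of surfacing as a browser warning after go-live.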
