HowTo: Enforce HTTPS through URL Rewrite

We advise accessing Silver Essence over HTTPS (to enforce SSL communication) instead of HTTP. We do support HTTP, so that it is easier to set up a test or local environment, but for real production environments we strongly recommend the use of HTTPS. Here's how you can enforce HTTPS on a webserver that also supports HTTP.

Using HTTP and HTTPS

When the visitor types in the address for your Essence Portal without specifying HTTP or HTTPS, the browser picks one of the two, and which one depends on the browser the visitor uses. If you want to switch to HTTPS, the best way to do this is by using so-called webhops in your DNS records. Check with your DNS provider whether they support this and make the adjustments (or let them make the adjustments for you). That way the switch to HTTPS is already done before the visitor gets to your webserver, and you can disable HTTP completely.

Since a lot of DNS providers don't offer the option to use webhops, you will need to enable both HTTP and HTTPS on your webserver and then make the switch there, when the visitor gets to your webserver.

Enforce HTTPS using the web.config

To enforce HTTPS when the user uses HTTP, you can specify a URL Rewrite rule in Internet Information Services (IIS) Manager. This adds the following child node to the system.webServer node in your web.config. So the easiest way to do this is to copy the following into your web.config, somewhere underneath <system.webServer> as a child node.

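<rewrite>
  <rules>
    <!-- Redirect every request that did not arrive over HTTPS to the same host and URI on HTTPS. -->
    <rule name="Redirect to https" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" negate="false" />
      <conditions logicalGrouping="MatchAny">
        <!-- The {HTTPS} server variable is "off" for plain HTTP requests. -->
        <add input="{HTTPS}" pattern="off" />
      </conditions>
      <!-- redirectType="Found" answers with an HTTP 302 redirect. -->
      <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
    </rule>
  </rules>
</rewrite>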

Check after updates

If you update your Silver Essence Framework, it will never overwrite your web.config. We don't overwrite it because in some cases you need to add specific lines, for example to make use of the Exact Synergy Enterprise webservices. We still recommend keeping a copy of your working web.config, so you always have a backup.

If you use the URL Rewrite in a web.config from another application, the web.config might be overwritten during an update. So please check after the update whether this is the case. If so, restore the configuration nodes you added yourself from your backup.
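One way to run that check after an update, as an added example that is not part of Silver Essence: the PowerShell function below reads a web.config and reports whether an enabled rule still redirects non-HTTPS requests to https://. The function name Test-HttpsRedirectRule and the sample file are constructed for this illustration, and the script assumes the web.config uses no XML namespace.

```powershell
# Added example, not Silver Essence code. The function name is hypothetical.
function Test-HttpsRedirectRule {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$config = Get-Content -LiteralPath $Path -Raw
    # XPath is case-sensitive: the section is system.webServer, not system.webserver.
    $rules = $config.SelectNodes('/configuration/system.webServer/rewrite/rules/rule')
    foreach ($rule in $rules) {
        # A rule is enabled unless enabled="false" is set explicitly.
        if ($rule.GetAttribute('enabled') -eq 'false') { continue }
        # Accept the wildcard form (off) and the regex form (^off$) of the condition.
        $httpsOff = @($rule.SelectNodes('conditions/add') | Where-Object {
            $_.GetAttribute('input') -eq '{HTTPS}' -and
            $_.GetAttribute('pattern') -match '^\^?off\$?$'
        })
        $action = $rule.SelectSingleNode('action')
        if ($httpsOff.Count -gt 0 -and $null -ne $action -and
            $action.GetAttribute('type') -eq 'Redirect' -and
            $action.GetAttribute('url') -like 'https://*') {
            return [pscustomobject]@{
                Found        = $true
                RuleName     = $rule.GetAttribute('name')
                RedirectType = $action.GetAttribute('redirectType')
            }
        }
    }
    [pscustomobject]@{ Found = $false; RuleName = $null; RedirectType = $null }
}

# Constructed sample: a minimal web.config holding the rule from this page.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'web.config.sample'
@'
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect to https" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
          <match url="*" />
          <conditions>
            <add input="{HTTPS}" pattern="off" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
'@ | Set-Content -LiteralPath $sample

Test-HttpsRedirectRule -Path $sample
Remove-Item -LiteralPath $sample
```

Point -Path at the real web.config after an update; if Found comes back False, the rule was lost or disabled and should be restored from the backup copy.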

Website versus Application

You can enforce HTTPS using the URL Rewrite from the web.config of your website, usually located in C:\Inetpub\wwwroot. This enforces HTTPS for all the applications underneath that website. This is the safest way.

You can also enforce HTTPS through the web.config of your (Essence) application. That way the website can still use HTTP. Or you can set up 2 Essence Applications, for example one (production) using HTTPS and another (test) using HTTP.

HTTPS is always recommended

Even if you have a website that does not serve sensitive data, the use of HTTPS is still recommended. Not only is it more trustworthy for your visitors, it also improves your rating in the Google Search Ranking. So if you have the possibility to use HTTPS, use it whenever and wherever you can.