Skip to content
Create a gist now

Instantly share code, notes, and snippets.

RequireHttpsAttribute using X-Forwarded-Proto header
using System;
using System.Web.Mvc;
using RequireHttpsAttributeBase = System.Web.Mvc.RequireHttpsAttribute;
namespace AppHarbor.Web
{
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true,
AllowMultiple = false)]
public class RequireHttpsAttribute : RequireHttpsAttributeBase
{
public override void OnAuthorization(AuthorizationContext filterContext)
{
if (filterContext == null)
{
throw new ArgumentNullException("filterContext");
}
if (filterContext.HttpContext.Request.IsSecureConnection)
{
return;
}
if (string.Equals(filterContext.HttpContext.Request.Headers["X-Forwarded-Proto"],
"https",
StringComparison.InvariantCultureIgnoreCase))
{
return;
}
if (filterContext.HttpContext.Request.IsLocal)
{
return;
}
HandleNonHttpsRequest(filterContext);
}
}
}
@ignaciofuentes

How about asp.net web api?
a custom RequireHttpsAttribute that also takes into consideration the "X-Forwarded-Proto" Header is also needed.
Correct?

@coachrob
coachrob commented Apr 2, 2013

Just what the doctor ordered! Thanks for sharing!

@HartleyOriginalJam

We have just had to come to this and had to do a FirstOrDefault() when checking the headers...

string.Equals(request.Headers["X-Forwarded-Proto"].FirstOrDefault(), "https", StringComparison.InvariantCultureIgnoreCase)

@geersch
geersch commented Nov 29, 2013

Here's a quick gist containing a similar version for requiring HTTPS on Web API calls for AppHarbor:

https://gist.github.com/geersch/7710361

@RobertVandenberg

I suggest using Uri.UriSchemeHttps instead of "https" directly.

http://msdn.microsoft.com/zh-tw/library/system.uri.urischemehttps(v=vs.110).aspx

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.