External content can be tricky since you do not control whether its available via https so check on that.
Additionally, don’t do something like <script src=”http://somewhere/jquery.js”> As when you go to SSL it will complain about loading insure content and fail. For the most part, using MVC and relative Url’s you should not have to worry about it. If you need to embed some externals, you can optionally use the “//” syntax which adopts the browsers scheme when loading them so <script src=”//somewhere/jquery.js”> Will equate to http://somewhere/jquery.js or https://somewhere/jquery.js depending on whether your site is using SSL or not. Also, if using forms auth, you can enforce your login to be SSL via <authentication mode="Forms"> <forms loginUrl="~/login" timeout="2880" requireSSL="true" /> </authentication> You could leave this out in development config but include in release config. There is also the [RequireSSL] attribute as well. See http://weblog.west-wind.com/posts/2014/Jun/18/A-dynamic-RequireSsl-Attribute-for-ASPNET-MVC - Glav From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Michael Ridland Sent: Friday, 28 November 2014 8:49 AM To: ozDotNet Subject: Re: SSL for ASP.NET MVC Hi Tom It can be more complicated than that, take a look at this. http://nickcraver.com/blog/2013/04/23/stackoverflow-com-the-road-to-ssl/ On Fri, Nov 28, 2014 at 8:40 AM, Tom P <tompbi...@gmail.com <mailto:tompbi...@gmail.com> > wrote: Hi Noonie That sounds good. So it can be turned on later on if necessary. Is it necessary for me to "demand" SSL for LogIn type methods as those should definitely be secure in a live environment? It doesn't concern me while developing but it scares me to think the administrators may simply forget to turn on SSL and then LogIn details will float around not encrypted and the blame will find me somehow. Thanks Tom On 27 November 2014 at 20:35, noonie <neale.n...@gmail.com <mailto:neale.n...@gmail.com> > wrote: Tom, You can ignore all that stuff as it should have nothing to do with your web application. It's a "server thing" when running behind IIS etc. and all the magic happens lower down the stack. -- noonie On 27/11/2014 4:20 pm, "Tom P" <tompbi...@gmail.com <mailto:tompbi...@gmail.com> > wrote: Noob question here. How would I go about adding SSL to a MVC site? Is it simply a matter of turning a switch on in the server somewhere and the admins can do it or do things need to be done in code? I am reading a whole variety of ways such as adding attributes, filters, configuration settings, cookie properties, certificates and so on. Seems complicated. I was under the impression I could do without it in development and have it simply "turned on" once it goes live. Is this not the case? Thanks Tom
