Tom,

It is something you can turn on later but you have to develop with a
mindset for your eventual usage scenario.

Develop locally without cert

Frequently deploy to dev server that has cert

Test in dev to make sure you don't introduce mixed secure/insecure content

If the content can't be served directly from your secure site then consider
alternative content that can

If you must ensure a secure connection then look at the HTTP context object,
I believe you can check secure connection state there

If you're backing onto a SQL data store be mindful of SQL injection attacks

Always understand that, ultimately, your app might be deployed into an
environment where the secure connection is terminated at a border device
and the environment owners are comfortable with an HTTP connection inside.

Sorry about the formatting, I'm sending this from my mobile.

-- 
noonie
 On 28/11/2014 3:41 pm, "Tom P" <tompbi...@gmail.com> wrote:

> Hi Joseph
>
> Just the fact that I'm not really up to speed on how this SSL business all
> works yet and didn't want to hold up development. I was curious to see if
> it was something that could be simply turned on later but seems like that's
> not the case. Sounds like I will be playing with SSL from the get-go as you
> say.
>
> Thanks
> Tom
>
> On 28 November 2014 at 13:34, Joseph Cooney <joseph.coo...@gmail.com>
> wrote:
>
>> Rather than defer the change from HTTP to HTTPS to post development, what
>> would the downside be to generating a self-signed certificate in IIS and
>> using SSL from the get-go?
>>
>> Joseph
>>
>> On Fri, Nov 28, 2014 at 12:10 PM, Tom P <tompbi...@gmail.com> wrote:
>>
>>> Thank you Glav and Michael. Lots of info here. Will spend some time on
>>> this to figure out what's going on, it's all over my head at the moment
>>>
>>> Thanks
>>> Tom
>>>
>>>
>>> On 28 November 2014 at 10:13, Paul Glavich <subscripti...@theglavs.com>
>>> wrote:
>>>
>>>> External content can be tricky since you do not control whether it's
>>>> available via https so check on that.
>>>>
>>>>
>>>>
>>>> Additionally, don’t do something like
>>>> <script src="http://somewhere/jquery.js">
>>>>
>>>> As when you go to SSL it will complain about loading insecure content and
>>>> fail. For the most part, using MVC and relative URLs you should not have
>>>> to worry about it. If you need to embed some externals, you can optionally
>>>> use the “//” syntax which adopts the browser's scheme when loading them so
>>>>
>>>>
>>>>
>>>> <script src="//somewhere/jquery.js">
>>>>
>>>> Will equate to http://somewhere/jquery.js or
>>>> https://somewhere/jquery.js depending on whether your site is using
>>>> SSL or not.
>>>>
>>>>
>>>>
>>>> Also, if using forms auth, you can enforce your login to be SSL via
>>>>
>>>> <authentication mode="Forms">
>>>>
>>>>   <forms loginUrl="~/login" timeout="2880" requireSSL="true" />
>>>>
>>>> </authentication>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> You could leave this out in development config but include in release
>>>> config. There is also the [RequireSSL] attribute as well. See
>>>> http://weblog.west-wind.com/posts/2014/Jun/18/A-dynamic-RequireSsl-Attribute-for-ASPNET-MVC
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> -        Glav
>>>>
>>>>
>>>>
>>>> *From:* ozdotnet-boun...@ozdotnet.com [mailto:
>>>> ozdotnet-boun...@ozdotnet.com] *On Behalf Of *Michael Ridland
>>>> *Sent:* Friday, 28 November 2014 8:49 AM
>>>> *To:* ozDotNet
>>>> *Subject:* Re: SSL for ASP.NET MVC
>>>>
>>>>
>>>>
>>>> Hi Tom
>>>>
>>>>
>>>>
>>>> It can be more complicated than that, take a look at this.
>>>>
>>>>
>>>>
>>>> http://nickcraver.com/blog/2013/04/23/stackoverflow-com-the-road-to-ssl/
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Fri, Nov 28, 2014 at 8:40 AM, Tom P <tompbi...@gmail.com> wrote:
>>>>
>>>> Hi Noonie
>>>>
>>>>
>>>>
>>>> That sounds good. So it can be turned on later on if necessary.
>>>>
>>>>
>>>>
>>>> Is it necessary for me to "demand" SSL for LogIn type methods as those
>>>> should definitely be secure in a live environment? It doesn't concern me
>>>> while developing but it scares me to think the administrators may simply
>>>> forget to turn on SSL and then LogIn details will float around not
>>>> encrypted and the blame will find me somehow.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Thanks
>>>>
>>>> Tom
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 27 November 2014 at 20:35, noonie <neale.n...@gmail.com> wrote:
>>>>
>>>> Tom,
>>>>
>>>> You can ignore all that stuff as it should have nothing to do with your
>>>> web application.
>>>>
>>>> It's a "server thing" when running behind IIS etc. and all the magic
>>>> happens lower down the stack.
>>>>
>>>> --
>>>> noonie
>>>>
>>>> On 27/11/2014 4:20 pm, "Tom P" <tompbi...@gmail.com> wrote:
>>>>
>>>> Noob question here.
>>>>
>>>>
>>>>
>>>> How would I go about adding SSL to a MVC site? Is it simply a matter of
>>>> turning a switch on in the server somewhere and the admins can do it or do
>>>> things need to be done in code? I am reading a whole variety of ways such
>>>> as adding attributes, filters, configuration settings, cookie properties,
>>>> certificates and so on. Seems complicated. I was under the impression I
>>>> could do without it in development and have it simply "turned on" once it
>>>> goes live. Is this not the case?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Thanks
>>>>
>>>> Tom
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>> --
>>
>> w: http://jcooney.net
>> t: @josephcooney
>>
>
>
>
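
An added example, not code from any poster in this thread or from ASP.NET MVC itself: one way to demand a secure connection on login actions while still coping with TLS that is terminated at a border device. The attribute name, the proxy addresses and the use of the `X-Forwarded-Proto` header are assumptions; check which header your border device actually sets.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical filter for illustration. Apply as [RequireSecureTransport] on the login action.
public class RequireSecureTransportAttribute : FilterAttribute, IAuthorizationFilter
{
    // Assumption: addresses of the border devices that terminate TLS (constructed values).
    private static readonly string[] TrustedProxies = { "10.0.0.5", "10.0.0.6" };

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");
        HttpRequestBase request = filterContext.HttpContext.Request;

        // Local development without a cert is allowed.
        // Assumes the border device is a separate host, otherwise every request looks local.
        if (request.IsLocal || IsSecure(request)) return;

        if (!string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            // Do not redirect a POST: the credentials have already been sent in clear,
            // so fail loudly and let the misconfiguration be noticed.
            filterContext.Result = new HttpStatusCodeResult(403, "HTTPS required");
            return;
        }

        // Same redirect shape the built-in RequireHttps filter uses for GET requests.
        filterContext.Result = new RedirectResult("https://" + request.Url.Host + request.RawUrl);
    }

    private static bool IsSecure(HttpRequestBase request)
    {
        // TLS reached IIS itself.
        if (request.IsSecureConnection) return true;

        // TLS ended at a border device: believe the forwarded scheme only when the
        // request really came from a known proxy, since any client can send this header.
        if (!TrustedProxies.Contains(request.UserHostAddress)) return false;
        string proto = request.Headers["X-Forwarded-Proto"];
        return string.Equals(proto, "https", StringComparison.OrdinalIgnoreCase);
    }
}
```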
