Re: SSL for ASP.NET MVC
Tom, It is something you can turn on later but you have to develop with a mindset for your eventual usage scenario. Develop locally without cert Frequently deploy to dev server that has cert Test in dev to make sure you don't introduce mixed secure/insecure content If the content can't be served directly from your secure site then consider alternative content that can If you must ensure secure connection then look at the http context object , I believe you can check secure connection state there If you're backing onto sql data store be mindful of sql injection attacks Always understand that, ultimately, your app might be deployed into an environment where the secure connection is terminated at a border device and the environment owners are comfortable with a http connection inside. Sorry about the formatting, I'm sending this from my mobile. -- noonie On 28/11/2014 3:41 pm, "Tom P" wrote: > Hi Joseph > > Just the fact that I'm not really up to speed on how this SSL business all > works yet and didn't want to hold up development. I was curious to see if > it was something that could be simply turned on later but seems like that's > not the case. Sounds like I will be playing with SSL from the get-go as you > say. > > Thanks > Tom > > On 28 November 2014 at 13:34, Joseph Cooney > wrote: > >> Rather than defer the change from HTTP to HTTPS to post development, what >> would the downside be to generating a self-signed certificate in IIS and >> using SSL from the get-go? >> >> Joseph >> >> On Fri, Nov 28, 2014 at 12:10 PM, Tom P wrote: >> >>> Thank you Glav and Michael. Lots of info here. Will spend some time on >>> this to figure out what's going on, it's all over my head at the moment >>> >>> Thanks >>> Tom >>> >>> >>> On 28 November 2014 at 10:13, Paul Glavich >>> wrote: >>> External content can be tricky since you do not control whether its available via https so check on that. Additionally, don’t do something like
Re: SSL for ASP.NET MVC
Hi Joseph Just the fact that I'm not really up to speed on how this SSL business all works yet and didn't want to hold up development. I was curious to see if it was something that could be simply turned on later but seems like that's not the case. Sounds like I will be playing with SSL from the get-go as you say. Thanks Tom On 28 November 2014 at 13:34, Joseph Cooney wrote: > Rather than defer the change from HTTP to HTTPS to post development, what > would the downside be to generating a self-signed certificate in IIS and > using SSL from the get-go? > > Joseph > > On Fri, Nov 28, 2014 at 12:10 PM, Tom P wrote: > >> Thank you Glav and Michael. Lots of info here. Will spend some time on >> this to figure out what's going on, it's all over my head at the moment >> >> Thanks >> Tom >> >> >> On 28 November 2014 at 10:13, Paul Glavich >> wrote: >> >>> External content can be tricky since you do not control whether its >>> available via https so check on that. >>> >>> >>> >>> Additionally, don’t do something like
Re: SSL for ASP.NET MVC
Rather than defer the change from HTTP to HTTPS to post development, what would the downside be to generating a self-signed certificate in IIS and using SSL from the get-go? Joseph On Fri, Nov 28, 2014 at 12:10 PM, Tom P wrote: > Thank you Glav and Michael. Lots of info here. Will spend some time on > this to figure out what's going on, it's all over my head at the moment > > Thanks > Tom > > > On 28 November 2014 at 10:13, Paul Glavich > wrote: > >> External content can be tricky since you do not control whether its >> available via https so check on that. >> >> >> >> Additionally, don’t do something like
Re: SSL for ASP.NET MVC
Thank you Glav and Michael. Lots of info here. Will spend some time on this to figure out what's going on, it's all over my head at the moment Thanks Tom On 28 November 2014 at 10:13, Paul Glavich wrote: > External content can be tricky since you do not control whether its > available via https so check on that. > > > > Additionally, don’t do something like
RE: SSL for ASP.NET MVC
External content can be tricky since you do not control whether its available via https so check on that. Additionally, don’t do something like
Re: SSL for ASP.NET MVC
Hi Tom It can be more complicated than that, take a look at this. http://nickcraver.com/blog/2013/04/23/stackoverflow-com-the-road-to-ssl/ On Fri, Nov 28, 2014 at 8:40 AM, Tom P wrote: > Hi Noonie > > That sounds good. So it can be turned on later on if necessary. > > Is it necessary for me to "demand" SSL for LogIn type methods as those > should definitely be secure in a live environment? It doesn't concern me > while developing but it scares me to think the administrators may simply > forget to turn on SSL and then LogIn details will float around not > encrypted and the blame will find me somehow. > > > Thanks > Tom > > > > On 27 November 2014 at 20:35, noonie wrote: > >> Tom, >> >> You can ignore all that stuff as it should have nothing to do with your >> web application. >> >> It's a "server thing" when running behind IIS etc. and all the magic >> happens lower down the stack. >> >> -- >> noonie >> On 27/11/2014 4:20 pm, "Tom P" wrote: >> >>> Noob question here. >>> >>> How would I go about adding SSL to a MVC site? Is it simply a matter of >>> turning a switch on in the server somewhere and the admins can do it or do >>> things need to be done in code? I am reading a whole variety of ways such >>> as adding attributes, filters, configuration settings, cookie properties, >>> certificates and so on. Seems complicated. I was under the impression I >>> could do without it in development and have it simply "turned on" once it >>> goes live. Is this not the case? >>> >>> >>> Thanks >>> Tom >>> >> >
Re: SSL for ASP.NET MVC
Hi Noonie That sounds good. So it can be turned on later on if necessary. Is it necessary for me to "demand" SSL for LogIn type methods as those should definitely be secure in a live environment? It doesn't concern me while developing but it scares me to think the administrators may simply forget to turn on SSL and then LogIn details will float around not encrypted and the blame will find me somehow. Thanks Tom On 27 November 2014 at 20:35, noonie wrote: > Tom, > > You can ignore all that stuff as it should have nothing to do with your > web application. > > It's a "server thing" when running behind IIS etc. and all the magic > happens lower down the stack. > > -- > noonie > On 27/11/2014 4:20 pm, "Tom P" wrote: > >> Noob question here. >> >> How would I go about adding SSL to a MVC site? Is it simply a matter of >> turning a switch on in the server somewhere and the admins can do it or do >> things need to be done in code? I am reading a whole variety of ways such >> as adding attributes, filters, configuration settings, cookie properties, >> certificates and so on. Seems complicated. I was under the impression I >> could do without it in development and have it simply "turned on" once it >> goes live. Is this not the case? >> >> >> Thanks >> Tom >> >
Re: SSL for ASP.NET MVC
Tom, You can ignore all that stuff as it should have nothing to do with your web application. It's a "server thing" when running behind IIS etc. and all the magic happens lower down the stack. -- noonie On 27/11/2014 4:20 pm, "Tom P" wrote: > Noob question here. > > How would I go about adding SSL to a MVC site? Is it simply a matter of > turning a switch on in the server somewhere and the admins can do it or do > things need to be done in code? I am reading a whole variety of ways such > as adding attributes, filters, configuration settings, cookie properties, > certificates and so on. Seems complicated. I was under the impression I > could do without it in development and have it simply "turned on" once it > goes live. Is this not the case? > > > Thanks > Tom >
SSL for ASP.NET MVC
Noob question here. How would I go about adding SSL to a MVC site? Is it simply a matter of turning a switch on in the server somewhere and the admins can do it or do things need to be done in code? I am reading a whole variety of ways such as adding attributes, filters, configuration settings, cookie properties, certificates and so on. Seems complicated. I was under the impression I could do without it in development and have it simply "turned on" once it goes live. Is this not the case? Thanks Tom