ASP.NET MVC RequireHttps in Production Only

Question

I want to use the RequireHttpsAttribute to prevent unsecured HTTP requests from being sent to an action method.

C#

[RequireHttps] //apply to all acti         


        

Answer 1

For MVC 3 I added my own FilterProvider (based on code found here: Global and Conditional Filters that, among other things (displaying Debug info for local users etc.) will decorate all actions with RequireHttpsAttribute when HttpContext.Request.IsLocal == false.

Answer 2

As Joel mentioned you can alter the compilation by using the #if !DEBUG directive.

I just found out that you can alter the value of the DEBUG symbol in the web.config file compilation element. Hope that helps.

Answer 3

Deriving from RequireHttps is a good approach.

To side step the issue entirely, you can use IIS on your local machine with a self-signed certificate too. IIS is faster than the built-in webserver, and you have the advantage that your development environment is more like production.

Scott Hanselman has a great resource on a few ways to implement local HTTPS with VS2010 and IIS Express.