In this tutorial, you will learn how to add a redirect rule that ensures your Episerver CMS-powered website always uses HTTPS. When building any Episerver project, security should be one of your big concerns. If your project has to deal with sensitive data, like website visitors filling in a form with credit card details, you will need to install an SSL certificate so that the data cannot be intercepted in transit. Google will also reward your website with SEO points if you use HTTPS, as you can read from here. In this tutorial, you will learn about two approaches to force HTTPS-only connections.

The first option I will cover is adding a redirect rule within the web.config. This approach is the easiest; however, it requires the IIS URL Rewrite module to be installed on your web server. Without this module installed on all of your web servers, the redirect will not work 😞. In the config approach, you add a routing rule that forces every page to use HTTPS. This approach is an all-or-nothing technique (which is good). Content editors will not be able to decide which pages they want to make HTTPS. The second option is done at page level within the CMS. Content editors will be able to pick which pages will be HTTPS inside Episerver. Performance-wise, doing a redirect at page level within the CMS is not as efficient as a routing rule; however, it gives content editors more power.

Both approaches assume you have an SSL certificate installed on all of your web servers. I will not cover how to do that here as it's a more generic IIS task compared to Episerver-specific knowledge. If you do not know how to install an SSL certificate, Google is your friend 😉. With that said, if you want to know the most appropriate way for you to implement HTTPS on your project, read on 🔥🔥🔥

Web.config Approach (Global)

To make the routing rule, make sure you have the URL Rewrite module installed on all of your web servers. I have forgotten to do this a few times, and forgetting will simply waste a few hours of your time wondering why things are not working. You can tell when you have forgotten to install the URL Rewrite module, as you will encounter a 500.19 - Internal Server Error when you try to view a page.

To add this routing rule, within your web.config file, add this config (stolen from here)

With this rule installed, IIS will redirect/append any HTTP requests to use HTTPS automatically. Job done 💥

TIP: The rule above is for non-load-balanced environments. If you are running your environment behind a load balancer, you need to use a rule that works with {HTTP_X_FORWARDED_PROTO}.
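
As an added example (not the config the original post linked to), here is what the two variants described above can look like as IIS URL Rewrite rules. The rule names are my own, and Option B assumes the load balancer terminates TLS and sets the X-Forwarded-Proto header itself, overwriting any value the client sent.

```xml
<!-- Added example: place inside <configuration> in web.config.
     Requires the IIS URL Rewrite module. Enable exactly ONE of the two rules. -->
<system.webServer>
  <rewrite>
    <rules>
      <!-- Option A: TLS terminates on this IIS server (no load balancer).
           {HTTPS} is "off" when the request reached IIS over plain HTTP. -->
      <rule name="Force HTTPS (direct)" enabled="true" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
          <add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                redirectType="Permanent" appendQueryString="true" />
      </rule>

      <!-- Option B: TLS terminates on a load balancer that forwards plain HTTP.
           Here {HTTPS} is always "off" on the web server, so Option A would
           redirect forever. Test the forwarded protocol header instead.
           Assumption: the load balancer sets X-Forwarded-Proto and replaces
           any client-supplied value; otherwise the header cannot be trusted. -->
      <rule name="Force HTTPS (behind load balancer)" enabled="false" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
          <add input="{HTTP_X_FORWARDED_PROTO}" pattern="^https$"
               negate="true" ignoreCase="true" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                redirectType="Permanent" appendQueryString="true" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
```

Browsers cache permanent redirects, so while testing it can help to set redirectType="Found" and switch to "Permanent" once the rule behaves as expected.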

Episerver Way (Base Controller)

In the second approach, we add the redirect logic within the CMS. For this to work, I'm assuming you have a normal MVC Episerver set-up. The code to force the redirect will need to be added in a base controller that all your page controllers inherit from:

In the base page controller, override OnActionExecuting. OnActionExecuting is the method that gets called in the MVC pipeline before an action method is invoked. If we override it, we can make sure no actions are ever invoked unless they fulfil our HTTPS rule requirements. To set which pages should enforce HTTPS, I recommend you define an interface that you can implement on any page type that you want to make HTTPS. The interface will force all of those page types to implement a RequiredHttps property and could look like this:

The next step is to add a check on the base controller to redirect a request if RequiredHttps is enabled and the current request is an HTTP request:

In the code, check if the RequiredHttps boolean is set. If RequiredHttps is set, you need to check if the current request is HTTP or HTTPS. You can do this by getting the request data out of the Session key-value pair. If the content editor has set the required HTTPS flag, you can call IsRequestSecure() to make sure the request is an HTTPS request. If the request is not HTTPS, you can return a RedirectResult to force the request to use HTTPS. Job done 💥


You now know two ways to force HTTPS on your site: one that works directly in the web.config using generic IIS configuration and one that is Episerver-specific. Which rule you use will depend on how much control you want to give your content editors. I personally only tend to use option 1 on my projects. I have used option 2 once when we had a very specific requirement. As always, do what makes you happy 😊 Happy Coding 🤘