Secure API with HTTPS in .NET Core

🔒 To build a secure API in .NET Core

Implementing HTTPS is not just a feature but a fundamental requirement. HTTPS ensures that all data exchanged between the client and server is encrypted, protecting against man-in-the-middle (MitM) attacks and data tampering. While .NET Core makes enabling HTTPS straightforward, a truly secure API design goes beyond a simple toggle switch.

🛠️ How to implement HTTPS in .NET Core

Modern .NET Core templates automatically enable HTTPS for development, but for production, you need to configure it explicitly.

1️⃣ Configure for development

When you create a new ASP.NET Core project, the launchSettings.json file is configured with both HTTP and HTTPS URLs for Kestrel, the default web server.

launchSettings.json:

"profiles": {
  "https": {
    "commandName": "Project",
    "launchBrowser": true,
    "launchUrl": "swagger",
    "applicationUrl": "https://localhost:7175;http://localhost:5199",
    "environmentVariables": {
      "ASPNETCORE_ENVIRONMENT": "Development"
    }
  }
}
    

🔐 Trust the development certificate:

For browsers and tools to trust the self-signed certificate, run the following command in your terminal.

dotnet dev-certs https --trust
    

2️⃣ Enforce HTTPS redirection

In production, your server should not accept insecure HTTP requests. The UseHttpsRedirection() middleware handles this by automatically redirecting HTTP requests to HTTPS.

Program.cs:

var builder = WebApplication.CreateBuilder(args);
// ...

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    app.UseHsts(); // Recommended for production
}

// Redirects HTTP requests to HTTPS
app.UseHttpsRedirection();

// ...
app.Run();
    

3️⃣ Enable HTTP Strict Transport Security (HSTS)

HSTS is a security enhancement that instructs browsers to always connect to your domain over HTTPS, even if a user explicitly types "http://".

Program.cs:

if (!app.Environment.IsDevelopment())
{
    app.UseHsts(); // Adds the "Strict-Transport-Security" header
}
    

✅ Advantages of using HTTPS

• 🔐 Data confidentiality: Encrypts all data in transit, protecting sensitive information like credentials and personal data from being intercepted.
• 🆔 Authentication: The server's SSL/TLS certificate proves its identity, protecting clients from impersonation attacks (man-in-the-middle).
• 🧮 Data integrity: Guarantees that data sent between the client and server has not been tampered with.
• 📈 Improved SEO: Search engines like Google give a ranking boost to websites and APIs that use HTTPS.
• 🔏 Increased trust: The padlock icon in a browser's address bar signals to users that their connection is secure.

⚠️ Disadvantages of HTTPS

• 🐢 Performance overhead: The encryption and decryption process adds a small amount of latency. However, modern hardware and optimized protocols like HTTP/2 have made this impact negligible for most applications.
• 📋 Certificate management: Requires obtaining and renewing SSL/TLS certificates. While free options like Let's Encrypt are available, management overhead exists, especially with multiple services.
• 🧩 Initial complexity: Setting up HTTPS in a production environment with custom servers or cloud platforms requires careful configuration.

💡 Best practices and tips

• 🛡️ Use HSTS in production: Enable HSTS in your production environment to protect against protocol downgrade attacks.
• 🔐 Centralize certificate management: Use a cloud service like Azure Key Vault or AWS Certificate Manager for a more secure and automated approach to managing certificates.
• 🚫 Implement HTTPS-only listeners: On public-facing servers, avoid listening for HTTP traffic entirely. Configure your server (e.g., Kestrel, IIS) to only listen on the HTTPS port (443). For API clients, this is more robust than redirection, which is primarily a browser-centric feature.
• 🧱 Use strong TLS versions: Ensure your server is configured to use modern TLS versions (TLS 1.2 or higher) and disable insecure cipher suites.
• 🔁 Deploy behind a reverse proxy: In many production setups, a reverse proxy (like Nginx, a cloud load balancer, or Azure Application Gateway) handles SSL termination. Your .NET Core application should be configured to trust forwarded headers from this proxy to correctly identify HTTPS traffic.
• 🧼 Validate input: Encryption secures data in transit but doesn't protect against malicious input. Always validate and sanitize all user input to prevent injection attacks (e.g., SQL injection, XSS).
• 🔑 Authentication and authorization: HTTPS is transport-level security. Combine it with strong authentication (e.g., JWT) and authorization to ensure only legitimate, authorized users can access your API endpoints.

🚨 Precautions

• 🚫 Avoid hard-coding certificates: Never hard-code certificate passwords or paths into your configuration files. Use a secure secrets management solution.
• 🔄 Do not rely on redirection for APIs: While UseHttpsRedirection() is fine for browser-based clients, many API clients may not correctly handle the 307 redirect status code. Configure your API to refuse non-HTTPS connections or only listen on port 443.
• ⚠️ Be aware of mixed content: If your API is called from a webpage, ensure that all assets on that page (images, scripts, CSS) are also loaded via HTTPS. Mixed content can trigger browser warnings and undermine security.
• ⏳ Rotate certificates before expiration: Put processes in place to automatically renew or rotate your certificates well before they expire. Let's Encrypt offers a free, automated way to do this.