Secure Sockets Layer (SSL) is a protocol that provides communication security over the network. SSL is useful when you have sensitive information, such as login credentials or credit card information, transferred over the network.
If your site requires the use of an SSL certificate, you must perform the following:
PREREQUISITES: Sitefinity CMS requires that you set up the http binding on port 80 and the https binding on port 443.
After you have set up and tested the certificate, you can configure any page, backend or frontend, to require the SSL certificate. We recommend that you require SSL on all frontend and backend login pages, where login credentials are transferred over the network.
Serving the entire website content under the https:// protocol is the most common scenario when configuring SSL for Sitefinity CMS. It is not only the industry-recommended way to serve content more securely over the Internet, but can also be a required step if your website needs to pass HIPAA, PCI and other compliance checks. Sitefinity CMS enables you to enforce https:// for the entire website traffic from a central place - the RequireHttpsForAllRequests setting. To enable RequireHttpsForAllRequests, follow these steps:
As a result, the entire website (both frontend and backend) is served under https://. Even if somebody requests a resource under http:// explicitly, the request is redirected internally and served under https://.
IMPORTANT: Enforcing SSL for the entire website via the RequireHttpsForAllRequests setting guarantees that any resource from the site is served under https://. Once this setting is enabled, you don't need to configure anything in addition, as RequireHttpsForAllRequests is the central mechanism for enforcing SSL and overrides all other settings. If, however, you want to serve only specific areas of your website under https:// while the rest remains under http://, you need to disable RequireHttpsForAllRequests and follow the instructions in the following paragraphs that describe enforcing partial SSL scenarios.
If your requirement is to have just the backend login page served under https://, while the rest of the site remains under http://, Sitefinity CMS enables you to specify that level of granularity. For this scenario, you must enable SSL only for the Authentication module via the Require Https setting. To achieve this, perform the following steps:
NOTE: The Require Https property enforces only the backend login page to be served under https://.
Some scenarios may require you to configure only selected pages to be served under the https:// protocol, while the rest continue to be served under the http:// protocol.
Every page created in Sitefinity CMS can be configured to be served explicitly under the https:// protocol. This behavior is controlled by the Require SSL property available in the page Advanced options. It is disabled by default. To enable it, perform the following steps:
In the scenario where you configure only certain frontend pages to Require SSL, and you have some frontend pages that will be served under the http:// protocol only, you need to configure Sitefinity CMS to allow for the transition between the two protocols. To enable frontend pages that have not been explicitly configured to Require SSL to be served under http:// only, perform the following steps:
In case you want to enable SSL for the website frontend only, and keep the rest of the site served under http://, you must set the Require SSL property to true for all frontend pages. To automate the task, you can execute the following code:
Additionally, you must disable the Remove ssl when the page does not require it setting, to ensure that Sitefinity CMS will not allow serving pages under http:// when they have not been explicitly configured to Require SSL. This way you can enforce the https:// protocol for the whole site frontend. For example, if the Remove ssl when the page does not require it setting is disabled, even if someone adds a new page and forgets to enable RequireSSL, as long as users are navigating to that new page from an https:// page, the new page will get served under https://. To configure this behavior, perform the following:
NOTE: The key above is an example. You must add the same key that is used in the other security token issuers.
IMPORTANT: Do not remove the existing issuer binding to http://localhost.
NOTE: You might need to change the Relying Parties configuration, especially when you have Load Balancing configured, so that users avoid getting a Redirect Loop when they try to log in to the backend. For more information, see Configure Security.
NOTE: To secure the backend login page, you must follow the instructions for configuring the backend login page to require SSL, provided earlier in this article.
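The settings described in this article combine into one rule for which protocol a page should end up on, and that rule can be checked against observed responses after a configuration change. The following Python sketch is an added example, not Sitefinity CMS code: the function names, the example.test host and the observation records are constructed for illustration, and the rule encodes only what this article states.

```python
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 307, 308)

def expected_scheme(request_scheme, page_requires_ssl,
                    require_https_all, remove_ssl_when_not_required):
    """Protocol a page should be served under, per the rules in this article."""
    if require_https_all:              # RequireHttpsForAllRequests overrides all other settings
        return "https"
    if page_requires_ssl:              # page-level Require SSL (or the backend login page)
        return "https"
    if remove_ssl_when_not_required:   # pages without Require SSL go back to http://
        return "http"
    return request_scheme              # setting disabled: keep the protocol the visitor came with

def served_scheme(obs):
    """Protocol actually served: the redirect target's scheme, else the request's."""
    request = urlsplit(obs["url"]).scheme
    if obs["status"] in REDIRECTS and obs.get("location"):
        # A relative Location header has no scheme and stays on the request's protocol.
        return urlsplit(obs["location"]).scheme or request
    return request

def audit(observations, ssl_pages, require_https_all, remove_ssl_when_not_required):
    """Return (url, expected, served) for every response that breaks the rule."""
    findings = []
    for obs in observations:
        parts = urlsplit(obs["url"])
        want = expected_scheme(parts.scheme, parts.path in ssl_pages,
                               require_https_all, remove_ssl_when_not_required)
        got = served_scheme(obs)
        if got != want:
            findings.append((obs["url"], want, got))
    return findings

# Constructed observations, e.g. collected from response headers of test requests.
SAMPLE = [
    {"url": "http://example.test/login", "status": 301,
     "location": "https://example.test/login"},
    {"url": "http://example.test/news", "status": 200, "location": None},
    {"url": "https://example.test/news", "status": 200, "location": None},
    {"url": "http://example.test/checkout", "status": 200, "location": None},
]
SSL_PAGES = {"/login", "/checkout"}    # pages configured with Require SSL (constructed)

if __name__ == "__main__":
    for url, want, got in audit(SAMPLE, SSL_PAGES, False, True):
        print(f"{url}: expected {want}, served over {got}")
```

Findings where https was expected but http was served are the ones to fix first, because those pages still transfer data in clear text.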
Copyright © 2019 Progress Software Corporation and/or its subsidiaries or affiliates.
All Rights Reserved.