I have a self hosted WEB API project that needs to run over HTTPS only.
I found several articles how to do that (get SSL certificate, bind the certificate to the IP/Port using 'netsh' command, change base address to HTTPS://..., etc).
All looks good so far and I can call the service over HTTPS.
But I also need to explicitly reject all HTTP calls. When I try to call the service using HTTP I am getting '504 Timeout" error. And it takes a while to get a response from the service, it's possible to get Denial of Service.
I tried to apply a custom attribute that will check if the request comes over HTTPS but that code is never reached.
What do i need to do in order to reject HTTP calls. Again it's a self host WEB API project.
I am not hosting WEB API in IIS. It's a self hosted WEB API. Here's the code how I initialize it:
public class HttpsSelfHostConfiguration : HttpSelfHostConfiguration{ public HttpsSelfHostConfiguration(string baseAddress) : base(baseAddress) { } public HttpsSelfHostConfiguration(Uri baseAddress) : base(baseAddress) { } protected override BindingParameterCollection OnConfigureBinding(HttpBinding httpBinding) { if (BaseAddress.ToString().ToLower().Contains("https://")) { httpBinding.Security.Mode = HttpBindingSecurityMode.Transport; } return base.OnConfigureBinding(httpBinding); }}var url = "https://localhost:7080/";var config = new HttpsSelfHostConfiguration(url);config.Routes.MapHttpRoute("WebAPIRoute2", "api/{controller}/{action}/{id}", new { controller = "Submissions", id = RouteParameter.Optional });var server = new HttpSelfHostServer(config);server.OpenAsync().Wait();I also used the following commands to bind a SSL certificate to port 7080:
netsh http add urlacl url=https://+:7080/ user=Everyonenetsh http add sslcert ipport=0.0.0.0:7080 certhash=Thumbprint appid={xxxx}