I take advantage of GlobalFilters introduced in MVC 3. The default template for your Global.asax.cs file has a method called RegisterGlobalFilters. I’ve cloned this method as:
    // Filters that should only be active outside the developer's machine.
    public static void RegisterProductionOnlyFilters(GlobalFilterCollection filters)
    {
        filters.Add(new RequireHttpsAttribute());
    }
This method is then called in Application_Start() as follows:
    var requestIsLocal = false;
    try
    {
        requestIsLocal = this.Context.Request.IsLocal;
    }
    // If the request isn't available (IIS in integrated mode throws an HttpException
    // from System.Web here; a missing context surfaces as a NullReferenceException),
    // we catch the exception and know we're on prod/staging.
    catch (HttpException) { }
    catch (NullReferenceException) { }

    if (!requestIsLocal)
    {
        RegisterProductionOnlyFilters(GlobalFilters.Filters);
    }
Now the RequireHttpsAttribute is applied as a global filter, but only when not running on localhost. To complete the picture, we use Web.config transformations to add requireSSL="true" to our auth and session cookies (that is, to all cookies created server-side), so the browser will only send them back over HTTPS.
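The same rule can also be evaluated on every request rather than once at startup. The following is an added example, not code from the original post: a hypothetical RequireHttpsUnlessLocalAttribute that subclasses RequireHttpsAttribute and only lets loopback requests through, registered in place of the conditional startup logic. It assumes MVC 3 and the default Global.asax.cs layout. Two caveats apply to either approach: Request.IsLocal is also true when a request originates from the server's own IP address, so a reverse proxy on the same machine makes every request look local; and RequireHttpsAttribute decides based on Request.IsSecureConnection, which is false behind a proxy that terminates TLS, so the filter would redirect endlessly in that topology.

```csharp
using System;
using System.Web.Mvc;

// Added example (not the post's own code): per-request variant of the startup check.
// Hypothetical name; behaves exactly like RequireHttpsAttribute except for local requests.
public class RequireHttpsUnlessLocalAttribute : RequireHttpsAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        // IsLocal is true for 127.0.0.1 and for requests coming from the server's own
        // address, so this deliberately only relaxes the rule on the developer's box.
        if (filterContext.HttpContext.Request.IsLocal)
        {
            return;
        }

        // Everything else gets the stock behaviour: GET requests are redirected to the
        // https:// equivalent, other verbs are rejected with an InvalidOperationException.
        base.OnAuthorization(filterContext);
    }
}

// Registration as it would appear in Global.asax.cs; no startup try/catch is needed
// because the decision is taken when a request is actually in hand.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new RequireHttpsUnlessLocalAttribute());
    }
}
```

Because the check runs per request, the origin of the very first request that warms up the application no longer decides whether production traffic is forced onto HTTPS.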
    <system.web>
      <authentication mode="Forms">
        <forms requireSSL="true" xdt:Transform="SetAttributes(requireSSL)" />
      </authentication>
      <httpCookies requireSSL="true" xdt:Transform="InsertAfter(/configuration/system.web/authentication)" />
    </system.web>
Voila, our actions and cookies are now protected, but only when running in our production and staging environments.
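A startup self-check for the transform above, added here as an example and not part of the original post. It reads the effective configuration through FormsAuthentication.RequireSSL and HttpCookiesSection.RequireSSL and, on non-local environments, throws when either cookie may still be sent over plain HTTP, so a transform that was misspelled or never applied fails the deployment instead of silently shipping insecure cookies. The class and method names are my own; the requestIsLocal argument is the same value the post computes in Application_Start.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Configuration;
using System.Web.Security;

// Added example (not the post's own code): verify that the Web.config transform took effect.
public static class SecureCookiePolicyCheck
{
    // Returns one message per insecure setting; empty when both cookies require SSL.
    public static string[] FindInsecureSettings()
    {
        var problems = new List<string>();

        // <forms requireSSL="true"> surfaces as FormsAuthentication.RequireSSL.
        if (!FormsAuthentication.RequireSSL)
        {
            problems.Add("forms authentication cookie is not marked requireSSL");
        }

        // <httpCookies requireSSL="true"> surfaces as HttpCookiesSection.RequireSSL.
        var cookies = WebConfigurationManager.GetSection("system.web/httpCookies") as HttpCookiesSection;
        if (cookies == null || !cookies.RequireSSL)
        {
            problems.Add("httpCookies requireSSL is not set, so session and other server-side cookies may go out over HTTP");
        }

        return problems.ToArray();
    }

    // Call from Application_Start right after the filter registration, passing the
    // same requestIsLocal flag: developers keep plain HTTP, prod/staging must be secure.
    public static void EnforceOnProduction(bool requestIsLocal)
    {
        if (requestIsLocal)
        {
            return;
        }

        var problems = FindInsecureSettings();
        if (problems.Length > 0)
        {
            throw new InvalidOperationException(
                "Insecure cookie configuration: " + string.Join("; ", problems));
        }
    }
}
```

Failing at startup is deliberate: an application that refuses to start is noticed immediately, whereas a cookie quietly sent over HTTP is not.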