Hi,
I have recently moved my entire site over to HTTPS. I use rewriting in the Global.asax file to do this, inside the Application_BeginRequest block. The code basically checks if the request is http and, if it is, does a redirect, adding 301 headers:

    // r is the current request (the original snippet used r without declaring it)
    var r = HttpContext.Current.Request;

    if (!HttpContext.Current.Request.IsSecureConnection)
    {
        // Discard anything already written and send a permanent redirect to the https: URL
        HttpContext.Current.Response.Clear();
        HttpContext.Current.Response.Buffer = true;
        HttpContext.Current.Response.Status = "301 Moved Permanently";
        HttpContext.Current.Response.AddHeader("Location", GetWebsiteUrl() + r.Path);
        HttpContext.Current.Response.End();
    }
...so this all works great. However, now I need to get HSTS working. To do this I have added the following lines of code, which only apply to the response once it has been 301'd or is already on https:

    // Only send the HSTS header on https: responses (browsers ignore it over plain http)
    if (HttpContext.Current.Request.Url.Scheme == "https")
    {
        HttpContext.Current.Response.AddHeader("Strict-Transport-Security", "max-age=31536000");
    }

...so this also seems to work fine. BUT the problem is that now, every time someone requests the http: version of a page, the browser sends them straight to the https: version with a 307 internal redirect, which means the 301 is not being applied anymore... Which I think is a problem?
Can anyone explain if I am doing something wrong here or am missing something?
Thanks in advance,
Chris
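To make that 307 behaviour concrete, here is an added Python model of the browser-side HSTS policy cache described in RFC 6797; it is not code from the question, and the hostnames and header values it is exercised with are constructed. It goes slightly beyond the question's single header by also handling includeSubDomains, expiry and max-age=0.

```python
# Added example (not the question's code): a minimal model of a browser's HSTS
# policy cache per RFC 6797, showing why an http:// URL is upgraded client-side
# (the 307 "internal redirect") once the site has been seen over HTTPS.
import time
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if the header is unusable."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name.strip().lower() == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)   # max-age is required

class HstsCache:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._policies = {}        # host -> (expires_at, include_subdomains)

    def observe(self, url, headers):
        """Learn a policy from a response; only HTTPS responses may set one."""
        parts = urlsplit(url)
        parsed = parse_hsts(headers.get("Strict-Transport-Security", ""))
        if parts.scheme != "https" or parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self._policies.pop(parts.hostname.lower(), None)  # max-age=0 clears it
        else:
            self._policies[parts.hostname.lower()] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        # True if host, or a parent marked includeSubDomains, has a live policy
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy and policy[0] > self._now() and (i == 0 or policy[1]):
                return True
        return False

    def upgrade(self, url):
        # URL the browser actually fetches: http:// becomes https:// if the host is known
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url             # no policy yet: the request reaches the server's 301
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Once `observe` has seen one https: response carrying the header, `upgrade` rewrites every later http: URL before any request is sent, which is exactly the 307 the browser shows; the server's 301 is therefore only ever seen by a visitor with no cached policy.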