Use HTTPS on all your Sitecore instances

Current version: 8.1

Using HTTP does not protect data from interception or alteration; therefore, it is best practice to use HTTPS for both your content management and content delivery environments. Sitecore does not include configured HTTPS bindings out of the box.

To enable HTTPS on your Sitecore environments:

  1. Ensure you have X.509 certificates from a Certificate Authority.

  2. Create the associated bindings on your Sitecore IIS instances.

  3. To ensure that all traffic is served over SSL/TLS, open the Sitecore web.config file and edit the <system.web> section so that it includes the <httpCookies> element with these attributes:

    <system.web>
        <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
    </system.web>

This configuration:

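  • Ensures that cookies are secure across your site: requireSSL="true" marks them so that the browser sends them only over HTTPS.

  • Ensures that a client-side script cannot read the cookies (httpOnlyCookies="true").

  • Prevents any additional configuration from overriding these settings (lockItem="true").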
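
To confirm that the setting is in place and taking effect, the following added example (not Sitecore's own code) audits a web.config for the three attributes above and checks Set-Cookie response headers for the resulting Secure and HttpOnly flags. The function names, sample configs and sample headers are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute values taken from the <httpCookies> element shown above.
REQUIRED = {"httpOnlyCookies": "true", "requireSSL": "true", "lockItem": "true"}

def audit_web_config(xml_text):
    """Return a list of problems with <httpCookies>; an empty list means compliant."""
    root = ET.fromstring(xml_text)
    # Accept a full web.config or a bare <system.web> fragment.
    sysweb = root if root.tag == "system.web" else root.find("system.web")
    node = sysweb.find("httpCookies") if sysweb is not None else None
    if node is None:
        return ["<httpCookies> is missing from <system.web>"]
    return [f'{name} should be "{want}", found {node.get(name)!r}'
            for name, want in REQUIRED.items() if node.get(name) != want]

def audit_set_cookie(header_values):
    """Map cookie name -> missing flags, given raw Set-Cookie header values."""
    weak = {}
    for value in header_values:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [f for f in ("secure", "httponly") if f not in flags]
        if missing:
            weak[name] = missing
    return weak

# Constructed sample inputs (not taken from a real Sitecore instance).
GOOD_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
  </system.web>
</configuration>"""
WEAK_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="false" />
  </system.web>
</configuration>"""
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; secure; HttpOnly",
    "example_pref=dark; expires=Wed, 01 Jan 2031 00:00:00 GMT; path=/",
]

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_web_config(cfg) or "OK")
    print(audit_set_cookie(SAMPLE_HEADERS))
```
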

For more information about configuring HTTPS bindings to an IIS website, visit:
