Platform Administration and Architecture

Enable HTTPS for core roles

Applies to: All core roles

Sitecore Installation Framework: HTTPS is not enabled by default.

Azure Toolkit: HTTPS is enabled by default for the Content Management role only.

Using HTTP does not protect data from interception or alteration; therefore, it is best practice to use HTTPS for both your content management and content delivery environments.

Important

Sitecore does not include configured HTTPS bindings out of the box.

To enable HTTPS on your Sitecore environments:

  1. Ensure you have X.509 certificates from a Certificate Authority.

  2. Create the associated bindings on your Sitecore IIS instances.

  3. To ensure that all traffic is served over SSL/TLS, open the Sitecore web.config file and edit the <system.web> section to include the <httpCookies> element with these attributes:

    <system.web>
        <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
    </system.web>
    

This configuration:

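  • Ensures that cookies are secure across your site: requireSSL="true" marks them Secure, so browsers send them only over HTTPS.

  • Ensures that a client-side script cannot read the cookies (httpOnlyCookies="true").

  • Prevents any additional configuration from overriding these settings (lockItem="true").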
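
One way to check a deployed web.config against step 3, for example in a release pipeline. This is an added example, not Sitecore's own tooling; the function names and the two sample configurations are constructed for illustration, and the <location> check goes slightly beyond the page by flagging sub-path overrides that switch a cookie flag off.

```python
import xml.etree.ElementTree as ET

REQUIRED = ("httpOnlyCookies", "requireSSL", "lockItem")

# Constructed sample inputs (not taken from a real Sitecore install).
HARDENED = """<configuration><system.web>
  <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
</system.web></configuration>"""

WEAK = """<configuration>
  <system.web><httpCookies httpOnlyCookies="true" requireSSL="false" /></system.web>
  <location path="legacy"><system.web>
    <httpCookies httpOnlyCookies="false" />
  </system.web></location>
</configuration>"""

def _is_true(value):
    return (value or "").strip().lower() == "true"

def _http_cookies(parent):
    """Yield each <httpCookies> directly under a <system.web> child of parent."""
    for section in parent:
        if section.tag == "system.web":
            yield from (e for e in section if e.tag == "httpCookies")

def audit_http_cookies(web_config_xml):
    """Return findings; an empty list means the file matches step 3."""
    root = ET.fromstring(web_config_xml)
    findings = []
    top = list(_http_cookies(root))
    if not top:
        findings.append("system.web/httpCookies is missing")
    for element in top:
        for name in REQUIRED:
            if not _is_true(element.get(name)):
                findings.append(f"{name}={element.get(name)!r}, expected 'true'")
    # Flag any <location> override that explicitly switches a cookie flag off.
    for location in (child for child in root if child.tag == "location"):
        for element in _http_cookies(location):
            for name in ("httpOnlyCookies", "requireSSL"):
                value = element.get(name)
                if value is not None and not _is_true(value):
                    findings.append(
                        f"location {location.get('path')!r} sets {name}={value!r}")
    return findings

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_http_cookies(sample) or "OK")
```
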

For more information about configuring HTTPS bindings to an IIS website, visit: