Enforce HTTPS for Core roles
Applies to | All Core roles
Sitecore Installation Framework | HTTPS is not enforced by default.
Azure Toolkit | HTTPS is enforced by default for the Content Management role only.
Using HTTP does not protect data from interception or alteration. Therefore, it is best practice to use HTTPS for both your content management and content delivery environments.
Sitecore does not include configured HTTPS bindings out of the box.
To enforce HTTPS on your Sitecore environments:
- Ensure you have X.509 certificates from a Certificate Authority.
- In the Internet Information Services (IIS) Manager, right-click the Core role site and click Edit bindings to open the Site Bindings window.
- Click Add to open the Add Site Binding window.
- Select https as the binding type.
- Enter the domain and top-level domain of the website in the Host name field, for example, sitecore.com.
- Choose an X.509 certificate from the SSL certificate menu.
- Click OK to close the Add Site Binding window and click Close to close the Site Bindings window.
- To ensure that all traffic is served over SSL/TLS, open the Sitecore web.config file and edit the <system.web> section to include these attributes:

    <system.web>
      <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
    </system.web>

- To specify the protocol+domain+port part of URLs only in the AllowedCorsOrigins section, use the {AllowedCorsOrigin} token in Config\Sitecore.IdentityServer.Host.xml:

    <?xml version="1.0" encoding="utf-8"?>
    <Settings>
      <Sitecore>
        <IdentityServer>
          <Clients>
            <DefaultClient>
              ...
              <AllowedCorsOrigins>
                <AllowedCorsOriginsGroup1>https://host1|http://host1</AllowedCorsOriginsGroup1>
                <AllowedCorsOriginsGroup2>https://host2</AllowedCorsOriginsGroup2>
                <AllowedCorsOriginsGroup3>https://host3</AllowedCorsOriginsGroup3>
              </AllowedCorsOrigins>
              ...
Sitecore expands the RedirectUri* and PostLogoutRedirectUri* node values that contain the {AllowedCorsOrigin} token so that they are allowed for every origin specified in the AllowedCorsOrigins list.
This configuration:
- Ensures that cookies are only sent over secure connections across your site (requireSSL).
- Ensures that a client-side script cannot read the cookies (httpOnlyCookies).
- Prevents any additional configuration from overriding these settings (lockItem).
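As an added illustration of the {AllowedCorsOrigin} token expansion described above (example code, not Sitecore's own), this Python snippet parses a constructed DefaultClient fragment, expands every token the way the text describes, and flags any origin in the AllowedCorsOrigins list that is not https://, since an HTTP origin left there would allow redirects over plain HTTP. The RedirectUri*/PostLogoutRedirectUri* node names and callback paths in the sample are assumptions.

```python
import xml.etree.ElementTree as ET

TOKEN = "{AllowedCorsOrigin}"

# Constructed sample modelled on the Config\Sitecore.IdentityServer.Host.xml
# fragment above; the RedirectUri*/PostLogoutRedirectUri* paths are assumptions.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<Settings><Sitecore><IdentityServer><Clients><DefaultClient>
  <AllowedCorsOrigins>
    <AllowedCorsOriginsGroup1>https://host1|http://host1</AllowedCorsOriginsGroup1>
    <AllowedCorsOriginsGroup2>https://host2</AllowedCorsOriginsGroup2>
  </AllowedCorsOrigins>
  <RedirectUris>
    <RedirectUri1>{AllowedCorsOrigin}/identity/externallogincallback</RedirectUri1>
  </RedirectUris>
  <PostLogoutRedirectUris>
    <PostLogoutRedirectUri1>{AllowedCorsOrigin}/identity/postexternallogout</PostLogoutRedirectUri1>
  </PostLogoutRedirectUris>
</DefaultClient></Clients></IdentityServer></Sitecore></Settings>"""

def load_client(xml_text: str) -> ET.Element:
    """Return the DefaultClient element of an Identity Server host config."""
    return ET.fromstring(xml_text).find("Sitecore/IdentityServer/Clients/DefaultClient")

def allowed_origins(client: ET.Element) -> list[str]:
    """Each AllowedCorsOriginsGroup* value may hold several '|'-separated origins."""
    origins = []
    for group in client.find("AllowedCorsOrigins"):
        origins.extend(o.strip() for o in (group.text or "").split("|") if o.strip())
    return origins

def expand_redirects(client: ET.Element) -> list[str]:
    """Replace the token in every RedirectUri*/PostLogoutRedirectUri* node with
    each allowed origin, mirroring the expansion the page says Sitecore performs."""
    origins = allowed_origins(client)
    expanded = []
    for node in client.iter():
        if node.text and TOKEN in node.text and node.tag.startswith(
            ("RedirectUri", "PostLogoutRedirectUri")
        ):
            expanded.extend(node.text.replace(TOKEN, origin) for origin in origins)
    return expanded

def insecure_origins(client: ET.Element) -> list[str]:
    """Origins that are not https://, so redirects expanded from them run over HTTP."""
    return [o for o in allowed_origins(client) if not o.lower().startswith("https://")]

if __name__ == "__main__":
    client = load_client(SAMPLE_XML)
    print(expand_redirects(client), "non-HTTPS origins:", insecure_origins(client))
```

Point load_client at your own Config\Sitecore.IdentityServer.Host.xml to check that no http:// origin survives after enforcing HTTPS.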
For more information about configuring HTTPS bindings to an IIS website, visit: