Enforce HTTPS for Core roles

Version: 9.3

Applies to

All Core roles

Sitecore Installation Framework

HTTPS is enforced by default for all roles except Content Delivery.

Azure Toolkit

HTTPS is enforced by default for the Content Management role only.

Using HTTP does not protect data from interception or alteration. Therefore, it is best practice to use HTTPS for both your content management and content delivery environments.

Important

Sitecore does not include configured HTTPS bindings out of the box.

To enforce HTTPS on your Sitecore environments:

  1. Ensure you have X.509 certificates from a Certificate Authority.

  2. In the Internet Information Services (IIS) Manager, right click on the Core role site and click Edit bindings to open the Site Bindings window.

  3. Click Add to open the Add Site Binding window.

  4. Click https as the binding type.

  5. Enter the domain and top level domain of the website in the Host name field. For example, sitecore.com.

  6. Choose a X.509 certificate from the SSL certificate menu.

  7. Click OK to close the Add Site Binding window and click Close to close the Site Bindings window.

  8. To ensure that all traffic is served over SSL/TLS, open the Sitecore web.config file and edit the <system.web> section to include these attributes:

    RequestResponse
    <system.web>
        <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
    </system.web>
    
  9. To  specify a protocol+domain+port part of URLs only in the AllowedCorsOrigins section, use the {AllowedCorsOrigin} token in the Config\Sitecore.IdentityServer.Host.xml:

    RequestResponse
    <?xml version="1.0" encoding="utf-8"?>
    <Settings>
      <Sitecore>
        <IdentityServer>
          <Clients>
            <DefaultClient>
              ...
              <AllowedCorsOrigins>
                <AllowedCorsOriginsGroup1>https://host1|http://host1</AllowedCorsOriginsGroup1>
                <AllowedCorsOriginsGroup2>https://host2</AllowedCorsOriginsGroup2>
                <AllowedCorsOriginsGroup3>https://host3</AllowedCorsOriginsGroup3>
              </AllowedCorsOrigins>
              ...

    Sitecore expands the RedirectUri* and the PostLogoutRedirectUri* node values with {AllowedCorsOrigin} tokens to be allowed for every origin specified in the AllowedCorsOrigins list.

This configuration:

  • Ensures that cookies are secure across your site.

  • Ensures that a client-side script cannot read the cookies.

  • Prevents any additional configuration from overriding these settings.

For more information about configuring HTTPS bindings to an IIS website, visit:

Do you have some feedback for us?

If you have suggestions for improving this article,