
Startup.cs security measures

I would like to know whether I am
(a) engaging in good coding practices,
(b) repeating myself harmlessly, or
(c) adding inefficient redundancies

For example:
1) In Configure() I can add RewriteOptions().AddRedirectToHttps();
2) In ConfigureServices() I can add services.Configure<MvcOptions>(options => { options.Filters.Add(new RequireHttpsAttribute()); });

Another example:
1) In Configure() I can add app.UseAuthentication();
2) In ConfigureServices() I can add .RequireAuthenticatedUser() to my AddMvc() call.

It seems in both examples that I can get away with just one call. Am I free and clear to keep only one call? And if so, which one is the better to keep?

I've searched around a fair bit and I can see all of these approaches in use, but I haven't found a resource that compares the relative merits of these calls, let alone indicates whether it's good or bad practice to use them together.

To take your first example:

1) In Configure() I can add RewriteOptions().AddRedirectToHttps();

2) In ConfigureServices() I can add services.Configure<MvcOptions>(options => { options.Filters.Add(new RequireHttpsAttribute()); });

Both of these achieve essentially the same thing - they will redirect HTTP requests to HTTPS. The difference is which requests they are applied to.

If you use the rewriter middleware, all requests that make it to the middleware will be redirected to HTTPS.

public void Configure(IApplicationBuilder app)
{
    app.UseStaticFiles(); // Requests handled by this middleware won't be redirected to HTTPS

    var options = new RewriteOptions()
       .AddRedirectToHttps();

    app.UseRewriter(options); // All requests that make it this far will be redirected from HTTP to HTTPS

    app.UseMvc(); // Requests guaranteed to be HTTPS
}

In the second case, where you use a global filter to apply the RequireHttpsAttribute, only requests that make it to the MvcMiddleware will be redirected to HTTPS.

In terms of best practices, I recommend using the rewriter middleware - you can add it to the start of your middleware pipeline, and then all of your requests are required to use HTTPS, instead of just the requests that make it to the MVC middleware.


In your second example, the two methods actually do different things:

  • app.UseAuthentication() - authenticates the request, and sets the User associated with the request by, e.g., deserializing the user principal stored in the cookie
  • RequireAuthenticatedUser() - requires that a User has logged in before action methods on your controllers are called. If the user hasn't logged in, they are redirected to the login page. In this case, you must call app.UseAuthentication() before app.UseMvc(), otherwise the User for the request will not be set even if you've logged in, and you will be redirected to the login page.
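The following Startup class is an added example (it is not code from the question or the answer above) that puts both recommendations together in one pipeline: the rewriter redirect sits at the very start of Configure() so that static files and everything downstream only ever see HTTPS, and app.UseAuthentication() runs before app.UseMvc() so that the global AuthorizeFilter sees a populated User. It assumes ASP.NET Core 2.x with cookie authentication; the "/Account/Login" path and the route template are placeholders. Note that what the question calls "adding .RequireAuthenticatedUser() to AddMvc()" is, concretely, a global AuthorizeFilter built from an AuthorizationPolicyBuilder, which is what this example registers.

```csharp
// Added example, not from the original post. Assumes ASP.NET Core 2.x and the
// Microsoft.AspNetCore.Rewrite, Microsoft.AspNetCore.Authentication.Cookies and
// Microsoft.AspNetCore.Mvc packages. "/Account/Login" is a placeholder path.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.AspNetCore.Rewrite;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.LoginPath = "/Account/Login";                   // placeholder
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // auth cookie is only sent over HTTPS
                options.Cookie.HttpOnly = true;                          // not readable from script
            });

        // "RequireAuthenticatedUser()" attaches to MVC as a global AuthorizeFilter
        // built from an authorization policy. It only works if UseAuthentication()
        // has already populated HttpContext.User by the time MVC runs.
        var requireLogin = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();

        services.AddMvc(options =>
        {
            options.Filters.Add(new AuthorizeFilter(requireLogin));
            // RequireHttpsAttribute is deliberately NOT added here: the rewriter
            // middleware in Configure() already covers every request, not just MVC.
        });
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // 1. HTTP -> HTTPS redirect first, so nothing downstream (static files
        //    included) is ever served over plain HTTP.
        app.UseRewriter(new RewriteOptions().AddRedirectToHttps());

        app.UseStaticFiles();

        // 2. Authentication before MVC, otherwise the AuthorizeFilter above sees an
        //    anonymous User and bounces every request to the login page.
        app.UseAuthentication();

        // 3. MVC last; every request reaching it is HTTPS and has User set.
        app.UseMvc(routes =>
        {
            routes.MapRoute("default", "{controller=Home}/{action=Index}/{id?}"); // placeholder route
        });
    }
}
```

Two practical notes. AddRedirectToHttps() with no arguments issues a 302 to the default HTTPS port, so during local development you typically pass the status code and the Kestrel HTTPS port (for example AddRedirectToHttps(301, 5001)) or the redirect will point at a port nothing is listening on. From ASP.NET Core 2.1 onwards the framework also ships app.UseHttpsRedirection() and app.UseHsts(), which do the same job as the rewriter rule here and read the port from configuration; the ordering argument in the answer applies unchanged to them.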
