Tutorials ASP.NET Core Complete Tutorial (ShopNest)

HTTPS, SSL Certificates and Security Best Practices

Learn HTTPS, SSL Certificates and Security Best Practices in our free ASP.NET Core Complete Tutorial (ShopNest) series. Step-by-step explanations, examples, and interview tips on Toolliyo Academy.

On this page
HTTPS, SSL Certificates and Security Best Practices — ShopNest
Article 35 of 75 · Module 4: Authentication & Security · ShopNest Production Deployment Security
Target keyword: https ssl asp.net core · Read time: ~28 min · .NET: 8 / 9 · Project: ShopNest Production Deployment Security

Introduction

Production ShopNest must enforce HTTPS, configure SSL certificates, set CORS for APIs, and apply rate limiting — this lesson covers dev certificates through Azure/IIS deployment.

After this article you will

  • Trust dev HTTPS certificate and enforce redirect
  • Configure HSTS and CSP headers
  • Understand Let's Encrypt vs commercial certs
  • Set CORS policy for ShopNest API
  • Enable .NET 8 rate limiting middleware

Prerequisites

Concept deep-dive

// Program.cs — production security baseline
if (!app.Environment.IsDevelopment())
{
    app.UseHsts();
    app.UseHttpsRedirection();
}

app.Use(async (ctx, next) =>
{
    ctx.Response.Headers["X-Content-Type-Options"] = "nosniff";
    ctx.Response.Headers["X-Frame-Options"] = "DENY";
    await next();
});

// CORS for SPA/mobile API
builder.Services.AddCors(options =>
    options.AddPolicy("ShopNestSpa", p => p
        .WithOrigins("https://app.shopnest.com")
        .AllowAnyHeader()
        .AllowCredentials()));

// Rate limiting (.NET 8)
builder.Services.AddRateLimiter(options =>
{
    options.AddFixedWindowLimiter("api", opt =>
    {
        opt.Window = TimeSpan.FromMinutes(1);
        opt.PermitLimit = 100;
    });
});
app.UseRateLimiter();

Certificates: Dev — dotnet dev-certs https --trust. Azure App Service — managed cert free. IIS — bind cert in IIS manager. nginx — reverse proxy with certbot/Let's Encrypt.

Hands-on — ShopNest Production Deployment Security

  1. Enable HTTPS redirect in ShopNest.Web.
  2. CORS policy for local React dev + production SPA origin.
  3. Rate limit /api/auth/login to 10 req/min.
  4. Document Azure App Service HTTPS binding steps.

Common errors & best practices

  • CORS AllowAnyOrigin with AllowCredentials — invalid and insecure.
  • HSTS in Development — breaks local HTTP testing if misconfigured.
  • Expired cert in production — monitor expiry alerts.

Interview questions

Q: HSTS purpose?
A: Tells browser to only use HTTPS for domain — prevents SSL strip attacks.

Q: CORS when needed?
A: Browser blocks cross-origin API calls unless server sends Access-Control-Allow-Origin.

Q: Rate limiting why?
A: Protects login and public API from abuse and DDoS-lite scraping.

Summary

  • HTTPS everywhere — redirect + HSTS in production
  • CORS explicitly whitelists SPA origins
  • Rate limiting protects auth and public endpoints
  • Certificate management differs by host (Azure/IIS/nginx)

Previous: Data Protection and Encryption
Next: Building REST APIs with ASP.NET Core

FAQ

Let's Encrypt on IIS?

Use win-acme or certbot with DNS validation for automated renewal.

IP whitelisting?

Middleware checks RemoteIpAddress against allow list for admin APIs.

Questions on this lesson 0

Sign in to ask a question or upvote helpful answers.

No questions yet — be the first to ask!

ASP.NET Core Complete Tutorial (ShopNest)
Course syllabus
Module 1: Foundations
Module 2: Entity Framework Core
Module 3: Dependency Injection & Middleware
Module 4: Authentication & Security
Module 5: Web API
Module 6: Advanced Architecture
Module 7: Testing
Module 8: Deployment & DevOps
Module 9: Real-World Projects
Module 10: Advanced Topics
Toolliyo Assistant
Ask about tutorials, ebooks, training, pricing, mentor services, and support. I use public site content only—not admin or internal tools.

care@toolliyo.com

Need callback? Share your details