Tutorials ASP.NET Core Complete Tutorial (ShopNest)
HTTPS, SSL Certificates and Security Best Practices
Learn HTTPS, SSL Certificates and Security Best Practices in our free ASP.NET Core Complete Tutorial (ShopNest) series. Step-by-step explanations, examples, and interview tips on Toolliyo Academy.
On this page
Introduction
Production ShopNest must enforce HTTPS, configure SSL certificates, set CORS for APIs, and apply rate limiting — this lesson covers dev certificates through Azure/IIS deployment.
After this article you will
- Trust dev HTTPS certificate and enforce redirect
- Configure HSTS and CSP headers
- Understand Let's Encrypt vs commercial certs
- Set CORS policy for ShopNest API
- Enable .NET 8 rate limiting middleware
Prerequisites
- Article 34 — Data Protection and Encryption
- ShopNest.Web with EF Core and configuration from Module 3
Concept deep-dive
// Program.cs — production security baseline
if (!app.Environment.IsDevelopment())
{
app.UseHsts();
app.UseHttpsRedirection();
}
app.Use(async (ctx, next) =>
{
ctx.Response.Headers["X-Content-Type-Options"] = "nosniff";
ctx.Response.Headers["X-Frame-Options"] = "DENY";
await next();
});
// CORS for SPA/mobile API
builder.Services.AddCors(options =>
options.AddPolicy("ShopNestSpa", p => p
.WithOrigins("https://app.shopnest.com")
.AllowAnyHeader()
.AllowCredentials()));
// Rate limiting (.NET 8)
builder.Services.AddRateLimiter(options =>
{
options.AddFixedWindowLimiter("api", opt =>
{
opt.Window = TimeSpan.FromMinutes(1);
opt.PermitLimit = 100;
});
});
app.UseRateLimiter();
Certificates: Dev — dotnet dev-certs https --trust. Azure App Service — managed cert free. IIS — bind cert in IIS manager. nginx — reverse proxy with certbot/Let's Encrypt.
Hands-on — ShopNest Production Deployment Security
- Enable HTTPS redirect in ShopNest.Web.
- CORS policy for local React dev + production SPA origin.
- Rate limit /api/auth/login to 10 req/min.
- Document Azure App Service HTTPS binding steps.
Common errors & best practices
- CORS AllowAnyOrigin with AllowCredentials — invalid and insecure.
- HSTS in Development — breaks local HTTP testing if misconfigured.
- Expired cert in production — monitor expiry alerts.
Interview questions
Q: HSTS purpose?
A: Tells browser to only use HTTPS for domain — prevents SSL strip attacks.
Q: CORS when needed?
A: Browser blocks cross-origin API calls unless server sends Access-Control-Allow-Origin.
Q: Rate limiting why?
A: Protects login and public API from abuse and DDoS-lite scraping.
Summary
- HTTPS everywhere — redirect + HSTS in production
- CORS explicitly whitelists SPA origins
- Rate limiting protects auth and public endpoints
- Certificate management differs by host (Azure/IIS/nginx)
Previous: Data Protection and Encryption
Next: Building REST APIs with ASP.NET Core
FAQ
Let's Encrypt on IIS?
Use win-acme or certbot with DNS validation for automated renewal.
IP whitelisting?
Middleware checks RemoteIpAddress against allow list for admin APIs.
Sign in to ask a question or upvote helpful answers.
No questions yet — be the first to ask!