Administration: Configure SSL
Secure Sockets Layer (SSL) is a protocol that provides communication security over the network. SSL is useful when you have sensitive information, such as login credentials or credit card information, transferred over the network.
Install the SSL certificate on your site
If your site requires the use of an SSL certificate, you must perform the following:
- Obtain an SSL certificate from an issuing authority.
- Install the SSL certificate on your IIS.
For more information, see How to set up SSL on IIS and How to implement SSL in IIS.
- Configure the http and https bindings for your site.
In the IIS Manager, select your site and in the right pane, click Bindings…
PREREQUISITES: Sitefinity CMS requires that you set up the http binding on port 80 and the https binding on port 443.
After you have set up and tested the certificate, you can configure any page, backend or frontend, to require the SSL certificate. We recommend that you require SSL on all frontend and backend login pages, where login credentials are transferred over the network.
Enforce SSL for the entire website
Serving the entire website content under the https:// protocol is the most common scenario when configuring SSL for Sitefinity CMS. It is not only the industry-recommended way to serve content more securely over the Internet, but can also be a required step if your website needs to pass HIPAA, PCI and other compliance checks. Sitefinity CMS enables you to enforce https:// for all website traffic from a central place: the RequireHttpsForAllRequests setting. To enable RequireHttpsForAllRequests, follow these steps:
- Click Administration » Settings » Advanced.
- In the treeview, click Security.
- Select the RequireHttpsForAllRequests checkbox in the right-hand side of the configuration screen.
- Click Save changes.
As a result, the entire website (both frontend and backend) is served under https://. Even if somebody requests a resource under http:// explicitly, it will be redirected internally and served under https://.
IMPORTANT: Enforcing SSL for the entire website via the RequireHttpsForAllRequests setting guarantees that any resource from the site is served under https://. Once this setting is enabled, you don't need to configure anything in addition, as RequireHttpsForAllRequests is the central mechanism for enforcing SSL and overrides all other settings. If, however, you want to serve only specific areas of your website under https:// while the rest remains under http://, you need to disable RequireHttpsForAllRequests and follow the instructions in the following paragraphs that describe enforcing partial SSL scenarios.
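One way to confirm that the setting took effect is to request pages over http:// without following redirects and check that each answer is a redirect to https:// on the same host. The following is an added example, not Sitefinity code; the function names, verdict labels and the host www.example.com are assumptions made for illustration.

```python
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def classify(status, location, host):
    """Judge the answer to one plain-http request for `host`."""
    if status in REDIRECT_CODES:
        target = urlsplit(location or "")
        # The redirect must switch to https and stay on the requested host;
        # a relative Location keeps the http scheme, so it does not count.
        if target.scheme == "https" and target.hostname == host.lower():
            return "enforced"
        return "wrong-redirect"
    if 200 <= status < 300:
        return "served-over-http"  # content was delivered without TLS
    return "error"

def check_url(url, timeout=5):
    """Request an http:// URL once, without following redirects."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("expected an http:// URL, got: " + url)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify(resp.status, resp.getheader("Location"), parts.hostname)
    finally:
        conn.close()

def audit(urls):
    """Return {url: verdict}; any verdict other than 'enforced' needs a look."""
    return {url: check_url(url) for url in urls}

if __name__ == "__main__":
    # Constructed responses (status, Location header) for an assumed host.
    samples = [
        (301, "https://www.example.com/login"),   # redirected to https
        (200, None),                              # page served over http
        (302, "/login"),                          # relative: still http
    ]
    for status, location in samples:
        print(status, location, "->", classify(status, location, "www.example.com"))
    # Against a live site you administer: audit(["http://<your-site>/", ...])
```

In the partial SSL scenarios described in the following sections, a "served-over-http" verdict is expected for pages that do not have Require SSL set, so run the audit only against the URLs that are meant to be protected.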
Configure the backend login page to require SSL
If your requirement is to have just the backend login page served under https://, while the rest of the site remains under http://, Sitefinity CMS enables you to specify that level of granularity. For this scenario, you must enable SSL only for the Authentication module via the Require Https setting. To achieve this, perform the following steps:
- Navigate to Administration -> Settings -> Advanced -> Authentication
- Click on the Require Https checkbox.
- Save the changes and restart the application
NOTE: The Require Https property enforces only the backend login page to be served under https://.
Configure only selected pages to require SSL
Some scenarios may require you to configure only selected pages to be served under the https:// protocol, while the rest continue to be served under the http:// protocol.
Every page created in Sitefinity CMS can be configured to be served explicitly under the https:// protocol. This behavior is controlled by the Require SSL property available in the page Advanced options. It is disabled by default. To enable it, perform the following steps:
- For all the pages that you want to require SSL, perform the following:
- On the Pages page, click the Actions link of the page that you want to require SSL.
- In the dropdown menu, click Titles & Properties.
- Expand Advanced options and select the Require SSL checkbox.
- Click Save changes.
In the scenario where you configure only certain frontend pages to Require SSL, and you have some frontend pages that will be served under the http:// protocol only, you need to configure Sitefinity CMS to allow for the transition between the two protocols. To enable frontend pages that have not been explicitly configured to Require SSL to be served under http:// only, perform the following steps:
- Click Administration » Settings » Advanced.
- In the treeview, click System » Site URL Settings.
- Select the Remove ssl when the page does not require it checkbox.
- Click Save changes.
Configure all frontend pages to require SSL
In case you want to enable SSL for the website frontend only, and keep the rest of the site served under http://, you must set the Require SSL property to true for all frontend pages. To automate the task you can execute the following code:
Additionally, you must disable the Remove ssl when the page does not require it setting, to ensure that Sitefinity CMS will not allow serving pages under http:// when they have not been explicitly configured to Require SSL. This way you can enforce the https:// protocol for the whole site frontend. For example, if the Remove ssl when the page does not require it setting is disabled, even if someone adds a new page and forgets to enable RequireSSL, as long as users are navigating to that new page from an https:// page, the new page will get served under https://. To configure this behavior, perform the following:
- Click Administration » Settings » Advanced.
- In the treeview, click System » Site URL Settings.
- Deselect the Remove ssl when the page does not require it checkbox.
- Click Save changes.
Configure backend pages to require SSL
To configure only the Sitefinity CMS administrative UI (backend) pages to require SSL, perform the following:
- Open the IIS Manager and select your site.
- In the central pane, click SSL Settings.
- Deselect the Require SSL checkbox and select the Ignore radio button.
- In the right pane, click Apply.
- Open the web.config file.
- Configure the wsFederation node in the following way:
- Open the SecurityConfig.config file.
- Under <securityTokenIssuers>, insert an additional https binding in the following way:
NOTE: The key above is an example. You must add the same key that is used in the other security token issuers.
IMPORTANT: Do not remove the existing issuer binding to http://localhost
- Click Administration » Settings » Advanced » ContentView » Controls » BackendPages » Views » BackendPagesEdit » Sections » SEOSection » Fields » SEOTitle » Validation.
- Delete the regular expression: ^[\p{L}\-\!\(\)\=\@\d_\'\.\&\|\/\+\#\>\<]+$ and save your changes.
- Click Administration » Backend Pages » OK, Continue.
- Click the Actions link of the page that you want to secure.
- In the dropdown menu, click Titles & Properties.
- Expand Advanced options and select the Require SSL checkbox.
- Click Save changes.
- Paste again the regular expression from Step 10 and save your changes.
NOTE: You might need to change the Relying Parties configuration, especially when you have Load Balancing configured, so that users avoid getting a Redirect Loop when they try to log in to the backend. For more information, see Configure Security.
NOTE: To secure the backend login page you must follow the instructions for configuring the backend login page to require SSL, provided earlier in this article.