We recommend that you set up a secure sockets layer (SSL) for the Web Application and follow the best practices for your web server to make sure that everything is in order and up-to-date. The following instructions guide you through configuring the SSL certificate in IIS and redirecting HTTP traffic to HTTPS.
Note: Make sure that certificates include a Subject Alternative Name (SAN) so that web browsers mark the site as secure.
Configuring the SSL certificate
- Open the IIS Manager.
- Select the Web Server node in the left sidebar, under Start Page, and double-click Server Certificates in the middle pane.
- In the Actions pane, select an action to import an existing .pfx SSL certificate or to create a self-signed certificate. If your certificate is in a format other than .pfx, refer to the documentation or tools provided by your certificate authority to convert certificates to .pfx format.
- Select your website under Sites in the left sidebar (usually Default Web Site), and then click Bindings... in the Actions pane on the right.
- In the Site Bindings dialog box, click Add, select https from the Type dropdown, and then select the certificate you added in Step 3 from the SSL certificate list. Click OK.
- The Host name and Require Server Name Indication fields can be left empty if this is the first certificate installed on the server.
Redirecting HTTP traffic to HTTPS
It's recommended that you redirect HTTP traffic to HTTPS in order to prevent security breaches and protect sensitive information, e.g., application credentials, from being intercepted.
To redirect HTTP traffic to HTTPS:
- In the IIS Manager, select Default Web Site in the left sidebar.
- Double-click on URL Rewrite.
- Select the HTTP to HTTPS redirect rule folder. Make sure it's positioned at the top of the list.
- In the Actions panel on the right, select Enable rule.
- Restart the web server. From then on, all HTTP requests are automatically redirected to HTTPS.
We also recommend adding the Strict-Transport-Security HTTP header configuration for improved security.