Using HTTPS is only a first line of defense (it does not provide end-to-end encryption – only front-server-to-front-server encryption), but it is a good start.
Therefore it's useful to have a way to ensure that all communications with the server are over HTTPS.
using System;
using System.Linq;
using System.Net.Http;
using System.Web.Http.Filters;
using System.Web.Http.Controllers;
namespace WebAPI
{
/// <summary>
/// Action filter that refuses to run an action unless the request URI uses the
/// <c>https</c> scheme.
/// </summary>
/// <remarks>
/// The check runs on the server after the request has been received, so it stops
/// the action from executing but cannot protect anything the client already sent
/// over plain HTTP (headers, tokens, body). Treat it as an enforcement backstop,
/// not as a substitute for serving the API on HTTPS only.
/// NOTE(review): if TLS is terminated by a load balancer or reverse proxy in front
/// of this application, <c>RequestUri.Scheme</c> may be <c>http</c> for requests the
/// client sent over HTTPS; confirm against the deployment.
/// NOTE(review): as an action filter this presumably runs after authorization
/// filters in the Web API pipeline; confirm that ordering is acceptable here.
/// </remarks>
public class CustomHttpsAttribute : ActionFilterAttribute
{
    /// <summary>
    /// Inspects the scheme of the incoming request and short-circuits with a
    /// 400 Bad Request response when it is anything other than HTTPS.
    /// </summary>
    /// <param name="actionContext">Context of the action about to execute; its
    /// <c>Response</c> is set when the request is rejected.</param>
    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        var requestScheme = actionContext.Request.RequestUri.Scheme;

        // Scheme comparison is case-insensitive and culture-independent.
        var isSecure = string.Equals(requestScheme, "https", StringComparison.OrdinalIgnoreCase);
        if (isSecure)
        {
            // Leave Response unset so the action executes normally.
            return;
        }

        // Assigning a response here is what prevents the action from running.
        // NOTE(review): 403 Forbidden is the more usual status for this rejection;
        // 400 is kept because existing clients may depend on it.
        var rejection = new HttpResponseMessage(System.Net.HttpStatusCode.BadRequest);
        rejection.Content = new StringContent("HTTPS Required");
        actionContext.Response = rejection;
    }
}
}