I found two different rewrite rules to force HTTPS for IIS hosted websites. I have a site that will be hosted on an Azure App Service that will use this rule.
Option 1:
<rewrite>
<rules>
<rule name="Force HTTPS" enabled="true">
<match url="(.*)" ignoreCase="false" />
<conditions>
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
Option 2:
<rewrite>
<rules>
<rule name="Redirect to https">
<match url="(.*)"/>
<conditions>
<add input="{HTTPS}" pattern="Off"/>
<add input="{REQUEST_METHOD}" pattern="^get$|^head$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent"/>
</rule>
</rules>
</rewrite>
Questions:
- What is the reason for ignoreCase set to false in Option 1?
- Does the REQUEST_METHOD input limit the security to just GET and HEAD in Option 2?
- Does the appendQueryString="true" keep the query string on redirect?
- Is there any other options to consider that isn't part of either?
I recommend read the official documentation:
https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/url-rewrite-module-configuration-reference
You can find it the all attributes explication.
ignoreCase – Use this attribute to control whether pattern matching for the condition should be case sensitive or case insensitive.
appendQueryString – Specifies whether the query string from the current URL should be preserved during substitution. By default, if the AppendQueryString flag is not specified, it is assumed to be TRUE. This means that the query string from the original URL is appended to the substituted URL.