Secure Umbraco Back-office logins
It is often a requirement to connect to CMS back-office or admin areas using the HTTPS protocol. HTTPS uses SSL to encrypt the connection, using an SSL certificate that can be purchased from one of the many companies that act as certificate authorities.
Once a certificate is installed on the server and bound to the site that we wish to secure, we need to force all back-office logins to use SSL. This can be done in the following manner:
- Update web.config's appSettings section so the following key is added:
  <add key="umbracoUseSSL" value="true" />
  This causes Umbraco to disable back-office logins unless HTTPS is used, but it won't redirect the visitor to the HTTPS protocol.
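- To redirect the visitor to an HTTPS login, add the following entry to web.config's system.webServer > rewrite > rules section:
  <!-- The pattern is anchored with ^ so that only paths starting with "umbraco" are redirected;
       unanchored, it would also match URLs that merely contain "umbraco". -->
  <rule name="Redirect /umbraco to SSL" patternSyntax="ECMAScript" stopProcessing="true">
    <match url="^umbraco.*" />
    <conditions>
      <!-- Only act on requests that arrived over plain HTTP -->
      <add input="{HTTPS}" pattern="Off" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:0}" />
  </rule>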
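One way to confirm that both steps are actually present in a site's web.config, as an added example (not from the original page or the Umbraco project). The function names and the sample configuration are constructed for illustration, and Python's regex engine stands in for IIS's ECMAScript pattern syntax.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: step 1 applied, step 2 (the redirect rule) forgotten.
SAMPLE_STEP1_ONLY = """<configuration>
  <appSettings><add key="umbracoUseSSL" value="true" /></appSettings>
  <system.webServer><rewrite><rules /></rewrite></system.webServer>
</configuration>"""


def _redirects_umbraco(rule):
    """True if this <rule> sends plain-HTTP back-office requests to HTTPS."""
    if rule.get("enabled", "true").lower() == "false":
        return False
    match, action = rule.find("match"), rule.find("action")
    if match is None or action is None or not match.get("url"):
        return False
    try:
        # Approximation: IIS matches case-insensitively against the path
        # without its leading slash.
        hits_backoffice = re.search(match.get("url"), "umbraco/", re.I) is not None
    except re.error:
        return False
    https_off = any(c.get("input") == "{HTTPS}" and c.get("pattern", "").lower() == "off"
                    for c in rule.findall("./conditions/add"))
    to_https = (action.get("type", "").lower() == "redirect"
                and action.get("url", "").lower().startswith("https://"))
    return hits_backoffice and https_off and to_https


def audit_backoffice_ssl(web_config_xml):
    """Return a list of findings; an empty list means both steps are in place."""
    root = ET.fromstring(web_config_xml)
    findings = []
    # Step 1: appSettings must carry umbracoUseSSL=true.
    values = [a.get("value", "") for a in root.findall("./appSettings/add")
              if a.get("key") == "umbracoUseSSL"]
    if not any(v.strip().lower() == "true" for v in values):
        findings.append("umbracoUseSSL is missing or not 'true'")
    # Step 2: some enabled rewrite rule must redirect /umbraco to HTTPS.
    rules = root.findall("./system.webServer/rewrite/rules/rule")
    if not any(_redirects_umbraco(r) for r in rules):
        findings.append("no rule redirects /umbraco from HTTP to HTTPS")
    return findings


if __name__ == "__main__":
    for finding in audit_backoffice_ssl(SAMPLE_STEP1_ONLY):
        print("FINDING:", finding)
```

Running it against the constructed sample reports the missing redirect rule, which is the state a site is left in when only the appSettings key is added.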
More Information
Other Umbraco app settings are available; see the Umbraco documentation.