From Microsoft.AspNetCore.HttpsPolicy.dll
Redirect all HTTP traffic to an HTTPS port.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
...
myIServiceCollection.AddHttpsRedirection(options =>
{
options.RedirectStatusCode = StatusCodes.Status307TemporaryRedirect; //see also Status301MovedPermanently and Status308PermanentRedirect
options.HttpsPort = 8443;
});
An HTTP request can bypass this redirect with header "X-Forwarded-Proto:https".
This pretends that the request is already being made to an HTTPS address.
aka HSTS
The HTTP Strict-Transport-Security response header lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.
using Microsoft.AspNetCore.Builder;
...
myIServiceCollection.AddHsts(options =>
{
options.MaxAge = new TimeSpan(365, 0, 0, 0); //1 year
});