I have an ASP.NET Webforms application and it is using NWebsec. It works as intended, but I am trying to force HTTPS from the start not after initial request with HSTS. When I add the URL Rewrite it gets in a redirect loop. Removing NWebsec and the URL Rewrite works fine. NWebsec works in either case but without the rewrite if they load HTTP it will not force HTTPS. The upgrade-insecure-requests
does not work on it's own.
URL Rewrite Rule
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
redirectType="Permanent" />
</rule>
NWebsec Config
<nwebsec>
<httpHeaderSecurityModule xmlns="http://nwebsec.com/HttpHeaderSecurityModuleConfig.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="NWebsecConfig/HttpHeaderSecurityModuleConfig.xsd">
<redirectValidation enabled="true" />
<setNoCacheHttpHeaders enabled="true" />
<x-Robots-Tag enabled="false" noIndex="false" noFollow="false" noArchive="false" noOdp="false" noSnippet="false" noImageIndex="false" noTranslate="false" />
<securityHttpHeaders>
<x-Frame-Options policy="Deny" />
<strict-Transport-Security max-age="60" includeSubdomains="true" httpsOnly="true" preload="false" />
<x-Content-Type-Options enabled="true" />
<x-Download-Options enabled="false" />
<x-XSS-Protection policy="Disabled" blockMode="true" />
<content-Security-Policy enabled="true">
<upgrade-insecure-requests enabled="true" />
</content-Security-Policy>
</securityHttpHeaders>
</httpHeaderSecurityModule>
</nwebsec>
Found the issue, PEBKAC. Should have read the documentation better.
<redirectValidation enabled="true">
<allowSameHostRedirectsToHttps enabled="true" />
</redirectValidation>