Most ASP.NET developers are familiar with the [RequireHttps] attribute that forces HTTPS connections for a particular route or controller. However, if you’re building an API in ASP.NET Core, the official documentation includes this warning:
Do not use RequireHttpsAttribute on Web APIs that receive sensitive information. RequireHttpsAttribute uses HTTP status codes to redirect browsers from HTTP to HTTPS. API clients may not understand or obey redirects from HTTP to HTTPS.
It’s important to use HTTPS for both your browser applications and APIs, but [RequireHttps] only focuses on the former. How should you enforce HTTPS for APIs?
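One option that avoids the redirect behaviour the warning describes is to refuse plain-HTTP requests with an error status instead of redirecting them. The following is an added example, not code from the original article; it assumes a .NET 6+ minimal API, and the route, the response text and the reverse-proxy setup are constructed for illustration.

```csharp
// Program.cs - added example for an ASP.NET Core (.NET 6+) minimal API.
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

// Assumption: the API may sit behind a TLS-terminating reverse proxy.
// Honour X-Forwarded-Proto so Request.IsHttps reflects the client's scheme.
// By default only loopback proxies are trusted; add KnownProxies or
// KnownNetworks for a real deployment.
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedProto;
});

var app = builder.Build();

// Must run before the scheme check below.
app.UseForwardedHeaders();

// Reject plain-HTTP requests outright. A redirect would let a misconfigured
// client keep "working" while it sends its payload in clear text on every
// call; a hard failure makes the wrong URL visible so it gets fixed.
app.Use(async (context, next) =>
{
    if (!context.Request.IsHttps)
    {
        context.Response.StatusCode = StatusCodes.Status400BadRequest;
        await context.Response.WriteAsync("HTTPS is required.");
        return; // short-circuit: the endpoint never runs
    }

    await next(context);
});

// Hypothetical endpoint, present only so the example has a route to protect.
app.MapGet("/api/orders", () => Results.Ok(new[] { "constructed-sample-order" }));

app.Run();
```

Rejecting the request does not protect data the client already sent over HTTP, so credentials seen on a rejected request should be treated as exposed. Not binding an HTTP port at all removes the plain-text path entirely.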