Use HTTPS on all your Sitecore instances

Abstract

How to enable HTTPS on your Sitecore instances.

Using HTTP does not protect data from interception or alteration; therefore, it is best practice to use HTTPS for both your content management and content delivery environments. Sitecore does not include configured HTTPS bindings out of the box.

To enable HTTPS on your Sitecore environments:

  1. Ensure you have X.509 certificates from a Certificate Authority.

  2. Create the associated bindings on your Sitecore IIS instances.

  3. To ensure that all traffic is served over SSL/TLS, open the Sitecore web.config file and edit the <system.web> section to include these attributes: 

    <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
</system.web>

This configuration:

  • Ensures that cookies are secure across your site.

  • Ensures that a client-side script cannot read the cookies.

  • Prevents any additional configuration from overriding these settings.

For more information about configuring HTTPS bindings to an IIS website, visit: