This repository was archived by the owner on Feb 26, 2026. It is now read-only.

Enforce HTTPS redirection and HSTS#21

Draft
Copilot wants to merge 3 commits into main from copilot/enforce-https-redirection

Conversation


Copilot AI commented Feb 26, 2026

Application was serving HTTP requests without redirection, exposing data in transit to MITM attacks.

Changes

  • Middleware configuration (Program.cs)

    • Added UseHttpsRedirection() before endpoint registration
    • Added UseHsts() for non-Development environments
  • Integration tests (HttpsRedirectionTests.cs)

    • Verify middleware configuration across Development, Staging, and Production environments

Implementation

// Configure HSTS for production (adds Strict-Transport-Security header)
if (!app.Environment.IsDevelopment())
{
    app.UseHsts();
}

// Redirect HTTP requests to HTTPS
app.UseHttpsRedirection();

app.RegisterGodEndpoints();
app.RegisterMythologiesEndpoints();

The existing HTTPS profile in launchSettings.json already supports local development with certificates.

Original prompt

This section gives details on the original issue you should resolve

<issue_title>[MEDIUM] HTTPS redirection is not enforced</issue_title>
<issue_description>## Summary

The application does not call app.UseHttpsRedirection(), meaning HTTP requests are served without being redirected to HTTPS. This violates the security requirement to "Use HTTPS for all network communications."

Description

In src/Program.cs, the middleware pipeline does not include app.UseHttpsRedirection(). Without this middleware:

  • Clients can connect over plain HTTP, exposing data in transit.
  • API keys, tokens, and sensitive payloads can be intercepted via man-in-the-middle (MITM) attacks.
  • Cookies (if any) transmitted without encryption are vulnerable to session hijacking.

While HTTPS may be enforced at the infrastructure level (e.g., reverse proxy, load balancer), defense-in-depth requires the application itself to enforce HTTPS redirection.

Implementation

  1. Add app.UseHttpsRedirection() to the middleware pipeline in src/Program.cs, before endpoint mapping:
    app.UseHttpsRedirection();
    app.RegisterGodEndpoints();
    app.RegisterMythologiesEndpoints();
  2. Ensure launchSettings.json includes an HTTPS profile for local development.
  3. In production (Docker/Kubernetes), ensure the HTTPS certificate is properly configured.
  4. Optionally add HSTS headers for browsers:
    if (!app.Environment.IsDevelopment())
    {
        app.UseHsts();
    }
  5. Add an integration test verifying HTTP requests are redirected to HTTPS.

References

Comments on the Issue (you are @copilot in this section)
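An integration test covering steps 1, 4 and 5 of the plan above, added here as an illustration; it is not the PR's own HttpsRedirectionTests.cs. It assumes xUnit with Microsoft.AspNetCore.Mvc.Testing, that the application's Program type is visible to the test project, and a hypothetical /gods route. Two caveats it works around: the TestServer has no real HTTPS address, so HttpsRedirectionOptions.HttpsPort must be set or the middleware silently skips the redirect, and UseHsts excludes loopback hosts by default, so the header never appears on localhost unless that list is cleared.

```csharp
using System.Net;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.HttpsPolicy;
using Microsoft.AspNetCore.Mvc.Testing;
using Microsoft.Extensions.DependencyInjection;
using Xunit;

// Added example (not the PR's tests). Assumes ImplicitUsings and that the app's `Program` type
// is visible to the test project (e.g. `public partial class Program { }` in src/Program.cs).
public class HttpsEnforcementTests : IClassFixture<WebApplicationFactory<Program>>
{
    private readonly WebApplicationFactory<Program> _factory;

    public HttpsEnforcementTests(WebApplicationFactory<Program> factory) => _factory = factory;

    private HttpClient CreateClient(string environment) =>
        _factory.WithWebHostBuilder(builder =>
        {
            builder.UseEnvironment(environment);
            builder.ConfigureServices(services =>
            {
                // TestServer exposes no real HTTPS endpoint, so the middleware cannot discover the
                // port; without an explicit HttpsPort it logs a warning and does NOT redirect.
                services.Configure<HttpsRedirectionOptions>(o => o.HttpsPort = 5001);
                // UseHsts skips loopback hosts by default; clear the list so the header is observable.
                services.Configure<HstsOptions>(o => o.ExcludedHosts.Clear());
            });
        }).CreateClient(new WebApplicationFactoryClientOptions { AllowAutoRedirect = false });

    [Theory]
    [InlineData("Development")]
    [InlineData("Production")]
    public async Task PlainHttpIsRedirectedToHttps(string environment)
    {
        // "/gods" is an assumed route; the redirect runs before endpoint matching, so any path works.
        var response = await CreateClient(environment).GetAsync("http://localhost/gods");

        Assert.Equal(HttpStatusCode.TemporaryRedirect, response.StatusCode); // 307, the middleware default
        Assert.Equal("https://localhost:5001/gods", response.Headers.Location?.ToString());
    }

    [Theory]
    [InlineData("Development", false)]
    [InlineData("Production", true)]
    public async Task HstsHeaderOnlySentOverHttpsOutsideDevelopment(string environment, bool expected)
    {
        var response = await CreateClient(environment).GetAsync("https://localhost/gods");
        Assert.Equal(expected, response.Headers.Contains("Strict-Transport-Security"));
    }
}
```

The second theory also documents the behaviour that HSTS is only emitted on HTTPS responses, so a plain-HTTP probe can never observe the header and the redirect test is what protects the first request.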



Copilot AI and others added 2 commits February 26, 2026 13:32
Co-authored-by: aatmmr <15815012+aatmmr@users.noreply.github.com>
Co-authored-by: aatmmr <15815012+aatmmr@users.noreply.github.com>
Copilot AI changed the title [WIP] Add HTTPS redirection to application Enforce HTTPS redirection and HSTS Feb 26, 2026


Development

Successfully merging this pull request may close these issues.

[MEDIUM] HTTPS redirection is not enforced

2 participants