Enable SSL/HTTPS for a CMS 9.0 or CMS 10.0 Site

Product: CMS

Version: All, CMS 10, 10.x, CMS 9, 9.x

Published: June 23, 2016

Last updated: 1/30/2021


Description

This article outlines how to configure your CMS 9.0 or CMS 10.0 site for HTTPS/SSL.

Requirements

  • A CMS 9.0 or CMS 10.0 site.
  • Administrative rights on the Content Management Server.
  • A valid SSL certificate.

Step-by-Step

By default, a CMS site is set up to use HTTP. Enabling HTTPS involves the following changes:

  • Setting HTTPS bindings for the CMS site within IIS.
  • Changing the content store location in web.config so that it reflects HTTPS.
  • Enabling URL rewrite to redirect from HTTP to HTTPS.

Configuring HTTPS bindings is a common server administration procedure and is covered in depth on IIS's website. For more information, read this article on setting up SSL in IIS 7 and above.

After IIS has been configured, follow the steps below to enable SSL/HTTPS on your CMS site:

  1. In a file browser, navigate to your site's root folder. Open web.config in a text editor. 
  2. Locate the CMSContentStoreSettings node. Change the contentStoreLocation attribute from HTTP to HTTPS and secureTransport to true as shown in the following screenshot.

    CMS Content Store Settings

  3. Save web.config.
  4. Navigate to your DSS_Preview folder ({Site Root}\DSS_Preview).
  5. Locate the connectionStrings node inside the web.config. Change the connectionString information from HTTP to HTTPS as shown in the following screenshot:

    DSS Preview Change

  6. Save the web.config.

It's recommended to configure URL Rewrite in IIS to automatically redirect HTTP traffic to HTTPS.  

  1. Download and install Microsoft Web Platform Installer.
  2. On IIS.net, download and install the URL Rewrite extension.
  3. Open your site's web.config and locate the system.webServer node. This is where to insert the code that will redirect HTTP to HTTPS. Download this example XML and add it to web.config.
    Important:
    By default, the igxlocale cookie is set to HTTP and can be changed only with its ASP.NET setting httpOnlyCookies. By default, httpOnlyCookies is set to false. For CMS site configurations that use the HTTPS redirect, there is a potential risk of "man-in-the-middle" attacks, whereby an attacker intercepts the first request in HTTP before the redirect to HTTPS occurs. When enabling HTTPS for your CMS, you can mitigate this risk by setting the httpOnlyCookies option to true in web.config.
  4. Save web.config.

With the URL Rewrite extension installed, it's also possible to configure rewrite rules directly in IIS. For more information, refer to this knowledge base article.

Additional Information

Before upgrading an SSL/HTTPS-enabled CMS site, you should consider the following:

  • On CMS 9.0 and CMS 10.0 upgrades, URL rewrite rules—and all other custom configurations—are removed from web.config. It's a good idea to keep a backup of a site's web.config to prevent having to reconfigure the site after every upgrade.  
  • When HTTPS is enabled, errors can occur when running the upgrade wizard. Before running the upgrade wizard, be sure to change the contentStoreLocation path back to HTTP.
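
Because an upgrade resets these settings, it helps to verify a web.config against the changes this article describes. The Python script below is an added example, not part of the original article or the product's tooling. The sample file, its host name, the placement of CMSContentStoreSettings and the rewrite rule are constructed assumptions; httpCookies under system.web is standard ASP.NET configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config. Node and attribute names come from the article;
# the nesting, host name and rewrite rule are assumptions for illustration.
SAMPLE = """<configuration>
  <CMSContentStoreSettings contentStoreLocation="https://cms.example.test/"
                           secureTransport="true" />
  <system.web><httpCookies httpOnlyCookies="true" /></system.web>
  <system.webServer><rewrite><rules>
    <rule name="HTTP to HTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions><add input="{HTTPS}" pattern="^OFF$" /></conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
  </rules></rewrite></system.webServer>
</configuration>"""


def audit_web_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []

    # iter() searches the whole tree, so the node's exact position does not matter.
    store = next(root.iter("CMSContentStoreSettings"), None)
    if store is None:
        findings.append("CMSContentStoreSettings node not found")
    else:
        if not store.get("contentStoreLocation", "").lower().startswith("https://"):
            findings.append("contentStoreLocation is not an https:// URL")
        if store.get("secureTransport", "").lower() != "true":
            findings.append("secureTransport is not true")

    # The article recommends httpOnlyCookies="true"; a missing element means the default.
    cookies = next(root.iter("httpCookies"), None)
    if cookies is None or cookies.get("httpOnlyCookies", "false").lower() != "true":
        findings.append("httpOnlyCookies is not true")

    # At least one rewrite rule must redirect to an https:// URL.
    actions = [rule.find("action") for rule in root.iter("rule")]
    if not any(a is not None and a.get("type", "").lower() == "redirect"
               and a.get("url", "").lower().startswith("https://") for a in actions):
        findings.append("no URL Rewrite rule redirecting to https://")
    return findings


if __name__ == "__main__":
    print(audit_web_config(SAMPLE) or "all checks passed")
```

Run it against the backup copy and the post-upgrade copy of web.config; any difference in findings shows which custom settings the upgrade removed.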
