Use HTTPS on all your Sitecore instances

Last updated Monday, May 1, 2017 in Sitecore Experience Platform for Administrator

Using HTTP does not protect data from interception or alteration; therefore, it is best practice to use HTTPS for both your content management and content delivery environments. Sitecore does not include configured HTTPS bindings out of the box.

To enable HTTPS on your Sitecore environments:

  1. Ensure you have X.509 certificates from a Certificate Authority.
  2. Create the associated bindings on your Sitecore IIS instances.
  3. To ensure that all traffic is served over SSL/TLS, open the Sitecore web.config file and edit the <system.web> section to include these attributes:
    <system.web>
        <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
    </system.web>

This configuration:

  • Ensures that cookies are sent only over HTTPS across your site (requireSSL="true").
  • Ensures that a client-side script cannot read the cookies (httpOnlyCookies="true").
  • Prevents any additional configuration from overriding these settings (lockItem="true").
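
To confirm that a deployed web.config carries these three settings, the following check can be run against the file contents. It is an added example, not part of the Sitecore documentation or product; the function name audit_http_cookies and the two sample documents are constructed for illustration, and the check assumes the <configuration> root element declares no XML namespace.

```python
import xml.etree.ElementTree as ET

# Attributes set on <httpCookies> in the page's snippet, with the exposure if unset.
REQUIRED = {
    "httpOnlyCookies": "client-side script can read cookies",
    "requireSSL": "cookies may be sent over plain HTTP",
    "lockItem": "child configuration can override these settings",
}


def audit_http_cookies(web_config_xml):
    """Return findings for the root <system.web>/<httpCookies>; empty means compliant."""
    root = ET.fromstring(web_config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        return ["<system.web> section not found"]
    element = system_web.find("httpCookies")
    if element is None:
        # With no element, ASP.NET uses its defaults (httpOnlyCookies and requireSSL false).
        return ["<httpCookies> missing: " + risk for risk in REQUIRED.values()]
    findings = []
    for name, risk in REQUIRED.items():
        value = element.get(name)
        # Strict check: anything other than the literal "true" is reported.
        if value != "true":
            findings.append(f"{name}={value!r}: {risk}")
    return findings


# Constructed sample inputs (not taken from a real Sitecore installation).
HARDENED = """<configuration><system.web>
  <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
</system.web></configuration>"""

WEAK = """<configuration><system.web>
  <httpCookies httpOnlyCookies="true" requireSSL="false" />
</system.web></configuration>"""

if __name__ == "__main__":
    for label, xml_text in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_http_cookies(xml_text) or "OK")
```

An empty result means the root <httpCookies> element matches the configuration shown above; each finding names the attribute and the exposure it leaves open.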

For more information about configuring HTTPS bindings to an IIS website, visit:
