How can a remote client request a page via

In my ASP.Net application running on IIS, I have configured URL redirects from http to https so that all clients access my pages via https. Web.config looks like this:

<rule name="Redirect HTTP to HTTPS" stopProcessing="true">
      <match url="^(.*)$" />
        <add input="{HTTPS}" pattern="^OFF$" />
        <add input="{HTTP_HOST}" matchType="Pattern" pattern="^localhost(:\d+)?$" negate="true" />
        <add input="{HTTP_HOST}" matchType="Pattern" pattern="^\d+)?$" negate="true" />
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />

So basically, any remote request not from the server are redirected to the https-equivalent URL.

Now the problem is that some remote clients seem to call pages locally. Example: http//: I know this because I'm getting custom log entries from Default.aspx that look like this:

   Not secure: --> 

Translation: the client "" called**default.aspx** and was manually redirected to https manually.

How did this remote client circumvent my HTTP rule and manage to call Default.aspx unsecured and (as it seems) locally???

Read more here:

Content Attribution

This content was originally published by Cleo at Recent Questions - Stack Overflow, and is syndicated here via their RSS feed. You can read the original post over there.

%d bloggers like this: