Vulnerability in EPiServer.Forms
Also now that the UI files are moved to the program files folder and is accessed through a virtual path, how can we require that these are accessed over HTTPS? This used to be straight forward configuration of IIS in previous versions.
Regards to the UI, just set uiUrl in web.config to a https path.
You would probably need to write a custom user control to switch between http and https based upon page ids or page template type and then drop that plug in on all templates.
If using page ids, best way would be to put them in web config, get the list of page ids and compare it against the current page and do the switch.
Offcourse, dynamic properties can be used to mark page if secured or not.
Guess you need to write your own FriendlyRewriterProvider where you take into account an dynamic property and make the switch between http and https.
Somethng like this code should do the trick
public class HttpsBasedRewriter : FriendlyUrlRewriteProvider
public override bool ConvertToExternalInternal(UrlBuilder url, object internalObject, Encoding toEncoding)
bool status=base.ConvertToExternalInternal(url, internalObject, toEncoding);
PageReference pageLink = internalObject as PageReference;
if (pageLink != null)
PageData page = EPiServer.DataFactory.Instance.GetPage(pageLink);
if (page["NeedHttps"] != null)
url.Scheme = "https";
protected override bool ConvertToInternalInternal(UrlBuilder url, ref object internalObject)
bool status=base.ConvertToInternalInternal(url, ref internalObject);
if (url.Scheme == "http")