Force TLS in .NET

Versions before ASP.NET 4.7 default to making outbound connections using TLS 1.0. This is a real problem for security for many reasons. It’s now been deprecated with many CVEs. Some of these vulnerabilities make TLS 1.0 vulnerable to man-in-the-middle attacks. A lot of APIs will not accept incoming requests from TLS 1.0 because of this.

TLS 1.0 Vulnerabilities



It’s easy to fix this by simply adding the code below in the global.asax file.

In this sample, we are using a standard ASP.NET MVC 4.5.2 project.