When you need to enforce HTTPS for only a specific section of your site — such as an admin area or a checkout flow — rather than the entire site, this IIS URL Rewrite rule is the way to go.
Add the following to the system.webServer > rewrite > rules section of web.config:
<rule name="Redirect /some-directory-to-protect to SSL" patternSyntax="ECMAScript" stopProcessing="true">
<match url="some-directory-to-protect.*" />
<conditions>
<add input="{HTTPS}" pattern="Off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:0}" />
</rule>Replace some-directory-to-protect with the actual directory path you want to secure (e.g., admin, checkout, members).
How it works:
<match url="some-directory-to-protect.*" />— matches the directory and any subpath{HTTPS}condition checks whether the request is over plain HTTP{HTTP_HOST}/{R:0}reconstructs the full URL with the original host and path, upgraded to HTTPSstopProcessing="true"prevents other rewrite rules from running after this one matches
This pattern is used in the Secure Umbraco Back-office logins post for specifically securing the /umbraco path.