Web API w/ SSL allows non-secure GET requests

The scenario: I have a .NET Core 2.0 Web API app configured to use only secure connections. I'm using Postman to test the requests.

If I try to POST, PUT or DELETE using a non-secure URL (HTTP), it returns status 403 (as it should). However, it accepts GET requests via HTTP.

I'm really an amateur regarding SSL usage, so I don't know if this is the common behavior (although, in my head, it doesn't make any sense).

The SSL configuration in the Web API is done as follows:


    {
      "certificateSettings": {
        "fileName": "filename.pfx",
        "password": "password"
      }
    }


    public static IWebHost BuildWebHost(string[] args)
    {
        var config = new ConfigurationBuilder()
            .AddJsonFile("certificate.json", optional: true, reloadOnChange: true)
            .AddJsonFile($"certificate.{Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT")}.json", optional: true, reloadOnChange: true)
            .Build();

        var certificateSettings = config.GetSection("certificateSettings");
        string certificateFileName = certificateSettings.GetValue<string>("filename");
        string certificatePassword = certificateSettings.GetValue<string>("password");

        var certificate = new X509Certificate2(certificateFileName, certificatePassword);

        return WebHost.CreateDefaultBuilder(args)
            .UseKestrel(options =>
            {
                options.AddServerHeader = false;
                // Kestrel listens on loopback only and serves HTTPS with the loaded certificate
                options.Listen(IPAddress.Loopback, 44312, listenOptions =>
                {
                    listenOptions.UseHttps(certificate);
                });
            })
            .UseStartup<Startup>()
            .Build();
    }


    public void ConfigureServices(IServiceCollection services)
    {
        // Global filter applied to every MVC action
        services.Configure<MvcOptions>(options =>
        {
            options.Filters.Add(new RequireHttpsAttribute());
        });

        services.AddAntiforgery(options =>
        {
            options.Cookie.Name = "_af";
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.HeaderName = "X-XSRF-TOKEN";
        });
    }

The app is hosted in IIS 10. It's a sub-Application, inside a Website, and this Website has the certificate I'm using bound to port 443. There's a copy of this certificate in the root of the application (although I don't know if this is needed).

All HTTPS requests work like a charm.

I believe it's something silly, I just couldn't figure it out. My web searches came to nothing.

Thanks in advance.
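
Added example, not part of the original post: in ASP.NET Core 2.0, `RequireHttpsAttribute` answers a plain-HTTP GET with a redirect to the HTTPS URL and any other method with 403, so a client that follows redirects automatically shows only the final HTTPS response. The Python probe below sends each method without following redirects; the local stand-in server and the `/api/values` path are constructed for illustration and only mimic that filter.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

HTTPS_PORT = 44312  # HTTPS port taken from the post's Kestrel listener

class StandInHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a plain-HTTP endpoint behind an HTTPS-only
    filter: GET is redirected to https://, every other method gets 403."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", f"https://localhost:{HTTPS_PORT}{self.path}")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def _forbid(self):
        self.send_response(403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_POST = do_PUT = do_DELETE = _forbid

    def log_message(self, *args):  # silence per-request logging
        pass

def probe(host, port, path, methods=("GET", "POST", "PUT", "DELETE")):
    """Send each method over plain HTTP. http.client never follows redirects,
    so each result is the status the server itself returned."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, path)
        resp = conn.getresponse()
        results[method] = (resp.status, resp.getheader("Location"))
        conn.close()
    return results

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), StandInHandler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_port, "/api/values")  # hypothetical path
    finally:
        server.shutdown()

if __name__ == "__main__":
    for method, (status, location) in run_demo().items():
        print(method, status, location or "")
```

Pointing `probe` at the real HTTP binding shows whether a GET is served in clear text (200) or only redirected (3xx with an `https://` `Location`).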