Enforce HTTPS correctly in ASP.NET Core APIs