One random thing that really annoys me is that the site http://shakespeare.mit.edu does not properly forward http requests to https although they have an https version of the site.
Funniest thing I’ve ever seen is the docs for Nginx do the same, no http to https redirection. I mean, you would hope that the maintainers for the biggest web server in the world would be able to manage that but somehow… No they don’t.
HSTS + HTTPS redirect is the answer. It’s industry standard for a reason: it’s just as safe as pure HTTPS since you can’t get anything other than a redirect over HTTP, and HSTS protects your users from future attempted MITM attacks. The MDN page for HSTS explains it all very clearly.
Any other implementation is an immediate audit fail in my experience.
There’s no tangible security benefit to fully disabling port 80, and if anything depending on the service it may just drive users away to shadier alternatives.
No, an .htaccess file is specific to Apache HTTP Server… although some other web servers have integrated the format. However, most browsers now automatically redirect when an HTTPS version exists.
One random thing that really annoys me is that the site http://shakespeare.mit.edu does not properly forward http requests to https although they have an https version of the site.
Funniest thing I’ve ever seen is the docs for Nginx do the same, no http to https redirection. I mean, you would hope that the maintainers for the biggest web server in the world would be able to manage that but somehow… No they don’t.
server serves a protocol on a port. I would rather it not include logic like that. turn off the http port of you don’t want to serve http.
HSTS + HTTPS redirect is the answer. It’s industry standard for a reason: it’s just as safe as pure HTTPS since you can’t get anything other than a redirect over HTTP, and HSTS protects your users from future attempted MITM attacks. The MDN page for HSTS explains it all very clearly.
Any other implementation is an immediate audit fail in my experience.
There’s no tangible security benefit to fully disabling port 80, and if anything depending on the service it may just drive users away to shadier alternatives.
that would mean anyone going to http:// will perceive as the server being down so what you are saying will not work in practice
Apache tomcat had a stupid security issue. I recently did a HackTheBox about it. Here’s a write-up of the box https://medium.com/ctf-writeups/hack-the-box-jerry-write-up-6f045601315f
Why man they doth share packets in the clear
If you are using Firefox, enable https everywhere setting and it fixes stuff like that
It will only give an error if there’s no https version that exists
Firefox has a built in setting that does the same. No need for the extension
They said to use the setting, nothing about extensions though.
Don’t you just need to toss an “.htaccess” file in the root?
No, an .htaccess file is specific to Apache HTTP Server… although some other web servers have integrated the format. However, most browsers now automatically redirect when an HTTPS version exists.