All HTTPS, or is it OK to accept HTTP and redirect (secure vs. user friendly)

Tom Harrison Jr asked:

Our site currently redirects requests sent to to — everything beyond this is served over SSL. For now, the redirect is done with an Apache rewrite rule.

Our site is dealing with money, however, so security is pretty important. Does allowing HTTP in this way pose any greater security risk than just not opening or listening on port 80? Ideally, it’s a little more user-friendly to redirect.

(I am aware that SSL is only one of a large set of security considerations, so please make the generous assumption that we have done at least a “very good” job of covering various security bases.)

My answer:

You’re doing the right thing by redirecting http to https (assuming you use 301 redirects).

One additional thing that you should strongly consider doing is enabling Strict Transport Security so that browsers know that this is a web site they should connect to only via https.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.