http not redirecting to https
Bug example:
Remote Address:104.131.145.24:80
Request URL:http://hook.io/
Request Method:GET
Status Code:200 OK
Expected: 302 https://hook.io
Ideally, HSTS headers would also be sent
Additionally, there are some other SSL configuration issues as identified at https://www.ssllabs.com/ssltest/analyze.html?d=hook.io
Is it important to always upgrade to HTTPS?
I feel like if the user hasn't logged in or isn't sending any secure data they can just use HTTP?
My primary concern is performance of the front-end servers.
Good question!
Rationale: https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/ (there's an equivalent Chromium post from even earlier but I can't find it offhand)
Re performance: https://www.maxcdn.com/blog/ssl-performance-myth/ and https://istlsfastyet.com/
@jden - You are totally right about this.
I'm going to switch to HTTPS by default in the next day or so.
:+1: rad!
Added upstream to resource-http with https://github.com/bigcompany/http/commit/4c6f95ff1929135c35807a3db26dd26df887f6bf
Looks like we've gotten everything on the site going to SSL every time for everything.
Will continue to test and deploy this over the next few days.
Working well.
Deployment will be waterfall with #91
Deployed.
@jden - For hsts do you mean something like https://github.com/helmetjs/hsts ?
@Marak yep - the standard, anyway. I'm sure there are a variety of modules that use it. It's a header that's basically like the SSH known-hosts for the browser (sorta) that tells the browser to only allow HTTPS connections for all requests to a given hostname, regardless of path or origin.
@jden - Do you have any interest in adding this feature to our resource-http module?
https://github.com/bigcompany/http
resource-http is a helper module for creating HTTP servers. hook.io (and a few other projects) use this. Should be easy to add HSTS support.
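
One way the redirect and HSTS behaviour discussed in this thread could be implemented in a Node request handler, as an added example that is not code from resource-http or hook.io. The names `CANONICAL_HOST`, `hstsValue`, `isSecure` and `enforceHttps`, the `trustProxy` option and the one-year default `max-age` are assumptions made for illustration.

```javascript
// Added example, not resource-http's implementation.
// Assumption: the site has one canonical hostname, configured server-side.
const CANONICAL_HOST = 'hook.io';

// Build a Strict-Transport-Security value (RFC 6797). maxAge is in seconds.
function hstsValue({ maxAge = 31536000, includeSubDomains = false } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new RangeError('maxAge must be a non-negative integer');
  }
  return `max-age=${maxAge}` + (includeSubDomains ? '; includeSubDomains' : '');
}

// True when the request arrived over TLS, either directly or through a
// TLS-terminating proxy. X-Forwarded-Proto is client-controllable, so it is
// honoured only when the operator has declared the proxy trusted.
function isSecure(req, trustProxy) {
  if (req.socket && req.socket.encrypted) return true;
  if (!trustProxy) return false;
  const proto = String(req.headers['x-forwarded-proto'] || '')
    .split(',')[0].trim().toLowerCase();
  return proto === 'https';
}

// Call first in the request handler. Returns true when a redirect was sent
// (stop processing) and false when the request is already HTTPS (continue).
function enforceHttps(req, res, opts = {}) {
  if (isSecure(req, opts.trustProxy)) {
    // HSTS goes on HTTPS responses only; browsers ignore it over plain HTTP.
    res.setHeader('Strict-Transport-Security', hstsValue(opts.hsts));
    return false;
  }
  // Build the target from the configured host, never from the Host header,
  // so a forged Host cannot turn the redirect into an open redirect.
  const path = typeof req.url === 'string' && req.url.startsWith('/') ? req.url : '/';
  res.statusCode = opts.statusCode || 302; // 302 is the status this issue expects
  res.setHeader('Location', `https://${CANONICAL_HOST}${path}`);
  res.end();
  return true;
}
```

With Node's `http` module this would be called as `if (enforceHttps(req, res, opts)) return;` at the top of the request listener.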