Enforcing HTTPS | Experience?

Question

I was asking myself, wether it would be okay to enforce HTTPS over normal HTTP, by 301 redirecting every HTTP request to its HTTPS counterpart.

Are there backwards compatibility issues (IE, I'm looking at you) or any other drawbacks? How do search engines handle this? Do you already have experience with this? What are your opinions?

Google themselves also enforce HTTPS, but not always. If you're sending an IE6/7 User-Agent header, you won't be redirected. Should I allow my users to use HTTP, if they want to?

The Electronic Frontier Foundation understandably advises users to always use HTTPS. Can I make that decision for my users and enforce HTTPS? Is there a reason to not use HTTP at all?

Not my downvote, but I guess you should edit it and then narrow down your question to one or two points. You could also try http://security.stackexchange.com/ and delete this one instead. — SilverlightFox, Feb 28 '14 at 10:24

score 1 · Accepted Answer · answered Jan 30 '14 at 09:32

Enforcing HTTPS is becoming more and more common. We started using HTTPS where I worked previously (site had millions of hits per week) due to the fact that Firefox was assuming HTTPS if no protocol is defined, meaning users could type "websitename.com" and not find our website at all, as we only served over HTTP.

I'm sure there were SEO implications behind redirects, but I seem to recall that 301 was the suggested route. Definitely not 302.

Internet Explorer didn't give us any issues for 8, 9 or 10 - prior versions I couldn't say. Hopefully someone else here will know more regarding IE7. There is a link here which explains a few issues, though: http://msdn.microsoft.com/en-us/library/bb250503(v=vs.85).aspx

Honestly in this day an age, the number of people using browsers which do not handle HTTPS are likely to be few - it's such a standard now. My opinion is that we need to try and progress things rather than build things around that total minority who refuse to get with the times. Technology is about progress, after all.

If you can recall it, did you measure any performance hit after enforcing HTTPS? I guess the de/encryption overhead is minimal and not even measurable. Plus, with SPDY we should get faster than regular HTTP. — buschtoens, Jan 30 '14 at 09:56
Information on speed impact (tl;dr there's none): http://stackoverflow.com/questions/548029/how-much-overhead-does-ssl-impose/548042#548042 — buschtoens, Jan 30 '14 at 09:58
As in the post you've helpfully linked, we saw no negative impact upon performance at all. Here's another helpful post: http://stackoverflow.com/questions/149274/http-vs-https-performance?rq=1 — Chris, Jan 30 '14 at 10:12

Enforcing HTTPS | Experience?

1 Answers1