2

I am pretty sure that similar questions have been asked before but I didn't manage to find any (maybe I am using the wrong terms).

I have an insecure web app (built in Laravel). All communication between the frontend and the backend goes through HTTP. Now, I want to switch to HTTPS. As far as I know, there are two ways I can do this.

The first is to configure the server (the one that hosts the app) to accept only HTTPS requests. If I do it this way, the communication between the client and the server will be encrypted and I won't have to change anything in my app (is this correct?).

The second way is to configure my app to accept only HTTPS requests. If I do it this way, I will have to make some changes to my application code.

Now I want to ask: are both ways equally secure? Which way is preferred and why?

Dimitar Spasovski
  • What do you mean by accepting SSL in your app? There is no such option; SSL must be terminated by your web server (Apache, for example). It is a layer below the application. – Gabor Lengyel Oct 17 '16 at 19:28
  • Well, I was reading about HTTPS setup in general and I came across this [question](https://laracasts.com/discuss/channels/servers/implementing-https-for-laravel-5). The accepted answer made me think that there are 2 places where you can implement SSL. – Dimitar Spasovski Oct 17 '16 at 19:42
  • Ah ok, see my answer in a minute. – Gabor Lengyel Oct 17 '16 at 19:48

1 Answer

1

Several things are mixed up here I'm afraid.

You can only turn on SSL on your web server (Apache, Nginx, etc.). You need a server certificate, and you have to configure your web server to be able to receive HTTPS (SSL) connections. How exactly to do that is beyond the scope of this answer, but there are lots of tutorials you can find. You have to do this first.

When your web server is configured to support SSL, you want your web application to be accessible only over HTTPS and not plain HTTP. The purpose is that, on the one hand, users who don't know the difference are still safe, and on the other hand, attackers can't downgrade a user's connection to insecure plain HTTP.

Now, as for how you want to enforce HTTPS for your application, you really do have two choices. You can have your web server handle plain HTTP requests and redirect them to SSL; this is an easy configuration in both Apache and Nginx. Or you can add redirects to your application to handle the scenario where it's accessed over plain HTTP and redirect your user with something like a Location header to HTTPS.

Security-wise, it doesn't really matter whether it's the web server or the application that makes the redirect; from the client's perspective it's the same (mostly indistinguishable, actually). Choose the option that you like best. There may be, for example, maintainability reasons to choose one or the other. (Do you want to maintain redirection in your application code, or have your server operations add the redirect headers, etc.?)

Note, though, that either way your application may still be vulnerable to an attack called SSL stripping, and to prevent that you should always send an HSTS response header.

Gabor Lengyel
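As an added example (not part of the original question or answer, and not Laravel, Apache or Nginx code), the following Python script checks the outcome the answer describes from the client's side, which is the only side that matters for the security argument: whether the redirect comes from the web server or from the application, the client sees the same two responses, so the same checks apply to both. The script also covers the HSTS caveat: browsers ignore a Strict-Transport-Security header received over plain HTTP (RFC 6797, section 8.1), so the header has to be on the HTTPS response. The responses it inspects are constructed inline for the example, and the host app.example is made up.

```python
"""Client-side check of HTTP -> HTTPS enforcement plus HSTS.

Whether the redirect is produced by the web server or by the application,
a client only ever sees the responses, so one set of checks covers both
choices. All responses here are constructed; nothing touches the network.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

HSTS_MIN_MAX_AGE = 365 * 24 * 3600  # one year, the usual recommended minimum


class Response:
    """Minimal stand-in for an HTTP response: the scheme the request used,
    the status code, and a header map (names compared case-insensitively)."""

    def __init__(self, scheme: str, status: int, headers: Optional[Dict[str, str]] = None):
        self.scheme = scheme
        self.status = status
        self.headers = headers or {}

    def header(self, name: str) -> Optional[str]:
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_hsts(value: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_plain_http(resp: Response, requested_url: str) -> List[str]:
    """Findings for the response a client gets when it asks for `requested_url`
    over plain HTTP. An empty list means the upgrade to HTTPS is enforced."""
    findings: List[str] = []
    if resp.status not in (301, 302, 307, 308):
        findings.append(f"plain HTTP answered with {resp.status} instead of a redirect: HTTPS is not enforced")
        return findings
    location = resp.header("Location")
    if not location:
        findings.append("redirect has no Location header")
        return findings
    target, wanted = urlsplit(location), urlsplit(requested_url)
    if target.scheme != "https":
        findings.append(f"redirect target is not HTTPS: {location}")
    if target.hostname != wanted.hostname:
        findings.append(f"redirect changes the host: {wanted.hostname} -> {target.hostname}")
    if (target.path or "/") != (wanted.path or "/"):
        findings.append(f"redirect drops the requested path: {wanted.path} -> {target.path}")
    if resp.status in (302, 307):
        findings.append(f"{resp.status} is a temporary redirect; 301 or 308 lets browsers cache the upgrade")
    # RFC 6797 section 8.1: a UA MUST ignore an STS header received over insecure
    # transport, so HSTS sent only on the plain-HTTP redirect achieves nothing.
    if resp.header("Strict-Transport-Security") is not None:
        findings.append("HSTS on a plain-HTTP response is ignored by browsers; send it on the HTTPS response")
    return findings


def check_https(resp: Response) -> List[str]:
    """Findings for the response served over HTTPS: this is where HSTS must
    appear to stop SSL stripping on later visits."""
    findings: List[str] = []
    hsts = resp.header("Strict-Transport-Security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response: SSL stripping remains possible")
        return findings
    directives = parse_hsts(hsts)
    try:
        max_age = int(directives["max-age"])
    except (KeyError, ValueError):
        findings.append(f"HSTS max-age missing or not an integer: {hsts!r}")
        return findings
    if max_age < HSTS_MIN_MAX_AGE:
        findings.append(f"HSTS max-age={max_age} is shorter than one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains; subdomains (e.g. www) stay downgradable")
    return findings


def audit(plain: Response, secure: Response, requested_url: str) -> List[str]:
    """Run both checks for one deployment and return all findings."""
    return check_plain_http(plain, requested_url) + check_https(secure)


# Constructed sample responses (not captured from any real server).
GOOD_PLAIN = Response("http", 301, {"Location": "https://app.example/login"})
GOOD_SECURE = Response("https", 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
# Weak deployment: temporary redirect that loses the path, HSTS set only on the
# plain-HTTP hop (where it is ignored) and absent from the HTTPS response.
WEAK_PLAIN = Response("http", 302, {"Location": "https://app.example/",
                                    "Strict-Transport-Security": "max-age=31536000"})
WEAK_SECURE = Response("https", 200, {})

if __name__ == "__main__":
    for label, plain, secure in (("good", GOOD_PLAIN, GOOD_SECURE), ("weak", WEAK_PLAIN, WEAK_SECURE)):
        problems = audit(plain, secure, "http://app.example/login")
        print(f"{label}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

Running the script prints no findings for the good pair and four for the weak one. In practice you would feed it the status codes and headers captured with `curl -sI http://yourhost/` and `curl -sI https://yourhost/`; the point of keeping the checks client-side is that they are identical whichever of the two implementation choices you pick.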