-1

I have an HTTPS server in Go, so that users can enter https://example.com in their browser. I'd like them to also be able to type in "example.com" to reach my HTTPS server. From this answer I see that the standard solution is to run an HTTP server that redirects to https://example.com.

I'm wondering if this is as secure as if everything were in HTTPS. In particular, if a user sends a POST request to "example.com", will the content be encrypted while it passes through the network?

rampatowl
  • 1,722
  • 1
  • 17
  • 38

1 Answers1

4

A POST request to an HTTP server is not secure. This includes the case where the server responds to the POST with a redirect to an HTTPS server.

Browsers automatically follow redirects. The request to the HTTPS server is secure.

Charlie Tumahai
  • 113,709
  • 12
  • 249
  • 242
  • Then how come if I type in "example.com" for well known sites, Chrome displays the green "Secure" logo because of the HTTPS redirect? What exactly is secured if the only request I made was over an insecure HTTP connection? – rampatowl Apr 22 '18 at 06:45
  • 1
    @rampatowl, see also [HSTS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security), the Preload section in particular. This can prevent the redirect from happening in the first place. – Peter Apr 22 '18 at 12:17