
For apps that take payments and other sensitive data, best practice is undoubtedly to enable https routes.

But I notice the http version of the urls still work (perfectly well), which, if accidentally used could expose users to unnecessary risk.

Is it possible to outright disable the http versions?

So far I know that an attempt to access http://www.google.com/ results in the browser resolving to https://www.google.com/. I'm not sure how this works and all the steps involved (is it a simple redirect or something much more), and I'm not sure if users could somehow access (and stay on) the http version, thereby exposing themselves to unnecessary risk.

Note: I do not deal with web every day, so I apologise if this is a stupid question to those who do.

stevec

1 Answer

Depends on the technology stack you are using:

Let's say, for instance, that you are using .NET and hosting your website on IIS. You can use mod_rewrite to redirect all http requests to their https equivalent: https://serverfault.com/questions/893315/best-way-to-redirect-all-http-to-https-in-iis

Same thing if you are hosting on Apache: http to https apache redirection

Basically all web servers support this one way or another.

Edit 1

You can also disable it altogether as seen here: https://askubuntu.com/questions/184791/how-to-disable-non-ssl-connection-on-apache-2-2 but that would limit your users and make them think the service is down. Much better to redirect them to the secure version.

Athanasios Kataras

Thanks for the great answer. I also found it's incredibly easy to implement the redirect since it's done at application level. [here](https://stackoverflow.com/a/21533827)'s an example that works in a standard Ruby on Rails application. I'd guess most frameworks would make it just as easy. – stevec Aug 31 '20 at 13:53
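The redirect the answer describes, worked through as an added example that is neither the answer's own code nor taken from the linked IIS, Apache or Rails posts: a small Python redirector that does what a web server's rewrite rule does (answer every plain-HTTP GET or HEAD with a 301 and an https:// Location that preserves host, path and query string), plus a helper that checks a response the way an automated test of the site would. The hostname shop.example.com, the port 8080 and the function names are constructed for the example.

```python
"""Minimal HTTP -> HTTPS redirector (added example, not from the answer or
any page it links). A real deployment uses the web server's own rule; this
shows what that rule actually sends back to the browser."""
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, urlunsplit


def https_equivalent(host_header, request_target):
    """Build the https:// URL a plain-HTTP request should be redirected to.

    host_header is the value of the request's Host header (it may carry an
    explicit port, which is dropped so the redirect lands on 443);
    request_target is the path-and-query part of the request line.
    Returns None when the request cannot be mapped safely.
    """
    if not host_header:
        return None  # HTTP/1.1 requires Host; refuse rather than guess a site
    hostname = host_header.split(":", 1)[0].strip().lower()
    if not hostname or "/" in hostname:
        return None
    # Accept only an origin-form target ("/path?query"). Never build the
    # Location from a client-supplied absolute URI or a "//host" prefix,
    # which would turn the redirector into an open redirect.
    if not request_target.startswith("/") or request_target.startswith("//"):
        return None
    parts = urlsplit(request_target)
    return urlunsplit(("https", hostname, parts.path, parts.query, ""))


def is_secure_redirect(status, location, expected_host, expected_path):
    """Check a response: permanent redirect status and an https Location
    that points at the same host and path the client asked for."""
    if status not in (HTTPStatus.MOVED_PERMANENTLY,
                      HTTPStatus.PERMANENT_REDIRECT):
        return False
    if not location:
        return False
    target = urlsplit(location)
    return (target.scheme == "https"
            and target.hostname == expected_host.lower()
            and target.path == expected_path)


class RedirectHandler(BaseHTTPRequestHandler):
    """Answers every GET/HEAD on the plain-HTTP port with a 301 to https."""

    def do_GET(self):
        target = https_equivalent(self.headers.get("Host"), self.path)
        if target is None:
            self.send_error(HTTPStatus.BAD_REQUEST, "Cannot redirect request")
            return
        self.send_response(HTTPStatus.MOVED_PERMANENTLY)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    # HEAD gets the same headers; no body is written either way.
    do_HEAD = do_GET
    # POST is deliberately not handled: a form posted over plain HTTP has
    # already left the browser in cleartext, so redirecting it gains nothing.


if __name__ == "__main__":
    # Constructed local port; a real redirector listens on port 80.
    HTTPServer(("127.0.0.1", 8080), RedirectHandler).serve_forever()
```

Run it and request `curl -i http://127.0.0.1:8080/checkout?step=2` to see the 301 and its Location header, which is all the "http to https" rewrite rules in the answer's links produce. The redirect only covers requests that reach the server: the user's very first request still travels over plain HTTP, which is why disabling the port outright (as in the askubuntu link) removes the risk but also breaks every bookmarked or typed http:// link, exactly the trade-off the answer's edit points out. A browser that has previously received a Strict-Transport-Security header from the site over HTTPS rewrites later http:// links itself before sending anything; that header belongs on the HTTPS responses, not on this redirector, and is the "something more" behind what the question observed with google.com.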