
So I recently got my webserver to support HTTPS using the EFF's certbot.

Currently, if you navigate to DotNetRussell.com or www.DotNetRussell.com, the browser will use HTTP by default.

How do you force a user to use HTTPS?

My server is a Raspberry Pi running the latest distro, and a LAMP stack that has been recently updated. The LAMP stack is running an updated WordPress site.

700 Software
DotNetRussell
  • Most websites redirect an HTTP connection to an HTTPS connection with a 301 Moved Permanently HTTP response. Your browser will do the redirect for you and remember to always do the redirect. – sethmlarson Sep 22 '16 at 13:40
  • Possible duplicate of [Should we force user to HTTPS on website?](http://security.stackexchange.com/questions/23646/should-we-force-user-to-https-on-website) – sethmlarson Sep 22 '16 at 13:41
  • @SethMichaelLarson okay so I need to include a redirect in my index.php? – DotNetRussell Sep 22 '16 at 13:41
  • Preferably you'd handle this redirect with your web server, which if you're using LAMP you would use Apache's redirect rules. – sethmlarson Sep 22 '16 at 13:42
  • @SethMichaelLarson sounds like I have some more reading to do. Thank you. If you make this an answer I'll mark it – DotNetRussell Sep 22 '16 at 13:43
  • I found the tip to use Certbot to be quite helpful. Thanks! – 700 Software Sep 22 '16 at 16:47

2 Answers

  1. You should configure your web server so that any HTTP requests result in an HTTP 301 redirect to the HTTPS equivalent URL.

However, this is still subject to MITM. For example, if an SSL Strip server can intercept the HTTP requests, then it could speak to your server in HTTPS, but the user is using insecure HTTP on their end.

  2. To prevent SSL Strip or similar MITM attacks, you should implement HSTS. This way, if the user connects one time to your site correctly (either with an untampered connection, or to an HTTPS URL for your site), then the browser will automatically remember that all HTTP URLs should be converted to HTTPS before attempting to connect to your site.

    Note: Once this happens, the only way to get the browser to stop using HTTPS will be to clear browser cache, so do not implement HSTS if you expect to discontinue HTTPS for this site.

I do not know how to specifically achieve these on your particular webserver. I'm sure the Stack Overflow or Server Fault folks could help you.

  3. Once HSTS is implemented, ideally you should get your HSTS domain pre-loaded in major browsers. This way, even if a user has never visited your site before, they will benefit from HSTS, even if their first visit is on an SSLStrip or other bad-guy network.
700 Software

Most websites force HTTPS by redirecting all HTTP connections to their corresponding HTTPS equivalent using an HTTP 301 "Moved Permanently" response. This both redirects the current connection to HTTPS and all future connections as your browser will remember the 301 response and act accordingly. If you're using a LAMP stack you can do this redirect using Apache's redirect rules.

If you're looking for how to do this redirect, check out this answer on StackOverflow.

sethmlarson
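Both answers describe the same two-step setup (a 301 redirect from HTTP to HTTPS, then an HSTS header, optionally with preload) without showing the Apache configuration. The following is an added example, not code from either answer or from the asker's site: two Apache 2.4 virtual hosts for a hypothetical site `example.com`. It assumes `mod_alias` and `mod_headers` are enabled (`a2enmod headers` on Debian-based systems such as Raspbian) and that certbot has already written the certificate files to the paths shown.

```apache
# Added example (not from the question or answers). Hypothetical host example.com;
# certificate paths are where certbot normally places them, adjust as needed.

# Port 80: answer every plain-HTTP request with a 301 to the same URL on HTTPS.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com

    # Redirect preserves the requested path and query string, so
    # http://example.com/blog/?p=1 becomes https://example.com/blog/?p=1.
    # Requests for www.example.com are canonicalised to the bare domain here;
    # use https://www.example.com/ instead if www is your canonical name.
    Redirect permanent / https://example.com/
</VirtualHost>

# Port 443: serve the site and send the HSTS policy.
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Browsers only honour Strict-Transport-Security when it arrives over HTTPS,
    # so it belongs in this vhost, not the :80 one. "always" makes Apache add it
    # to error responses as well as successful ones.
    # max-age is in seconds. Start with a short value (e.g. 300) while you confirm
    # nothing on the site still needs plain HTTP, then raise it: the browser
    # preload list requires at least 31536000 (one year) together with
    # includeSubDomains and preload.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
```

After `apachectl configtest` and a reload, `curl -I http://example.com/` should return a `301` with a `Location:` header pointing at the `https://` URL, and `curl -I https://example.com/` should show the `Strict-Transport-Security` header. Only submit the domain at hstspreload.org once you are committed to HTTPS for every subdomain, since `includeSubDomains` plus a year-long `max-age` is, as the first answer notes, not something a browser will forget quickly.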