Force a user to HTTPS

Question

So I recently got my webserver to support HTTPS using the EFF's certbot

Currently, if you navigate to DotNetRussell.com or www.DotNetRussell.com, the browser will use HTTP by default.

How do you force a user to use HTTPS?

My server is a Raspberry Pi running the latest distro, and a LAMP stack that has been recently updated. The LAMP stack is running an updated wordpress site.

Most websites redirect an HTTP connection to an HTTPS connection with a 301 Moved Permanently HTTP response. Your browser will do the redirect for you and remember to always do the redirect. — sethmlarson, Sep 22 '16 at 13:40
Possible duplicate of [Should we force user to HTTPS on website?](http://security.stackexchange.com/questions/23646/should-we-force-user-to-https-on-website) — sethmlarson, Sep 22 '16 at 13:41
@SethMichaelLarson okay so I need to include a redirect in my index.php? — DotNetRussell, Sep 22 '16 at 13:41
Preferably you'd handle this redirect with your web server, which if you're using LAMP you would use Apache's redirect rules. — sethmlarson, Sep 22 '16 at 13:42
@SethMichaelLarson sounds like I have some more reading to do. Thank you. If you make this an answer I'll mark it — DotNetRussell, Sep 22 '16 at 13:43

score 8 · Answer 1 · edited Jun 16 '20 at 09:49

You should configure your web server, so that any HTTP requests result in an HTTP 301 redirect to the HTTPS equivalent URL.

However, this is still subject to MITM. For example, if an SSL Strip server can intercept the HTTP requests, then it could speak to your server in HTTPS, but the user is using insecure HTTP on their end

To prevent SSL Strip or similar MITM attacks, you should implement HSTS. This way, if the user connects one time to your site correctly (either with an untampered connection, or to an HTTPS url for your site), then the browser will automatically remember that all HTTP urls should be converted to HTTPS before attempting to connect to your site.

Note: Once this happens, the only way to get the browser to stop using HTTPS will be to clear browser cache, so do not implement HSTS if you expect to discontinue HTTPS for this site.

I do not know how to specifically acheive these on your particular webserver. I'm sure the Stack Overflow or Server Fault folks could help you.

Once HSTS is implemented, ideally you should get your HSTS domain pre-loaded in major browsers. This way, even if a user has never visited your site before, they will benefit from HSTS, even if their first visit is on an SSLStrip or other bad-guy network.

score 2 · Accepted Answer · edited May 23 '17 at 12:40

2

Most websites force HTTPS by redirecting all HTTP connections to their corresponding HTTPS equivalent using an HTTP 301 "Moved Permanently" response. This both redirects the current connection to HTTPS and all future connections as your browser will remember the 301 response and act accordingly. If you're using a LAMP stack you can do this redirect using Apache's redirect rules.

If you're looking for how to do this redirect, check out this answer on StackOverflow.

edited May 23 '17 at 12:40

Community

1

answered Sep 22 '16 at 13:46

sethmlarson

1,479
10
17

5

Don't forget [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) – John Wu Sep 22 '16 at 18:43
@AnthonyRussell If you have time you should accept the bottom answer, it is clearly superior. – sethmlarson Sep 23 '16 at 17:12

Force a user to HTTPS

2 Answers2

Linked