4

In doing some research regarding SSL, I came across this topic. One of the common suggestions was not to serve content over HTTP. What does that mean from a website development POV? Referencing things like stylesheets with a full https URL? Something else?

Community
  • 1
Major Productions
  • 215
  • 1
  • 5

2 Answers2

9

It means to always use the SSL layer when serving pages. Links don't need to be absolute, but traffic received on port 80 without SSL should be redirected to port 443 with SSL. The rest of the magic is in avoiding attacks where the user doesn't visit the SSL site first and the redirect is hijacked using something like SSLstrip. That is covered in this question: Options when defending against SSLstrip?

Community
  • 1
Jeff Ferland
  • 38,090
  • 9
  • 93
  • 171
  • Hmmm... I think my options may be a bit limited from a development POV. Client wants a small e-commerce site, but can only afford a shared hosting solution at the moment. I can't go under the hood and disable pure HTTP access. Thankfully, further research shows I can enable HSTS programatically, so that's a plus. – Major Productions Nov 08 '12 at 02:40
  • 1
    HSTS requires HTTPS and doesn't work on IE, only Firefox and Chrome. Also, even on shared hosting, SSL (HTTPS) is usually an option, just look around for different offers. – Matrix Nov 08 '12 at 08:32
  • 2
    @KevinM1 They can't afford a VPS for 15 dollars a month? – Polynomial Nov 08 '12 at 08:59
  • You can put in a 301 permanent redirect to the HTTPS site thereby disabling all HTTP access with a forced redirect? And in addition to what Matrix says, technically opera also supports HSTS and there is no harm in enabling it as long as everything on the domain is available over HTTPS and you are aware of the limitations. – ewanm89 Nov 08 '12 at 10:19
  • @Polynomial The client got scammed by her last developer/webmaster, so she's still trying to recover. I've been able to gain a portion of her trust by being straight with her (like I am with all my clients), but she's still very hesitant when it comes to expenses I suggest. I'm trying to meet her halfway. – Major Productions Nov 08 '12 at 12:29
5

It means that all content and resources should be served over HTTPS (not HTTP). Local scripts, stylesheets, and images should be referenced with a URL that will ultimately load the resource over HTTPS, not HTTP.

One way to achieve this is to make sure that all URLs are absolute and fully qualified, and start with https:.

Alternatively, you can continue to use relative URLs, as long as you verify they will ultimately resolve to a https: URL.

For example, suppose you have a page https://example.com/foo.html. Here are some examples of snippets that are OK / not OK to include in that page:

  • OK: <IMG SRC="https://example.com/pic.png">

  • OK: <IMG SRC="/pic.png">

  • OK: <IMG SRC="https://elsewhere.com/pic.png">

  • OK: <IMG SRC="//elsewhere.com/cats.png"> (this is a relative URL, which uses the same protocol as the containing page, but a different host)

  • Bad: <IMG SRC="http://example.com/pic.png">

  • OK: <IFRAME SRC="https://example.com/bar.html">

  • OK: <IFRAME SRC="https://elsewhere.com/blah.html">

  • OK: <SCRIPT SRC="https://example.com/jquery.js">

  • OK: <LINK HREF="https://example.com/mystyle.css">

  • Bad: <SCRIPT SRC="http://somewhere.com/jquery.js">

  • Bad: <SCRIPT SRC="https://somewhere.com/jquery.js"> (unless you also control somewhere.com)

  • Bad: <LINK HREF="http://somewhere.com/mystyle.css">

  • Bad: <IFRAME SRC="http://somewhere.com/blah.html">

I hope this makes sense.

D.W.
  • 98,420
  • 30
  • 267
  • 572