4

If a website is running on HTTPS only, is it reasonable to close port 80 of the web server and only leave port 443 open? Does this action provide more security for the website?

Adi
A.B.

1 Answer

7

Almost all sites leave port 80 open and have it issue a redirect to https://...

The reason for this is that if your site is https://mysite.com/ then most users will access the site by typing mysite.com and their browser will initially try http://mysite.com/. If you've closed port 80 then their request will fail.

The security merits of this have been discussed in this question. It is more secure to disable HTTP, but for most sites the reduction in usability is not worth it. HTTP Strict Transport Security is an option to consider.

paj28
  • Interesting. Wouldn't it make sense if browsers were redesigned to try `https` if `http` fails? – Cruncher Feb 19 '14 at 20:02
  • @Cruncher in that case it would, following the general principle of "turn off everything you don't need". But I can't see browsers making that change any time soon. – paj28 Feb 19 '14 at 20:24
  • Update, nearly 5 years on... I can now see browsers doing this some time soon. – paj28 Oct 11 '18 at 12:16
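
The redirect-only port 80 listener described in the answer, as an added Python example that is not part of the original post: it serves no content over plain HTTP and answers every request with a 301 to the HTTPS site. Assumptions: `mysite.com` (the answer's example name) is the canonical host, and the demo binds to a free loopback port rather than port 80; `RedirectOnly`, `start_listener` and `probe` are names made up for this sketch.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumption: the canonical host is fixed in configuration (name taken from the answer).
CANONICAL_HOST = "mysite.com"


class RedirectOnly(BaseHTTPRequestHandler):
    """Plain-HTTP listener that serves no content, only a redirect to HTTPS."""

    def _redirect(self):
        # Build the target from the fixed host, never from the request's Host
        # header, so a forged Host cannot steer the redirect to another site.
        path = self.path if self.path.startswith("/") else "/"
        self.send_response(301)
        self.send_header("Location", f"https://{CANONICAL_HOST}{path}")
        self.send_header("Content-Length", "0")
        self.end_headers()
        # No Strict-Transport-Security header here: browsers ignore HSTS
        # received over plain HTTP, so it belongs on the HTTPS responses.

    do_GET = do_HEAD = do_POST = _redirect

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_listener(port=0):
    """Bind on loopback (port 0 = any free port; a real deployment uses 80)."""
    server = ThreadingHTTPServer(("127.0.0.1", port), RedirectOnly)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(port, path="/", host_header=CANONICAL_HOST):
    """Send one plain-HTTP GET to the local listener; return (status, Location)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Host": host_header})
    resp = conn.getresponse()
    resp.read()
    result = (resp.status, resp.getheader("Location"))
    conn.close()
    return result


if __name__ == "__main__":
    srv = start_listener()
    print(probe(srv.server_address[1], "/login?next=/home"))
    print(probe(srv.server_address[1], "/", host_header="other.example"))
    srv.shutdown()
```

The first request a user makes over `http://` is still unprotected until the redirect arrives, which is the gap HTTP Strict Transport Security narrows for returning visitors.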