
Permanent HTTPS redirect or HTTP landing?

What is a better setup?

  1. Permanently redirect all HTTP traffic to HTTPS.
    • (+) browsers will remember "the right thing" in bookmarks, history and cache.
    • (-) not all wifi payment walls play nicely with HTTPS.
  2. Have both versions with absolute links to HTTPS.
    • (-) browsers will likely remember the wrong thing because people don't type https.
    • (-) authenticated areas need to be shielded (for plain auth).
    • (+) plays nicely with public wifi payment walls (only when people type http, but this is more likely now because browser remembers user typed http).

I strongly lean to solution 1, but only because it feels right. Is there an overwhelmingly convincing argument for one or the other? How do search engines and mobile devices respond to either setup?

I think the answer is "it depends". There are also important security practices to follow if you don't go this route.

If you want every page on your site to be encrypted and don't want to allow any unencrypted web traffic, then 1 is a better setup; or the "only" setup that will achieve your goal (also, send an HSTS header for all https responses).

I have several sites that unconditionally send a 301 header for all URLs accessed over http and don't encounter issues. In 2017, all WiFi hotspots protected by paywalls shouldn't have a problem with HTTPS sites once the user is authenticated with the hotspot.

If you don't want to or can't encrypt every page (reasons could include limited resources, a caching layer, or some pages won't benefit from encryption), then it's fine to only require HTTPS for certain resources (login forms, checkout, payment forms, account management etc). Bear in mind security practices (any page that has a form on it should be served over HTTPS to prevent tampering with the form, and that you should link forms to https links).

If you want to encourage use of https without explicitly forcing it, you could allow unencrypted access to site pages, but internally, link everything to https. So if a person comes in on an http page, all the links point to https so whatever they click will encrypt the session for future visits (note, if you send HSTS headers here, the browser will always use https going forward).

So personally, I'd go with #1 - force https all around.

Here are some useful places to start reading:
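As an added example (not code from the question or the answer above), here is the option-1 behaviour the answer recommends, expressed as small Python functions: the 301 the plain-HTTP listener should return, the HSTS value to send on https responses, and audit checks that flag the common mistakes (temporary redirects, redirects that drop the path or query, a missing or short-lived HSTS header, HSTS sent over http where browsers ignore it). Host names and sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; a common HSTS max-age


def https_redirect(host: str, path: str) -> tuple[int, dict[str, str]]:
    """Response the plain-HTTP listener returns under option 1: a permanent
    redirect to the same path and query on https, so deep links still work."""
    return 301, {"Location": f"https://{host}{path}"}


def hsts_header(max_age: int = ONE_YEAR, include_subdomains: bool = True) -> str:
    """Strict-Transport-Security value to send on every https response."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def audit_http(status: int, headers: dict[str, str], host: str, path: str) -> list[str]:
    """Findings for the response received on http://host/path."""
    findings = []
    if status not in (301, 308):
        findings.append(f"http status {status}: expected a permanent redirect (301/308)")
    loc = headers.get("Location", "")
    parts = urlsplit(loc)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    if parts.scheme != "https":
        findings.append(f"Location {loc!r} is not an https URL")
    elif parts.netloc != host:
        findings.append(f"redirect leaves the host: {parts.netloc!r}")
    elif target != path:
        findings.append(f"redirect drops path/query: {loc!r} vs {path!r}")
    if "Strict-Transport-Security" in headers:
        findings.append("HSTS sent over http: browsers ignore it there")
    return findings


def audit_https(status: int, headers: dict[str, str]) -> list[str]:
    """Findings for the https response: HSTS must be present with a sane max-age."""
    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        return ["no Strict-Transport-Security header on https response"]
    fields = [f.strip() for f in hsts.split(";") if f.strip()]
    max_age = next((int(f.split("=", 1)[1].strip('"')) for f in fields
                    if f.lower().startswith("max-age=")), None)
    if max_age is None:
        return ["HSTS header has no max-age directive"]
    if max_age < ONE_YEAR:
        return [f"HSTS max-age {max_age} is under one year"]
    return []


# Constructed sample responses (not captured from any real site)
SAMPLE_HTTP = https_redirect("example.com", "/login?next=%2Faccount")
SAMPLE_HTTPS = (200, {"Strict-Transport-Security": hsts_header()})
```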
