• @baatliwala
      link
      English
      321 year ago

      Funniest thing I’ve ever seen is the docs for Nginx do the same, no http to https redirection. I mean, you would hope that the maintainers for the biggest web server in the world would be able to manage that but somehow… No they don’t.

      • @[email protected]
        link
        fedilink
        English
        91 year ago

        server serves a protocol on a port. I would rather it not include logic like that. turn off the http port of you don’t want to serve http.

        • @[email protected]
          link
          fedilink
          English
          141 year ago

          HSTS + HTTPS redirect is the answer. It’s industry standard for a reason: it’s just as safe as pure HTTPS since you can’t get anything other than a redirect over HTTP, and HSTS protects your users from future attempted MITM attacks. The MDN page for HSTS explains it all very clearly.

          Any other implementation is an immediate audit fail in my experience.

          There’s no tangible security benefit to fully disabling port 80, and if anything depending on the service it may just drive users away to shadier alternatives.

        • @baatliwala
          link
          English
          101 year ago

          that would mean anyone going to http:// will perceive as the server being down so what you are saying will not work in practice

        • Lexi Sneptaur
          link
          fedilink
          English
          31 year ago

          So if this site has both HTTPS and HTTP versions, and it’s just Shakespeare, does it matter that much? I figure not which is why it’s not auto redirecting

      • @[email protected]
        link
        fedilink
        English
        141 year ago

        SSL (or TLS nowadays) not only protects against surveillance but also guarantees the integrity of the data you send and receive. Without it, someone could spoof the response you receive. In practice this means injecting ads or malware or even worse: fake shakespeare!

        • Flying Squid
          link
          English
          81 year ago

          According to some, all Shakespeare is fake Shakespeare.

        • @SocialMediaRefugee
          link
          English
          21 year ago

          It is brutal how few people know how to implement it and how apps all seem to have their own ways of doing it. I have to keep notes for the quirks of every damn app/OS I work with that uses SSL/TLS.

    • 👁️👄👁️
      link
      fedilink
      English
      8
      edit-2
      1 year ago

      If you are using Firefox, enable https everywhere setting and it fixes stuff like that

      It will only give an error if there’s no https version that exists

        • kamenLady.
          link
          English
          31 year ago

          They said to use the setting, nothing about extensions though.

    • @SocialMediaRefugee
      link
      English
      01 year ago

      Don’t you just need to toss an “.htaccess” file in the root?

      • John Richard
        link
        English
        -11 year ago

        No, an .htaccess file is specific to Apache HTTP Server… although some other web servers have integrated the format. However, most browsers now automatically redirect when an HTTPS version exists.