Secure first HTTP request

Question

I'm building Web site, and wondering how I can assure that it is secure if first request is made by HTTP. HSTS do this but partially.

I think not opening HTTP port solve this problem. But is this standard? My site is B to B, so SEO is not problem. Users directly access my addresses, but assume possible with HTTP. Any idea?

You could have another website open on port 80 that only redirects to the secure version of the website. — Dai, Sep 15 '15 at 23:19

Tom · Accepted Answer · 2015-09-17T18:51:18.687

Short answer :

Use HSTS Preload : https://hstspreload.appspot.com/
On https, always sent the HSTS header
On http, always sent a 301 redirect to https

It will protect your visitors even for the first visit thanks to the preload : browsers will know your domain must be contacted only with https even before the first contact (it will be in their source code, see https://github.com/ssllabs/research/wiki/Preload-Lists ).

(and of course, keep your 301 redirect http=>https)

Why closing the port 80 is not a good idea ? Let's see the two options :

Options with HSTS and the port 80 closed :

First visit on http://example.com : Nothing happens
subsequent visits on http://example.com : Nothing happens
First visit on https://example.com : User is secure and HSTS is kept
subsequent visits on http://example.com or https://example.com : User is secure (visits on http gets redirected thanks to HSTS)

In case of an attack :

First visit on http://example.com : Get hacked (the hacker can forge an answer even if your server doesn't respond)
subsequent visits on http://example.com : Get hacked too (the user can be tricked to click on an http link to your website)
First visit on https://example.com : User is secure
subsequent visits on http://example.com or https://example.com : User is secure (visits on http gets redirected thanks to HSTS)

Options with HSTS and the port 80 open :

First visit** on http://example.com : 301 redirect to https (and then gets HSTS)
subsequent visits on http://example.com : User is securely redirect to https (thanks to HSTS)
First visit on https://example.com : User is secure and HSTS is kept
subsequent visits on http://example.com or https://example.com : User is secure (visits on http gets redirected thanks to HSTS)

In case of an attack :

First visit on http://example.com : Get hacked
subsequent visits on http://example.com : User is securely redirect to https (thanks to HSTS)
First visit on https://example.com : User is secure and HSTS is kept
subsequent visits on http://example.com or https://example.com : User is secure (visits on http gets redirected thanks to HSTS)

As you can see, opening the port 80 to answer a 301 redirect to https can improve a little the security (and closing it will not improve it, and will probably confused your visitors)

I think that if I close 80 port, request body will not be sent. So secure. If I use redirect, the first request of the first visit will be exposed. — pandora2000, Sep 17 '15 at 07:01
I've detailed my answer. As you can see, if you close the port 80, the user will still be vulnerable on the first http visit (is his browsers doesn't have your website in his HSTS preload list), but worst, the next visits will be vulnerable. With a 301 redirect, if at least one request is not hacked, then the user will be secure and the hacked screwed ;) — Tom, Sep 17 '15 at 18:54

score -1 · Answer 2 · answered Sep 15 '15 at 23:19

-1

I would suggest a firewall redirect rule that changes http to https.

answered Sep 15 '15 at 23:19

John Wu

50,556
8
44
80

If your user types in `http://YourSite/login.aspx`, (s)he will be immediately redirected to `https://YourSite/login.aspx`. From that point if (s)he types in credentials they will be sent over SSL. – John Wu Sep 16 '15 at 00:11
I care about first request – pandora2000 Sep 17 '15 at 06:59
Are we talking about a web service here? In that case yes it is OK and not at all uncommon to close port 80. If you're talking about a web site, I do not understand what it is you think you are protecting. Do your users literally type sensitive information into the address bar, and you're worried they won't remember to use https? If that is the case I would revisit that design as it contains other security problems. – John Wu Sep 17 '15 at 14:40

Secure first HTTP request

2 Answers2