I have a web application running on AWS EC2 behind a load balancer which only listens for HTTPS requests on port 443, along with a security group which only allows traffic on port 443, so my application cannot be reached via HTTP (as far as I am aware).

The application has recently been pen tested which resulted in the recommendation to implement HSTS. From what I can see one of the requirements for implementing HSTS is to redirect ALL HTTP links to HTTPS with a 301 Permanent Redirect. Upon trying to do this through another listener on the load balancer redirecting traffic from port 80 to port 443 I get a warning that the security group attached "does not allow traffic on this listener port."

My question is: should I consider enabling HTTP traffic so that I can implement the permanent redirect and then implement HSTS, or am I better off leaving things the way they are? I'm inclined to think that because my load balancer does not allow HTTP traffic I'm better off leaving my current setup as is, but I'm not 100% sure. Can anyone explain which is the safer option and why? Thanks in advance.

President James K. Polk
FrostyOnion
  • Allowing HTTP would only weaken your security. From what I can see there is nothing about HSTS which requires you to ever enable HTTP. At the server side you're already doing the right thing by *only* enabling HTTPS. HSTS allows the server to tell the client to also *only* use HTTPS. It's the best you can do without writing your own custom web client. – President James K. Polk Oct 21 '20 at 00:38
  • There may be scenarios when it *is* advisable to enable an HTTP server on port 80 and use HSTS to redirect subsequent requests to HTTPS. If for some reason clients are attempting to connect with HTTP to port 80 then they are vulnerable, whether or not you are listening on port 80. This is because the man-in-the-middle can be listening on port 80 even if you aren't. The most likely reason clients may try to connect on port 80 is because you used to have an HTTP service, and clients still have bookmarks, old emails, etc. with the old HTTP URLs. In that case, it *may* be wise to open port 80. – President James K. Polk Oct 21 '20 at 00:51

1 Answer

It totally depends on whether you want to allow HTTP traffic and redirect it to HTTPS. For example, if it's a user-facing application then generally HTTP traffic is allowed at the gateway/load balancer and then redirected to HTTPS, as the end user shouldn't get any error when accessing it over HTTP. In this case the HSTS header plays an important role.

But if it's not an end-user-facing application and you know the consuming entity will always access it using HTTPS, then don't allow HTTP traffic. In that case you won't need to set the HSTS header.

Rushikesh