• baatliwala@lemmy.world
    link
    fedilink
    English
    arrow-up
    32
    ·
    1 year ago

    Funniest thing I’ve ever seen is the docs for Nginx do the same, no http to https redirection. I mean, you would hope that the maintainers for the biggest web server in the world would be able to manage that but somehow… No they don’t.

    • gatelike@feddit.de
      link
      fedilink
      English
      arrow-up
      9
      ·
      1 year ago

      server serves a protocol on a port. I would rather it not include logic like that. turn off the http port of you don’t want to serve http.

      • azertyfun@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        13
        ·
        1 year ago

        HSTS + HTTPS redirect is the answer. It’s industry standard for a reason: it’s just as safe as pure HTTPS since you can’t get anything other than a redirect over HTTP, and HSTS protects your users from future attempted MITM attacks. The MDN page for HSTS explains it all very clearly.

        Any other implementation is an immediate audit fail in my experience.

        There’s no tangible security benefit to fully disabling port 80, and if anything depending on the service it may just drive users away to shadier alternatives.

      • baatliwala@lemmy.world
        link
        fedilink
        English
        arrow-up
        11
        arrow-down
        2
        ·
        1 year ago

        that would mean anyone going to http:// will perceive as the server being down so what you are saying will not work in practice