Disadvantages for redirect all HTTP requests to HTTPS

Hi all,

I have applied DigiCert Certificate on our web servers.  On some of our websites the https applied properly with green locker next to the URL.  However, on some others it doesn't, which i don't know why.  consiquently i had to apply the following redirection script to force the HTTPS:

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

This works, but still i have to have port 80 open too.
I there any disadvantages of using this script above to force 443? Shall i keep it or it is better fix the root of the problem?

Thanks
rawandnetAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dave BaldwinFixer of ProblemsCommented:
You almost always need that script because there links out there that do not include the 'HTTPS', just 'HTTP'.  I have that on all of my sites that use 'HTTPS'.  It's the only way to force links from other sites to use the correct protocol.  Or even your own internal links.
0
kenfcampCommented:
On some of our websites the https applied properly with green locker next to the URL.  However, on some others it doesn't, which i don't know why.

This is generally due to an linked item on the page with a source url using "http".  These URLs will need to be changed to "https"
0
rawandnetAuthor Commented:
In response to Dave answer, if all setting are correct, there the page will be redirected to port 443 automatically if configured under ssl.conf file.  There is no need for redirect script.

Would you say there is no harm in term so Scurity or other askpect if I use redirect script, while still have both port open?
0
The Five Tenets of the Most Secure Backup

Data loss can hit a business in any number of ways. In reality, companies should expect to lose data at some point. The challenge is having a plan to recover from such an event.

kenfcampCommented:
None, you'll be fine
0
kenfcampCommented:
You'll need port 80 open and configured with the redirects regardless. There are people who type "http://www.somesite.com".
0
skullnobrainsCommented:
http is less secure than https because the data that transits is plain text. it is a ( likely minor ) problem if folks send authentication information or post sensitive data on the http port. if they just type in http://www.whatever.tld in their browser and get redirected, it could hardly matter less.

assuming both http and https ports are redirected to the same web server running on the same server, opening an extra port hardly makes a difference either, and as stated above, you'll always have bookmarks from existing users, old cached web searches, and typo errors sending people to the http variant.

nevertheless, you may want to track the referrals of whatever arrives on the https port so you can at least fix your own links. this will also prevent triggering browser XSS securities in some cases ( ex: you use scripts to query data  using http from an https page and they get identified as coming from a different domain ). this should be feasible without much hassle using your access logs.
0
Dave BaldwinFixer of ProblemsCommented:
I have 7 sites using HTTPS and the redirect is required on all of them.  There isn't any automatic redirect because you have SSL/TLS installed.
1
Anthony GarciaDevops StaffCommented:
One thing that might help is using CSP reports. This can help you find errors like mixed content errors. If you have a page that is https, but there is a link in the content of your page that is http you will receive a mixed content error and not get the green lock. With CSP reporting implemented you can find which pages are doing this. You can also automatically upgrade all requests to https using this method.

https://scotthelme.co.uk/migrating-from-http-to-https-ease-the-pain-with-csp-and-hsts/
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
rawandnetAuthor Commented:
Thanks you all
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SSL / HTTPS

From novice to tech pro — start learning today.