Disadvantages of redirecting all HTTP requests to HTTPS

Hi all,

I have applied a DigiCert certificate on our web servers. On some of our websites HTTPS applied properly, with the green locker next to the URL. However, on some others it doesn't, and I don't know why. Consequently, I had to apply the following redirection script to force HTTPS:

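RewriteEngine On
# Match only requests that did not arrive over TLS
RewriteCond %{HTTPS} !on
# Redirect to the same host and path over HTTPS, then stop processing further rules
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]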

This works, but I still have to have port 80 open too.
Are there any disadvantages to using the script above to force 443? Shall I keep it, or is it better to fix the root of the problem?

Anthony Garcia (Devops Staff) commented:
One thing that might help is using CSP reports. This can help you find errors like mixed content errors. If you have a page that is https, but there is a link in the content of your page that is http you will receive a mixed content error and not get the green lock. With CSP reporting implemented you can find which pages are doing this. You can also automatically upgrade all requests to https using this method.

Dave Baldwin (Fixer of Problems) commented:
You almost always need that script because there are links out there that do not include the 'HTTPS', just 'HTTP'.  I have that on all of my sites that use 'HTTPS'.  It's the only way to force links from other sites to use the correct protocol.  Or even your own internal links.
"On some of our websites the https applied properly with green locker next to the URL.  However, on some others it doesn't, which I don't know why."

This is generally due to a linked item on the page with a source URL using "http".  These URLs will need to be changed to "https".

rawandnet (Author) commented:
In response to Dave's answer, if all settings are correct, the page will be redirected to port 443 automatically if configured under the ssl.conf file.  There is no need for a redirect script.

Would you say there is no harm in terms of security or other aspects if I use the redirect script, while still having both ports open?
None, you'll be fine.
You'll need port 80 open and configured with the redirects regardless. There are people who type "http://www.somesite.com".
HTTP is less secure than HTTPS because the data that transits is plain text. It is a (likely minor) problem if folks send authentication information or post sensitive data on the HTTP port. If they just type in http://www.whatever.tld in their browser and get redirected, it could hardly matter less.

Assuming both HTTP and HTTPS ports are redirected to the same web server running on the same server, opening an extra port hardly makes a difference either, and as stated above, you'll always have bookmarks from existing users, old cached web searches, and typo errors sending people to the HTTP variant.

Nevertheless, you may want to track the referrals of whatever arrives on the HTTPS port so you can at least fix your own links. This will also prevent triggering browser XSS securities in some cases (ex: you use scripts to query data using HTTP from an HTTPS page and they get identified as coming from a different domain). This should be feasible without much hassle using your access logs.
Dave Baldwin (Fixer of Problems) commented:
I have 7 sites using HTTPS and the redirect is required on all of them.  There isn't any automatic redirect because you have SSL/TLS installed.
rawandnet (Author) commented:
Thank you all
Question has a verified solution.
