Is it bad to redirect http to https?
The [R] flag on its own is a 302 redirection (Moved Temporarily). If you really want people using the HTTPS version of your site (hint: you do), then you should be using [R=301] for a permanent redirect:
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]
A 301 keeps all your google-fu and hard-earned pageranks intact. Make sure mod_rewrite is enabled:
a2enmod rewrite
To answer your exact question:
Is it bad to redirect http to https?
Hell no. It's very good.
Whilst I support the idea of SSL only sites, I would say one drawback is overheads depending on your site design. I mean for example if you are serving lots of individual images in img tags, this could cause your site to run a lot slower. I would advise anyone using SSL only servers to make sure they work on the following.
- Check the entire site for internal links and ensure they are all using HTTPS if you specify your own domain name in links, so you are not causing your own redirects.
- Update your <meta property="og:url" to use the https version of your domain.
- If you use <base href= again update to use HTTPS.
- Install SPDY protocol if possible
- Make sure to use CSS Image sprites where possible, to reduce the number of requests.
- Update your sitemaps to indicate https status, so spiders over time learn this change.
- Change Search Engine preferences like Google Webmaster Tools to prefer HTTPS
- Where possible off-load any static media to HTTPS CDN servers.
If the above is addressed, then I doubt you will have many issues.
If you've set up https then you should use it everywhere on the site. You will avoid the risk of mixed content issues and if you have the required tools in place, why not make the entire site secure?
Regarding redirection from http to https the answer is not that simple.
Redirecting will make it a lot easier for your users, they just type in whateversite.com and get redirected to https.
But. What if the user is sometimes on an unsecure network (or is close to Troy Hunt and his Pineapple)? Then the user will request http://whateversite.com out of old habit. That is http. That can be compromised. The redirect could point to https://whateversite.com.some.infrastructure.long.strange.url.hacker.org. To an ordinary user it would look quite legit. But the traffic can be intercepted.
So we have two competing requirements here: To be user friendly and be secure. Fortunately, there is a remedy called the HSTS header. With it you can enable the redirect. The browser will move over to the secure site, but thanks to the HSTS header also remember it. When the user types in whateversite.com sitting on that unsecure network, the browser will go to https right away, without jumping through the redirect over http. Unless you deal with very sensitive data, I think that's a fair tradeoff between security and usability for most sites. (When I recently set up an application handling medical records I went all https without a redirect). Unfortunately Internet Explorer has no support for HSTS (source), so if your target audience is mostly using IE and the data is sensitive you might want to disable redirects.
So if you're not targeting IE users, go ahead and use redirect, but enable the HSTS header as well.
There's nothing wrong with this, and in fact it's best practice (for sites that should be served over a secure connection). In fact, what you're doing is pretty similar to the configuration I'm using:
<VirtualHost 10.2.3.40:80>
ServerAdmin [email protected]
ServerName secure.example.com
RedirectMatch 301 (.*) https://secure.example.com$1
</VirtualHost>
# Insert 10.2.3.40:443 virtual host here :)
The 301 status code indicates a permanent redirect, instructing capable clients to use the secure URL for future connections (e.g. update the bookmark).
If you'll only be serving the site over TLS/SSL, I'd recommend a further directive to enable HTTP Strict Transport Security (HSTS) in your secure virtual host:
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=1234; includeSubdomains"
</IfModule>
This header instructs capable clients (most of them these days, I believe) that they should only use HTTPS with the provided domain (secure.example.com, in this case) for the next 1234 seconds. The ; includeSubdomains portion is optional and indicates that the directive applies not just to the current domain, but any under it (e.g. alpha.secure.example.com). Note that the HSTS header is only accepted by browsers when served over an SSL/TLS connection!
To test your server configuration against current best practice, a good free resource is Qualys' SSL Server Test service; I'd be aiming to score at least an A- (you can't get more than that with Apache 2.2 due to the lack of support for elliptic curve cryptography).
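The two properties the answers above care about, a permanent redirect that stays on your own host (the rogue-redirect scenario) and an HSTS header with a sensible max-age, can be checked offline against captured response headers. The following is an added example, not code from any of the answers or from Apache; the sample responses, the host names and the 180-day minimum max-age are constructed assumptions.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; directive names are case-insensitive (RFC 6797)."""
    result = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
    return result

def check_redirect(request_host, status, headers):
    """Problems with a plain-HTTP response that should send the client to HTTPS."""
    problems = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status not in (301, 308):
        problems.append(f"status {status} is not a permanent redirect (301/308)")
    location = hdrs.get("location")
    if location is None:
        return problems + ["no Location header"]
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"redirect target is not https: {location}")
    # The host must stay the same: a redirect to a look-alike domain is the
    # rogue-redirect case described in the answers above.
    if target.hostname != request_host.lower():
        problems.append(f"redirect leaves the origin host: {target.hostname}")
    return problems

def check_hsts(headers, min_age=15552000):
    """Problems with HSTS on the HTTPS response; min_age (assumed) defaults to 180 days."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    value = hdrs.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    hsts = parse_hsts(value)
    if hsts["max_age"] is None:
        return ["HSTS header has no valid max-age"]
    if hsts["max_age"] < min_age:
        return [f"HSTS max-age {hsts['max_age']} is below {min_age} seconds"]
    return []

# Constructed sample responses, not captured from any real server.
GOOD_HTTP = (301, {"Location": "https://secure.example.com/"})
LOOKALIKE_HTTP = (302, {"Location": "https://secure.example.com.attacker.invalid/"})
GOOD_HTTPS = {"Strict-Transport-Security": "max-age=31536000; includeSubdomains"}
SHORT_HTTPS = {"Strict-Transport-Security": "max-age=1234; includeSubdomains"}
```

Feed it the status and headers from a real `curl -I http://yourhost/` and `curl -I https://yourhost/` to check a live server; the 1234-second example above would be flagged as too short.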