Redirect from http://example.org to https://www.example.org directly or not?
Simply: Should I redirect
http://example.org -> https://www.example.org
http://example.org -> https://example.org -> https://www.example.org
http://example.org -> http://www.example.org -> https://www.example.org
Does it matter? I'm using HSTS.
Solution 1:
You should use the minimum number of redirects as much as possible.
However when using HSTS do:
http://example.org -> https://example.org -> https://www.example.org
It’s important to note that the HSTS policy only applies for the host (domain) that sends the Strict-Transport-Security header. If https://example.org sends the header, the policy applies only to example.org, not to www.example.org. Thus access to www.example.org will not result in a secure redirect to HTTPS; it will merely hit the server side redirect, if configured, which is not secure.
That is, https://example.org and https://www.example.org do not set HSTS for each other.
This question is answered from the perspective of avoiding redirects while still respecting HSTS security when redirecting cross-domain.
Solution 2:
Generally, I would say use as few redirects as possible, but depending on your HSTS policy, the second option (where you first go to the same domain name with HTTPS: http://example.org -> https://example.org -> https://www.example.org) may be the appropriate option.
The reasoning here is that you really want clients to stop making that initial hijackable HTTP connection, as that's the whole point of HSTS.
However, if you send them cross-domain when you redirect them to HTTPS, they will only get an HSTS entry for the domain of the redirect target; they will still happily make more HTTP connections for the original domain (and get redirected each time), leaving them vulnerable to hijacking each time they do HTTP.
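Both answers rest on the same mechanism: a browser records an HSTS entry only for the host that served the Strict-Transport-Security header over HTTPS, so the shape of the redirect chain decides whether the next visit still opens with a plaintext request. The following is an added example, not code from either answer: a small HSTS-aware client that follows each of the three chains from the question and counts the http:// requests that actually reach the network on a first and a second visit. The hostnames are the question's example.org and www.example.org; the route table and client are constructed for illustration, and the includeSubDomains directive is deliberately not modelled.

```python
from urllib.parse import urlsplit

# Constructed route tables for the three chains in the question (added example).
# Each entry maps (scheme, host) -> (action, redirect_target, sends_hsts_header).
# Only HTTPS responses are allowed to set an HSTS entry, as browsers require.

def chain_direct():
    """Option 1: http://example.org -> https://www.example.org (cross-domain in one hop)."""
    return {
        ("http", "example.org"): ("redirect", "https://www.example.org/", False),
        ("https", "example.org"): ("redirect", "https://www.example.org/", True),
        ("http", "www.example.org"): ("redirect", "https://www.example.org/", False),
        ("https", "www.example.org"): ("ok", None, True),
    }

def chain_https_first():
    """Option 2: http://example.org -> https://example.org -> https://www.example.org."""
    return {
        ("http", "example.org"): ("redirect", "https://example.org/", False),
        ("https", "example.org"): ("redirect", "https://www.example.org/", True),
        ("http", "www.example.org"): ("redirect", "https://www.example.org/", False),
        ("https", "www.example.org"): ("ok", None, True),
    }

def chain_www_first():
    """Option 3: http://example.org -> http://www.example.org -> https://www.example.org."""
    return {
        ("http", "example.org"): ("redirect", "http://www.example.org/", False),
        ("https", "example.org"): ("redirect", "https://www.example.org/", True),
        ("http", "www.example.org"): ("redirect", "https://www.example.org/", False),
        ("https", "www.example.org"): ("ok", None, True),
    }

class Client:
    """Minimal HSTS-aware client: remembers hosts that sent the header over HTTPS and
    rewrites later http:// requests to those hosts to https:// before any network traffic."""

    def __init__(self, routes):
        self.routes = routes
        self.hsts_hosts = set()

    def visit(self, url, max_hops=10):
        """Follow redirects from url; return the plaintext http:// URLs sent over the network."""
        insecure = []
        for _ in range(max_hops):
            parts = urlsplit(url)
            scheme, host = parts.scheme, parts.hostname
            if scheme == "http" and host in self.hsts_hosts:
                # Internal HSTS upgrade: the browser never emits the plaintext request.
                scheme, url = "https", f"https://{host}{parts.path or '/'}"
            if scheme == "http":
                insecure.append(url)
            action, target, sends_hsts = self.routes[(scheme, host)]
            if scheme == "https" and sends_hsts:
                self.hsts_hosts.add(host)  # entry is scoped to this exact host
            if action == "ok":
                return insecure
            url = target
        raise RuntimeError("redirect loop")

def insecure_requests_per_visit(routes, start="http://example.org/", visits=2):
    """Number of plaintext requests a fresh client makes on each successive visit to start."""
    client = Client(routes)
    return [len(client.visit(start)) for _ in range(visits)]

if __name__ == "__main__":
    for name, routes in [("direct", chain_direct()),
                         ("https first", chain_https_first()),
                         ("www first", chain_www_first())]:
        print(f"{name:12s} plaintext requests per visit: {insecure_requests_per_visit(routes)}")
```

Running it shows the direct chain still costs one plaintext request on every visit, because only www.example.org ever receives an HSTS entry; the HTTPS-first chain drops to zero plaintext requests from the second visit on, since https://example.org got to send its own header before handing off to www; and the www-first chain is the worst of the three, with two plaintext hops initially and one on every later visit.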