How to enforce HTTPS on your web application

Enforcing HTTPS is a lot harder than most people make it seem

So, lemme break this down into the 7 (yes 7!) different things you are gonna need to have configured to meet the requirement in the top paragraph:

  1. create the unencrypted “origin” service
  2. create a load balancer, CDN or other service to answer inbound encrypted requests.  If you are going to do this all on one server, it’s harder to get this all right.
  3. create a valid certificate for the encrypted endpoint, whether that’s on an origin server, load balancer, CDN, etc.
  4. redirect requests from port 80 to 443, preferably at a load balancer.  If you do this on a server, make sure that you are redirecting all inbound HTTP to HTTPS.
  5. if you are using a load balancer or CDN, make sure that you firewall the origin server or service so that clients can’t connect directly to it and bypass the control.
  6. check that all links (especially external links!) in your app or website are using HTTPS (i.e., https://cdn.google.com/images/profile_pic.jpg)
  7. enable HSTS, which will *enforce* the “https://” part, which means that if you haven’t ticked the box in #5 above you will get an HTTP error

See, not so easy!  Unfortunately, many security frameworks gloss over this complexity so the people actually implementing the control aren’t aware of how complex it is to “serve HTTPS exclusively”.
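Because the checklist above is only done when every one of the seven items holds at the same time, it helps to have something that verifies the observable end-state rather than trusting that each box was ticked. The script below is an added example, not code from the original post or from SecureStack: it audits steps 3 through 7 from the outside (certificate validity, the port-80 redirect, whether the origin still accepts direct connections, http:// links in the returned page, and the HSTS header). The hostnames, IP addresses, and the one-year HSTS minimum are assumptions chosen for illustration, and the origin check only means something when it is run from a machine that is not on the load balancer's or CDN's allow-list.

```python
# Added example (not from the original post): an audit of the observable end-state
# of the HTTPS-enforcement checklist. Hostnames, IPs and the HSTS threshold are
# assumptions for illustration.
import http.client
import re
import socket
import ssl
import sys
from urllib.parse import urlsplit

HSTS_MIN_AGE = 31536000  # one year; assumed threshold (what HSTS preload lists expect)


def _lower(headers):
    """Normalise header names so lookups are case-insensitive."""
    return {k.lower(): v for k, v in headers.items()}


def check_redirect(status, headers, host):
    """Step 4: a plain-HTTP request must get a permanent redirect to https:// on the same host."""
    if status not in (301, 308):
        return False, f"expected 301/308 from port 80, got {status}"
    location = _lower(headers).get("location", "")
    parts = urlsplit(location)
    if parts.scheme != "https" or parts.hostname != host:
        return False, f"Location does not point at https://{host}: {location!r}"
    return True, "ok"


def check_hsts(headers):
    """Step 7: the HTTPS response must carry Strict-Transport-Security with a long max-age."""
    value = _lower(headers).get("strict-transport-security")
    if value is None:
        return False, "no Strict-Transport-Security header"
    match = re.search(r"max-age=(\d+)", value, re.I)
    if not match:
        return False, f"HSTS header has no max-age: {value!r}"
    age = int(match.group(1))
    if age < HSTS_MIN_AGE:
        return False, f"HSTS max-age {age} is below {HSTS_MIN_AGE}"
    return True, "ok"


def find_insecure_links(html):
    """Step 6: every http:// URL in a src/href attribute is a mixed-content candidate."""
    pattern = r"""(?:src|href)\s*=\s*["'](http://[^"']+)["']"""
    return sorted(set(re.findall(pattern, html, re.I)))


def check_origin_exposed(origin_ip, port=80, timeout=2.0):
    """Step 5: the unencrypted origin must refuse direct connections that bypass the CDN/LB.
    Returns (exposed, detail). Run from a host that is NOT on the origin's allow-list."""
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout):
            return True, f"{origin_ip}:{port} accepted a direct connection"
    except OSError as exc:
        return False, f"{origin_ip}:{port} unreachable ({exc.__class__.__name__})"


def check_certificate(host, port=443):
    """Step 3: the certificate must chain to a trusted root and match the hostname."""
    context = ssl.create_default_context()  # verifies the chain and hostname by default
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with context.wrap_socket(sock, server_hostname=host):
                return True, "certificate is trusted and matches the hostname"
    except (ssl.SSLError, OSError) as exc:
        return False, f"TLS handshake to {host}:{port} failed: {exc}"


def live_audit(host, origin_ip=None):
    """Run the network-backed checks against a real deployment and collect the results."""
    results = {}
    conn = http.client.HTTPConnection(host, 80, timeout=5)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    results["redirect"] = check_redirect(resp.status, dict(resp.getheaders()), host)
    conn.close()

    results["certificate"] = check_certificate(host)
    if results["certificate"][0]:
        sconn = http.client.HTTPSConnection(host, 443, timeout=5)
        sconn.request("GET", "/", headers={"Host": host})
        sresp = sconn.getresponse()
        headers = dict(sresp.getheaders())
        body = sresp.read().decode("utf-8", errors="replace")
        sconn.close()
        results["hsts"] = check_hsts(headers)
        links = find_insecure_links(body)
        results["mixed_content"] = (not links, links or "no http:// links found")
    if origin_ip:
        exposed, detail = check_origin_exposed(origin_ip)
        results["origin_firewalled"] = (not exposed, detail)
    return results


if __name__ == "__main__":
    # usage: python https_audit.py www.example.com [origin-ip]   (assumed file name)
    target = sys.argv[1]
    origin = sys.argv[2] if len(sys.argv) > 2 else None
    for name, (passed, detail) in live_audit(target, origin).items():
        print(f"{'PASS' if passed else 'FAIL'} {name}: {detail}")
```

The individual checks take plain status codes, header dictionaries and HTML so they can be exercised on captured responses without touching the network; `live_audit` wires them to real connections. A FAIL on `redirect` or `hsts` usually means step 4 or 7 is only done on the origin and not on the load balancer that actually answers the client, which is exactly the gap the post warns about.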

 


Paul McCarty

Founder of SecureStack

DevSecOps evangelist, entrepreneur, father of 3 and snowboarder
