Enforcing HTTPS is a lot harder than most people make it seem
So, lemme break this down into the 7 (yes 7!) different things you are gonna need to have configured to meet the requirement in the top paragraph:
- create the unencrypted “origin” service
- create a load balancer, CDN or other service to answer inbound encrypted requests. If you are going to do this all on one server it’s harder to get this all right.
- create a valid certificate for the encrypted endpoint whether that’s on an origin server, load-balancer, CDN, etc
- redirect requests from port 80 to 443 preferably at a load-balancer. If you do this on a server, make sure that you are redirecting all inbound HTTP to HTTPS.
- if you are using a load-balancer or CDN make sure that you firewall the origin server or service so that clients can’t connect directly to it and bypass the control.
- check that all links (especially external links!) in your app or website are using HTTPS (i.e., https://cdn.google.com/images/profile_pic.jpg)
- enable HSTS, which *enforces* the “https://” part, so if you haven’t ticked the box in #5 above you will get an HTTP error
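Steps 4, 6 and 7 above are the ones a browser can observe from the outside, so they are also the ones you can verify. The following is an added example (not from the original post) of an offline checker for those three controls: it takes captured HTTP responses, here constructed inline for a hypothetical `example.com`, and reports which items on the list are not done. `MIN_HSTS_MAX_AGE` is a policy choice of this example, set to the one-year floor the hstspreload.org service asks for.

```python
"""Offline checker for three of the HTTPS-enforcement steps: redirect, links, HSTS.

Added example, not code from the original post. It evaluates captured
responses rather than fetching anything from the network.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit

MIN_HSTS_MAX_AGE = 31536000  # one year; policy choice for this example


@dataclass
class Response:
    """A captured HTTP response; the samples below are constructed, not real."""
    url: str
    status: int
    headers: dict
    body: str = ""

    def header(self, name):
        # HTTP header names are case-insensitive, so match on lower-case form
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def check_redirect(http_resp):
    """Step 4: a plain-HTTP request must be permanently redirected to the same host over HTTPS."""
    if http_resp.status not in (301, 308):
        return [f"port 80 answered {http_resp.status}; expected a permanent redirect (301 or 308)"]
    location = http_resp.header("Location")
    if not location:
        return ["redirect without a Location header"]
    findings = []
    src, dst = urlsplit(http_resp.url), urlsplit(location)
    if dst.scheme != "https":
        findings.append(f"redirect target is not https: {location}")
    if dst.hostname != src.hostname:
        # If the http host never answers over https, the browser never stores HSTS for it
        findings.append(f"redirect changes host ({src.hostname} -> {dst.hostname})")
    if dst.path != src.path:
        findings.append(f"redirect drops the path ({src.path} -> {dst.path})")
    return findings


def check_hsts(https_resp):
    """Step 7: the HTTPS response must carry Strict-Transport-Security with a long max-age."""
    if urlsplit(https_resp.url).scheme != "https":
        # RFC 6797 section 8.1: clients ignore HSTS received over plain HTTP
        return ["HSTS can only be evaluated on an HTTPS response"]
    value = https_resp.header("Strict-Transport-Security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        directives[name.lower()] = arg.strip().strip('"')
    findings = []
    if not directives.get("max-age", "").isdigit():
        findings.append(f"HSTS max-age missing or malformed: {value!r}")
    elif int(directives["max-age"]) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {directives['max-age']} is below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains (recommended once every subdomain serves HTTPS)")
    return findings


class _LinkCollector(HTMLParser):
    """Collects href/src/action attribute values from an HTML document."""
    URL_ATTRS = {"href", "src", "action"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                self.urls.append(value)


def check_links(https_resp):
    """Step 6: no link, script, image or form may reference a plain-http URL."""
    collector = _LinkCollector()
    collector.feed(https_resp.body)
    # Relative and protocol-relative ("//cdn...") references inherit https and are fine
    return [f"insecure reference: {u}" for u in collector.urls if urlsplit(u).scheme == "http"]


def audit(http_resp, https_resp):
    return {"redirect": check_redirect(http_resp),
            "hsts": check_hsts(https_resp),
            "links": check_links(https_resp)}


# Constructed sample captures. GOOD_* has every checked step done.
GOOD_HTTP = Response("http://example.com/", 301, {"Location": "https://example.com/"})
GOOD_HTTPS = Response(
    "https://example.com/", 200,
    {"Strict-Transport-Security": "max-age=31536000; includeSubDomains", "Content-Type": "text/html"},
    '<html><body><img src="https://cdn.example.com/logo.png"><a href="/about">About</a></body></html>')
# BAD_*: port 80 serves content directly, HSTS is short, one image is mixed content.
BAD_HTTP = Response("http://example.com/", 200, {"Content-Type": "text/html"}, "<html></html>")
BAD_HTTPS = Response(
    "https://example.com/", 200, {"strict-transport-security": "max-age=300"},
    '<html><body><img src="http://cdn.example.com/logo.png">'
    '<script src="//cdn.example.com/app.js"></script></body></html>')

if __name__ == "__main__":
    for label, pair in (("good", (GOOD_HTTP, GOOD_HTTPS)), ("bad", (BAD_HTTP, BAD_HTTPS))):
        print(label, audit(*pair))
```

Run it against real captures by building `Response` objects from your HTTP client of choice; the redirect check is the one that also tells you whether step 5 is done, because an origin that is reachable directly on port 80 will answer `200` instead of redirecting.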
See, not so easy! Unfortunately, many security frameworks gloss over this complexity so the people actually implementing the control aren’t aware of how complex it is to “serve HTTPS exclusively”.