Enforcing HTTPS is a lot harder than most people make it seem
So, let me break this down into the 7 (yes 7!) different things you are going to need to have configured to meet the requirement in the top paragraph:
- create the unencrypted "origin" service
- create a load balancer, CDN or other service to answer inbound encrypted requests. If you are going to do all of this on one server, it's harder to get right.
- create a valid certificate for the encrypted endpoint, whether that's on an origin server, load balancer, CDN, etc.
- redirect requests from port 80 to 443, preferably at the load balancer. If you do this on the server itself, make sure that you are redirecting all inbound HTTP to HTTPS.
- if you are using a load balancer or CDN, firewall the origin server or service so that clients can't connect directly to it and bypass the control.
- check that all links (especially external links!) in your app or website use HTTPS (e.g., https://cdn.google.com/images/profile_pic.jpg)
- enable HSTS, which will *enforce* the "https://" part, which means that if you haven't ticked the box in #5 above you will get an HTTP error
See, not so easy! Unfortunately, many security frameworks gloss over this complexity, so the people actually implementing the control aren't aware of how complex it is to "serve HTTPS exclusively".
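As an added example (not from the original post or SecureStack), here is a small Python audit that applies the redirect, origin-firewall, link and HSTS checks from the list above to constructed HTTP and HTTPS responses. The host name, the header values, the one-year HSTS bar and the `origin_reachable` flag are assumptions; in a real audit the responses would come from requests to the site and to the origin address.

```python
import re
from dataclasses import dataclass

@dataclass
class Response:
    """Constructed stand-in for an HTTP response; no network is used here."""
    status: int
    headers: dict
    body: str = ""

# http:// URLs in src/href/action attributes become mixed content once HSTS is on
MIXED = re.compile(r"""(?:src|href|action)\s*=\s*["']?(http://[^"'\s>]+)""", re.I)

def check_redirect(http_resp: Response, host: str) -> bool:
    """Port 80 must answer with a redirect to https:// on the same host."""
    loc = http_resp.headers.get("Location", "").lower()
    return http_resp.status in (301, 302, 307, 308) and loc.startswith(f"https://{host}")

def check_hsts(https_resp: Response, min_age: int = 31536000) -> bool:
    """HSTS header present with a max-age of at least one year (assumed bar)."""
    hsts = https_resp.headers.get("Strict-Transport-Security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    return m is not None and int(m.group(1)) >= min_age

def find_mixed_content(https_resp: Response) -> list:
    """Every http:// asset or link the HTTPS page would load or point to."""
    return MIXED.findall(https_resp.body)

def audit(http_resp, https_resp, host, origin_reachable):
    """origin_reachable: whether a direct connection to the origin (bypassing the LB/CDN) succeeded."""
    findings = []
    if not check_redirect(http_resp, host):
        findings.append("port 80 does not redirect to HTTPS on " + host)
    if origin_reachable:
        findings.append("origin reachable directly; firewall it to the LB/CDN")
    for url in find_mixed_content(https_resp):
        findings.append("mixed content: " + url)
    if not check_hsts(https_resp):
        findings.append("HSTS missing or max-age below one year")
    return findings

# Constructed sample responses for an assumed host www.example.com
HOST = "www.example.com"
WEAK_HTTP = Response(200, {}, "<html>served in the clear</html>")
WEAK_HTTPS = Response(200, {"Strict-Transport-Security": "max-age=300"},
                      '<img src="http://cdn.example.com/logo.png">')
GOOD_HTTP = Response(301, {"Location": "https://www.example.com/"})
GOOD_HTTPS = Response(200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                      '<img src="https://cdn.example.com/logo.png">')
```

`audit(WEAK_HTTP, WEAK_HTTPS, HOST, True)` returns four findings, one per failed control, while the good pair returns an empty list.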
Paul McCarty
Founder of SecureStack
DevSecOps evangelist, entrepreneur, father of 3 and snowboarder