Ad

What Is The Advantage Of 2-redirect HSTS Instead Of 1-redirect HSTS

- 1 answer

https://hstspreload.org/ suggests that there should be 2 redirects with :

  1. http://yourdomain.com to https://yourdomain.com

  2. https://yourdomain.com to https://www.yourdomain.com

I implemented the 2 redirect solution using below code in .htaccess file :

RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

But I am wondering about losing advantage of this single redirect rule that I was using earlier :

RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R=301,L]

So now I am confused, should I use the 2 redirects implementation for forcing https over the single redirect solution?

What are the pros and cons of using single vs double redirect for security and SEO.

Also I have already added HSTS header using this in .htaccess:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

So should I need to submit to HSTS preload list to have HSTS implementation or adding the above headers is enough?

Ad

Answer

If you go direct in one step:

http://example.com => https://www.example.com

Then you will never pick up the HSTS policy for https://example.com as you never visited that bare domain over https. This is because example.com is common to use (and which would default to http://) but https://example.com is rare for www sites to use.

This has two issues:

  1. It’s less secure as only your www domain is protected. If an attacker managed to MITM traffic on http://example.com then they could overwrite cookies on https://www.example.com for example.
  2. It is more dangerous to preload a domain if the HSTS policy has not been widely used on the bare domain, because you might think everything is working and then preload and then discover a site that does not work over HTTPS (e.g. http://blog.example.com or http://intranet.example.com or even http://dev.example.com) and it is very difficult (basically impossible?) to revert preload (which is the main reason I don’t like and don’t recommend it except for high profile sites).

So recommendation is to do this double redirect to have a better chance to pick up this domain. This is especially true for users who use your bare domain rather than using your preferred www version.

An alternative to the double redirect would be to load a resource from the bare domain in your home page. For example:

<img src=“https://example.com/1pixel.png”>

This will ensure the HSTS policy for the bare domain is loaded and in fact is better than the double redirect as it will also pick up this policy if you go direct to http://www.example.com or https://www.example.com.

As far as SEO and performance goes it won’t really make that much difference to be honest. There will be a slight performance impact of the double redirect and potentially some diluted “SEO juice” but I presume most people will be linking you as your preferred domain (https://www.example.com) rather than the bare domain and redirects are a standard part of the internet and are fairly quick to process.

Also I have already added HSTS header using this in .htaccess:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

So should I need to submit to HSTS preload list to have HSTS implementation or adding the above headers is enough?

I would strongly advise NOT submitting to the preload list and also removing the preload attribute from your your header (so no one can submit your site for you). As stated above preload is basically irreversible so you need pretty confident that’s what you want.

It is true the internet is moving to HTTPS so it should be fairly safe to do this assuming you only need to access your site and every site under that domain over HTTPS, but you’d be surprised how many people have discovered that actually they had a site (or sites) under that domain that do still require HTTP. If you only discover these after preload then you’re only choice us to migrate all those HTTP sites to HTTPS or they will remain unavailable to users after their browser’s get your preload instructions.

If you see no issues after a few weeks or months of running with the HTTP Header (ideally with the pixel trick mentioned above) then you may wish to consider preload then. But honestly I think it’s overkill for most sites. See my post here for more info as to some of the reasoning why I have this (somewhat controversial) opinion: https://www.tunetheweb.com/blog/

Ad
source: stackoverflow.com
Ad