Closed AdamMadrzejewski closed 6 years ago
I've just done a quick test in both Chrome and Firefox. It seems that for both browsers:
www.alistapart.com forwards to https://alistapart.com
alistapart.com does not forward to https://alistapart.com
In Firefox, once the www. version is visited and forwarded to HTTPS with a 301, the non-www is then also forwarded to HTTPS.
However, in Chrome, even after the www. version is visited and forwarded to HTTPS, going back to the non-www. version gets you back to a non-HTTPS version of the site.
This is a bit bizarre, since it looks like the site is served via Cloudflare. I'm guessing either 'always use HTTPS' is not properly enabled or something isn't quite right with the DNS settings (orange cloud not on for both www. and non-www.?).
I would recommend enforcing this through HSTS. This would a) Enforce HTTPS with little effort, and b) improve performance for repeat visits, as the redirect for HSTS is internal to the browser and doesn't involve a network round trip like a 301 might (assuming that 301 is uncached).
We could also add the domain to the HSTS preload list. I'll take this to the team and see what can be done, but I think this is a valid concern. I'll chase it up.
Agreed, HSTS would be the best long-term solution.
Though 301 forwarding would still need to be in place for browsers/HTTP clients that don't support HSTS.
Assuming HSTS with no preload, a 301 redirect scheme needs to be in place regardless for HSTS to take effect, but once the redirect has occurred once for a client, HSTS then takes effect. But I'm splitting hairs. We still need both. :)
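The checks discussed in the comments above (both hostnames answering plain HTTP with a 301 to the HTTPS origin, plus an HSTS header strong enough for the preload list) as a small Python verifier. This is an added example, not code from the thread or from the site's operators; it takes responses as `(status, headers)` tuples so it can be run against constructed data offline or against real responses you capture with any HTTP client, and the preload thresholds it assumes are the public submission rules (one-year `max-age`, `includeSubDomains`, `preload`).

```python
# Added example, not code from the issue thread: check that both the apex
# and www hostnames answer plain HTTP with a 301 to the HTTPS origin, and
# that the HTTPS response carries a preload-eligible HSTS header.
# Responses are passed in as (status, headers) tuples so the check runs
# offline against constructed data or against real responses you capture.
from urllib.parse import urlsplit

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the preload list's minimum (assumed rule)


def parse_hsts(header):
    """Split an HSTS header value into a dict of lowercase directives."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_preload_ready(header):
    """True if the header meets the preload list's submission rules."""
    if not header:
        return False
    d = parse_hsts(header)
    if not d.get("max-age", "").isdigit():
        return False
    return (int(d["max-age"]) >= PRELOAD_MIN_MAX_AGE
            and "includesubdomains" in d and "preload" in d)


def redirects_to_https(status, location, expected_host):
    """True if a plain-HTTP response is a 301 straight to https://expected_host."""
    if status != 301 or not location:
        return False
    target = urlsplit(location)
    return target.scheme == "https" and target.hostname == expected_host


def check_site(apex, responses):
    """responses maps 'http://host' and 'https://apex' to (status, headers).
    Returns one pass/fail entry per check discussed in the thread."""
    results = {}
    for host in (apex, "www." + apex):
        status, headers = responses["http://" + host]
        results["redirect:" + host] = redirects_to_https(
            status, headers.get("Location"), apex)
    _, https_headers = responses["https://" + apex]
    results["hsts_preload_ready"] = hsts_preload_ready(
        https_headers.get("Strict-Transport-Security"))
    return results
```

Feed it the three responses for a site and any `False` in the result is a hostname still reachable over plain HTTP or an HSTS policy that will not be accepted for preloading.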
This should be fixed now. We're waiting to add HSTS after we verify a few things, but HTTPS redirects should work in both instances.
Thanks @malchata, I can confirm I'm now getting a 301 to https://alistapart.com from both www and non-www in Chrome now.
Great! Closing this issue for now. We may make a separate ticket for HSTS in the future.
All web pages can be accessed on http:// but also https://. I think redirection to https:// should be forced.