mozilla-services / FindMyDevice

Find My Device - 🚨🚨This server is obsolete and unsupported.🚨🚨
Mozilla Public License 2.0

redirect HTTP to HTTPS? #261

Closed pdehaan closed 10 years ago

pdehaan commented 10 years ago

via https://www.expeditedssl.com/simple-ssl-scanner/scan?target_domain=find.firefox.com

3 out of 5 Checks Passed


:-1: Redirects 'http' to 'https'

This is an optional requirement as your web application may or may not need to be fully SSL secured. You'll need to implement this in your application.


:-1: Site uses HSTS

HTTP Strict Transport Security (HSTS) is an HTTP response header that is set on your web application server. Supporting browsers read the header which contains an expiration max-age value and will NOT reconnect on a plain HTTP connection until the max-age value is exceeded. HSTS prevents a variety of attacks where an intermediary could disrupt or spoof connections.

More HSTS information at: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

See #270

pdehaan commented 10 years ago

/cc @oremj @jrconlin

jaredhirsch commented 10 years ago

Yeah, let's please redirect HTTP to HTTPS, see https://bugzilla.mozilla.org/show_bug.cgi?id=1050576

oremj commented 10 years ago

Are people going to this URL manually? If not, can we leave :80 turned off?

jrconlin commented 10 years ago

People may hit this manually. (logged off users, folks wanting to get their phones, the curious, etc.) We're working on a landing page for it.

If there are better auto-boot mechanisms to punt people to https, I'm all for doing that.

jaredhirsch commented 10 years ago

@oremj Yeah, see the Bugzilla bug for discussion - a couple of people have reported this problem already. All I'm referring to is needing to redirect http to https, not adding hsts headers.
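The two scan checks quoted at the top of the thread (redirect http to https, send HSTS) and the distinction this comment draws between them are easy to show side by side. The following is an added example written for this page, not code from the FindMyDevice repository: a :80 listener whose only job is to punt visitors to https, and a middleware for the :443 listener that adds `Strict-Transport-Security` only on TLS responses. The canonical host `find.firefox.com` is taken from the scan URL above; the `cert.pem`/`key.pem` paths and the 180-day `max-age` are placeholders chosen for the example. Two practitioner details are built in: the redirector never reflects the request's `Host` header (that would make it an open redirect), and it refuses non-GET/HEAD methods so a POST body is not silently resent after the redirect.

```go
package main

import (
	"log"
	"net/http"
	"strconv"
	"time"
)

// redirectToHTTPS returns the handler to serve on :80. It answers GET and HEAD
// with a 301 to the same path and query on the configured canonical host, and
// refuses other methods so a POST body is never silently re-sent after the
// redirect. The request's Host header is deliberately not reused: reflecting
// it would turn this redirector into an open redirect.
func redirectToHTTPS(canonicalHost string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet && r.Method != http.MethodHead {
			w.Header().Set("Allow", "GET, HEAD")
			http.Error(w, "plain HTTP is not served; use https", http.StatusMethodNotAllowed)
			return
		}
		// RequestURI() keeps the path and query string, so deep links survive.
		target := "https://" + canonicalHost + r.URL.RequestURI()
		http.Redirect(w, r, target, http.StatusMovedPermanently)
	})
}

// hsts wraps the https handler and adds Strict-Transport-Security. Browsers
// only honour the header on a TLS response, and sending it over plain HTTP
// gains nothing, so it is added only when the request arrived over TLS.
func hsts(maxAge time.Duration, next http.Handler) http.Handler {
	value := "max-age=" + strconv.FormatInt(int64(maxAge/time.Second), 10)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil {
			w.Header().Set("Strict-Transport-Security", value)
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Stand-in for the real application handler.
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("Find My Device\n"))
	})
	// :80 exists only to punt visitors to https; nothing else is served there.
	go func() {
		log.Fatal(http.ListenAndServe(":80", redirectToHTTPS("find.firefox.com")))
	}()
	// cert.pem / key.pem are placeholder paths for the deployment's certificate
	// files; 180 days is an arbitrary max-age chosen for this example.
	log.Fatal(http.ListenAndServeTLS(":443", "cert.pem", "key.pem",
		hsts(180*24*time.Hour, app)))
}
```

Leaving :80 closed, as suggested above, means a visitor who types the bare hostname gets a connection error instead of the redirect; the redirect fixes that first visit, but the redirect response itself travels over plain HTTP and can be tampered with by an intermediary, which is the gap HSTS (#270) closes on later visits.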

pdehaan commented 10 years ago

Y'all keep arguing up in this bug and I'll split this bug right in two (one for HTTP redirect, one for HSTS).

jaredhirsch commented 10 years ago

@pdehaan do it

pdehaan commented 10 years ago

Done. Split HSTS discussion into #270 since the kvetching above seemed to be more centered around the HTTP to HTTPS topic. :heart:

jrconlin commented 10 years ago

Closed

https://bugzilla.mozilla.org/show_bug.cgi?id=1058805