
Regarding https, one thing I like to do on my personal websites is listen for whether the client actually wants to upgrade protocols instead of forcing https on everyone.

  # $https is "on" on a TLS connection and empty otherwise;
  # $http_upgrade_insecure_requests is "1" when the browser sent
  # "Upgrade-Insecure-Requests: 1". The concatenation is exactly "1"
  # only for a plain-HTTP request from a client that asked for HTTPS
  # ("on1" on TLS never matches, so there is no redirect loop).
  set $need_http_upgrade "$https$http_upgrade_insecure_requests";

  location / {
    if ($need_http_upgrade = "1") {
      # Tell caches the answer depends on this request header.
      add_header Vary Upgrade-Insecure-Requests;
      return 301 https://$host$request_uri;
    }

    index index.php index.html;
    try_files $uri $uri/ /index.php?$query_string;
  }
It's pretty straightforward to do in nginx, and my websites remain usable in IE5, Contiki, various feature phones.


This has enabled man in the middle attacks even for clients that want to upgrade protocols. An ISP or owner of the Wi-Fi network can just quietly drop all upgrade security headers.
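The failure mode described here, worked through in code. This is an added example, not code from either commenter: it rebuilds the nginx rule from the parent comment as a Python function and runs it once directly, once through a constructed on-path attacker that deletes the one request header the rule keys on, and once over TLS. The Request/Response classes, the host example.org and the hostile_network function are all assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    scheme: str                 # "http" or "https"
    host: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def nginx_upgrade_decision(req: Request) -> Response:
    """The 'set $need_http_upgrade ...' rule, rebuilt in Python.

    In nginx, $https is "on" for a TLS connection and empty otherwise, and
    $http_upgrade_insecure_requests is the raw header value ("1") or empty.
    Their concatenation equals "1" only for plain HTTP from a client that
    advertised Upgrade-Insecure-Requests; "on1" on TLS never matches, so
    there is no redirect loop.
    """
    https_var = "on" if req.scheme == "https" else ""
    uir_var = req.headers.get("Upgrade-Insecure-Requests", "")
    need_http_upgrade = https_var + uir_var
    if need_http_upgrade == "1":
        return Response(301, {"Location": f"https://{req.host}{req.path}",
                              "Vary": "Upgrade-Insecure-Requests"})
    # Otherwise the request is served on whatever scheme it arrived on.
    return Response(200, {"Content-Type": "text/html"}, "<html>plaintext page</html>")


def hostile_network(req: Request) -> Request:
    """An on-path attacker (ISP, captive Wi-Fi) forwards the request with the
    one header the server keys on deleted. Constructed for this example."""
    kept = {k: v for k, v in req.headers.items()
            if k.lower() != "upgrade-insecure-requests"}
    return Request(req.scheme, req.host, req.path, kept)


def browse(req: Request, on_path=None) -> Response:
    """Send a request, optionally through an on-path attacker, to the server."""
    if on_path is not None:
        req = on_path(req)
    return nginx_upgrade_decision(req)


def demo():
    """Return the status codes for: clean HTTP, HTTP with the header stripped, HTTPS."""
    modern = {"Upgrade-Insecure-Requests": "1"}
    return (
        browse(Request("http", "example.org", "/", modern)).status,
        browse(Request("http", "example.org", "/", modern), hostile_network).status,
        browse(Request("https", "example.org", "/", modern)).status,
    )


if __name__ == "__main__":
    print(demo())  # (301, 200, 200)
```

The middle case is the whole point: a modern browser that wanted HTTPS is indistinguishable, at the server, from a legacy client that never sends the header, so the server happily serves the page in plaintext and the attacker reads it.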


One other trick to do this is include a https resource (image/CSS/JS) in the http page, and on https use the HTTP header that forces https for the domain. So then if the resource loads successfully, future loads of the site go to https. Browsers that don't support Upgrade-Insecure-Requests often support the https-only header.
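The trick above, an https-only subresource whose response carries Strict-Transport-Security, worked through as an added example (not the commenter's code). The origin responses, the host example.org and the Browser class are constructed for it; the HSTS handling follows RFC 6797 in simplified form: the header is only honored on an HTTPS response, it carries a max-age, and includeSubDomains extends it to child hosts. Once the image has loaded, the next plain-http navigation is rewritten to https inside the browser before any packet leaves.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed origin responses, not captured traffic: the plain-HTTP page
# embeds one image that is only reachable over HTTPS, and that image
# response carries the HSTS header.
HTTP_PAGE = {
    "status": 200,
    "headers": {"Content-Type": "text/html"},
    "body": '<html><img src="https://example.org/pixel.png"></html>',
}
HTTPS_PIXEL = {
    "status": 200,
    "headers": {"Content-Type": "image/png",
                "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "body": "",
}


def constructed_origin(url):
    """Stand-in for the web server: the pixel exists only on HTTPS."""
    if url == "https://example.org/pixel.png":
        return HTTPS_PIXEL
    if url == "http://example.org/pixel.png":
        return {"status": 404, "headers": {}, "body": ""}
    return HTTP_PAGE


class Browser:
    """Minimal HSTS-aware client (RFC 6797 semantics, simplified)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.hsts = {}   # host -> (expiry_timestamp, include_subdomains)

    def _is_hsts_host(self, host):
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hsts.get(".".join(labels[i:]))
            if entry and entry[0] > self.clock() and (i == 0 or entry[1]):
                return True
        return False

    def _rewrite(self, url):
        parts = urlsplit(url)
        if parts.scheme == "http" and self._is_hsts_host(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

    def _record_hsts(self, url, headers):
        parts = urlsplit(url)
        if parts.scheme != "https":
            return  # RFC 6797 s8.1: the header is ignored on plaintext responses
        sts = headers.get("Strict-Transport-Security")
        if not sts:
            return
        m = re.search(r"max-age\s*=\s*\"?(\d+)", sts, re.I)
        if not m:
            return
        max_age = int(m.group(1))
        if max_age == 0:
            self.hsts.pop(parts.hostname, None)   # max-age=0 clears the entry
            return
        include_sub = re.search(r"(^|;)\s*includeSubDomains\s*(;|$)", sts, re.I) is not None
        self.hsts[parts.hostname] = (self.clock() + max_age, include_sub)

    def fetch(self, url, origin):
        url = self._rewrite(url)           # the upgrade happens before any request is sent
        resp = origin(url)
        self._record_hsts(url, resp["headers"])
        return url, resp

    def navigate(self, url, origin):
        """Load a page and its <img> subresources; return the URL actually used."""
        final_url, page = self.fetch(url, origin)
        for src in re.findall(r'src="([^"]+)"', page["body"]):
            self.fetch(src, origin)
        return final_url
```

The caveat to keep in mind: the very first plaintext load is still exposed, because the policy only exists in the browser after one HTTPS response has been seen, and a network that blocks or rewrites that first image fetch prevents the entry from ever being recorded.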


Oooo I like this! I’ll have to steal it.

Thanks for the tip!


Don’t do this. What if something strips the header between the client and your server? Always upgrade to HTTPS. Not doing so isn’t worth supporting 25-year-old browsers


That depends what your website is. If it's for some commercial or sensitive thing then yeah, just HTTPS is okay. But if it's something of yours (and isn't just done to get you hired) then the downsides of HTTPS-only outweigh the benefits. HTTP+HTTPS is perfect for human persons even if it's not for corporate persons.

You're basically making it so that people can only visit your site if a third party corporation wants to maintain an account with you. There are benign organizations like LetsEncrypt but it still means giving up control to an entity that will eventually go bad. Just look at what happened to dot Org.

And of course you prevent even moderately old systems from interacting with your web server. Depending on your accepted TLS cipher set you're probably excluding software from as late as 2017 by going HTTPS only.

It's like wearing level 3 body armor when you go out to the park to walk the dog. There are some people who have lives where that's necessary, but it really isn't for most. And the downsides outweigh the admittedly very safe protection.


> You're basically making it so that people can only visit your site if a third party corporation wants to maintain an account with you.

I don’t know about you but people can only visit my site if a “third party” maintains an account with me… and that third party is my ISP.

The web, even self hosted sites, isn’t some direct person to person contact network. It relies on a wealth of protocols and a community backing it.

Now to be fair, I do upgrade everyone but I don’t do so because of security concerns. I do it because the protocol inconsistency occasionally shows up in my logs, and sometimes browsers block APIs based on if you are HTTPS or not. It’d be nice if they didn’t but browsers are yet another third party in between my servers and my end user.


> If it's for some commercial or sensitive thing then yeah, just HTTPS is okay.

It wasn't before the attacker inserted themselves, but now it is and there's a credit card form for a seemingly legitimate service on your site.


> What if something strips the header between the client and your server?

Then that something would equally likely intercept your initial HTTP request and serve you a TLS stripped version of the website.

The real solution to this problem is for browsers to never implicitly make plaintext HTTP requests via the address bar. In general, they have become too clever in interpreting the content of the address bar. Firefox, for example, will gladly change the name and try a variety of protocols of the sort-of-address I'm requesting if it doesn't get a response to its initial request. I don't know if it's the case still, but it even used to blindly append ".com" to the name you entered in some cases, going so far as request an entirely different domain.

I don't know what name will be resolved or what protocol will be used, and it may depend on network conditions (for example, Firefox will add "www." to the URL if the server happens to be down the moment I request it).

This makes the address bar unpredictable, unreliable and unsafe. It is beyond me why it has been made such a complex problem. I guess it's more forgiving? I am wary of software that so readily trades security for convenience.


The thing could just strip the upgrade to https anyway. Lots of those sort of tricks are implemented in sslstrip:

https://github.com/moxie0/sslstrip
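What "strip the upgrade" means in practice, as an added example rather than code from sslstrip or from the commenter: a model of an on-path proxy that speaks plaintext to the victim, TLS to the origin, and rewrites every https:// reference in the origin's responses (the redirect Location and the links and form actions in the body) to http://, remembering which URLs to re-upgrade on the way out so the origin never notices. The origin behaviour, the host example.org and the StrippingProxy class are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def constructed_origin(url, headers):
    """Stand-in for a site that redirects plain HTTP to HTTPS and then
    serves a login form. Constructed for this example; not a real site."""
    if url.startswith("http://"):
        return {"status": 301,
                "headers": {"Location": "https://example.org/login"},
                "body": ""}
    return {"status": 200,
            "headers": {"Content-Type": "text/html",
                        "Strict-Transport-Security": "max-age=31536000"},
            "body": '<form action="https://example.org/login" method="post">'
                    '<input name="password"></form>'}


class StrippingProxy:
    """Educational model of the sslstrip idea: plaintext toward the victim,
    TLS toward the origin, and every https:// reference the victim would
    follow rewritten to http:// on the way back."""

    def __init__(self, upstream):
        self.upstream = upstream     # callable(url, headers) -> response dict
        self.was_https = set()       # plaintext URLs that were https at the origin

    def _downgrade(self, url):
        parts = urlsplit(url)
        if parts.scheme != "https":
            return url
        plain = urlunsplit(("http",) + tuple(parts[1:]))
        self.was_https.add(plain)
        return plain

    def _upgrade(self, url):
        if url in self.was_https:
            parts = urlsplit(url)
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

    def handle(self, url, headers):
        """Serve one victim request (always http://) and return the downgraded response."""
        resp = self.upstream(self._upgrade(url), headers)
        out = dict(resp["headers"])
        if "Location" in out:
            out["Location"] = self._downgrade(out["Location"])
        # The HSTS header must not reach the victim either, or the browser would
        # start upgrading by itself on the next visit.
        out.pop("Strict-Transport-Security", None)
        body = re.sub(r"https://[^\s\"'<>]+",
                      lambda m: self._downgrade(m.group(0)), resp["body"])
        return {"status": resp["status"], "headers": out, "body": body}


def demo():
    """Victim types http://example.org/login and follows the redirect it gets back."""
    proxy = StrippingProxy(constructed_origin)
    first = proxy.handle("http://example.org/login", {})
    second = proxy.handle(first["headers"]["Location"], {})
    return first["headers"]["Location"], second["status"], second["body"]
```

The victim's browser never sees an https:// URL, so the padlock never appears and the password in that form travels in plaintext to the proxy, which forwards it to the real site over TLS. The only thing in the exchange the proxy cannot rewrite is a request the browser refuses to send in plaintext in the first place, which is what a previously cached HSTS entry (or an HTTPS-only browser mode) gives you.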


Reading the article, I was just thinking there should have been an Accept-Protocol header, but now I see that a limited version of that exists as Upgrade-Insecure-Requests.

