
Redirecting to HTTPS is heavily encouraged by the HSTS spec.[1] Clients are just as easily man-in-the-middled if you refuse connections on port 80. The middleman can connect to your HTTPS and use it to send valid (though maliciously corrupted) HTTP responses to the client.

There's only one way to ensure clients aren't MitM'ed on first connect: Go to https://hstspreload.appspot.com/ and submit your site to Chrome's HSTS preload list. Firefox slurps Chrome's list from time to time. The lists are shipped with browser updates, so the whole process takes months.

1. http://tools.ietf.org/html/rfc6797#section-7.2



