In my scenario we currently have www3.example.com routing through a few different paths. Could you please advise how we should correct this to be a better approach, possibly just redirecting even?

"The HTTP site redirects users to a new URL in a way that cannot be secured with HTTPS and HSTS headers. This leaves users open to man-in-the-middle attackers who can redirect them to a fraudulent/spoofed version of the intended site.

See the 'Site Does Not Enforce HTTPS' issue type for more information regarding man-in-the-middle scenarios."

From "http://www3.example.com/, 301, https://example.com/"

We don't need that domain, though, so it would be best to just have it go directly to www.example.com rather than through the reroutes; either a CNAME or a load balancer came to mind.

What is the best way to accomplish this?

samtech

1 Answer

The best way is a simple 301 redirect from your HTTP site to the HTTPS site, preferably to the final destination.

So instead of doing:

HTTP(www3) => HTTPS(www3) => HTTPS(www)

Go direct with:

HTTP(www3) => HTTPS(www)

By the very nature of HTTP, you can't secure it. Another approach is to drop the HTTP site altogether. However, you would lose traffic from search engines, and if you have customers who usually browse through that site, it will create a bad user experience. A 301 redirect is the best way to accomplish what you need.

On a separate note, I will advise that you review your HTTPS site's security. The Mozilla Observatory is a great place to start, as it will perform many checks for you. Other tools to check are the Security Headers site and the SSL tools lab.
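As an added illustration (not part of the original question or answer), the following Python script audits a redirect chain the way the scanner finding above does: it counts the redirects, flags every plaintext hop (which HSTS can never protect on a first visit), flags HTTPS responses that omit Strict-Transport-Security, and recommends collapsing multi-hop chains into a single 301 to the final host. The two sample chains are constructed to match the "before" and "after" patterns in the answer; the `fetch_chain` helper, which follows a live URL hop by hop without auto-redirecting, is an assumption about how you would gather the same data against a real site.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urljoin, urlparse

PERMANENT = {301, 308}
TEMPORARY = {302, 303, 307}


@dataclass
class Hop:
    """One HTTP response observed while following a URL."""
    url: str
    status: int
    location: Optional[str] = None
    headers: Dict[str, str] = field(default_factory=dict)


def audit_chain(hops: List[Hop]) -> dict:
    """Return redirect count, whether the chain is a single direct hop, and findings."""
    findings = []
    redirects = [h for h in hops if h.status in PERMANENT | TEMPORARY]
    for i, h in enumerate(hops):
        scheme = urlparse(h.url).scheme
        hdrs = {k.lower(): v for k, v in h.headers.items()}
        if scheme == "http":
            # The first plaintext hop is unavoidable if HTTP is served at all;
            # any later one is a downgrade after the user was already on HTTPS.
            if i == 0:
                findings.append(f"{h.url}: plaintext hop; HSTS cannot protect a first visit here")
            else:
                findings.append(f"{h.url}: downgrade to plaintext after an HTTPS hop")
        elif "strict-transport-security" not in hdrs:
            findings.append(f"{h.url}: HTTPS response without Strict-Transport-Security")
        if h.status in TEMPORARY:
            findings.append(f"{h.url}: {h.status} is temporary; use 301 so clients cache the move")
        if h.status in PERMANENT | TEMPORARY and not h.location:
            findings.append(f"{h.url}: redirect without a Location header")
    if len(redirects) > 1:
        path = " => ".join(h.url for h in hops)
        findings.append(f"{len(redirects)} redirects ({path}); collapse to one 301 to {hops[-1].url}")
    return {
        "redirects": len(redirects),
        "direct": len(redirects) == 1,
        "final": hops[-1].url,
        "findings": findings,
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop is observed individually."""
    def redirect_request(self, *args, **kwargs):
        return None


def fetch_chain(url: str, max_hops: int = 5) -> List[Hop]:
    """Assumed helper: record each hop of a live redirect chain (needs network)."""
    opener = urllib.request.build_opener(_NoRedirect)
    hops: List[Hop] = []
    for _ in range(max_hops):
        try:
            resp = opener.open(urllib.request.Request(url, method="HEAD"))
            code, headers = resp.status, dict(resp.headers.items())
        except urllib.error.HTTPError as err:  # 3xx surfaces here once redirects are disabled
            code, headers = err.code, dict(err.headers.items())
        loc = headers.get("Location")
        hops.append(Hop(url, code, loc, headers))
        if code not in PERMANENT | TEMPORARY or not loc:
            break
        url = urljoin(url, loc)
    return hops


HSTS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

# Constructed sample chains mirroring the "before" and "after" layouts in the answer.
BAD_CHAIN = [
    Hop("http://www3.example.com/", 301, "https://www3.example.com/"),
    Hop("https://www3.example.com/", 301, "https://www.example.com/"),
    Hop("https://www.example.com/", 200, headers=HSTS),
]
GOOD_CHAIN = [
    Hop("http://www3.example.com/", 301, "https://www.example.com/"),
    Hop("https://www.example.com/", 200, headers=HSTS),
]

if __name__ == "__main__":
    for name, chain in (("before", BAD_CHAIN), ("after", GOOD_CHAIN)):
        report = audit_chain(chain)
        print(f"{name}: {report['redirects']} redirect(s), direct={report['direct']}")
        for line in report["findings"]:
            print("  -", line)
```

Run it as-is to compare the two constructed chains; point `fetch_chain` at your own HTTP hostname to feed `audit_chain` real observations. The one remaining finding on the "after" chain is the plaintext first hop itself, which is exactly the residual risk the answer describes as inherent to serving HTTP at all.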