Hacker News

Is it protocol at this point to always redirect from HTTP to HTTPS? Is there an RFC for that?


It's part of the HSTS spec that a server receiving a request over HTTP should redirect to HTTPS.

I assume the logic here is that as it's best practice for any site with HTTPS to use HSTS also, all HTTPS sites should not be available over HTTP apart from a redirect to the secure version of the page.


Not yet, as there was a bit of an argument in the HTTP/2 WG about that.

I may suggest a SHOULD NOT again, however.



