Enforcing HTTPS | Experience? [closed] - security

I was asking myself whether it would be okay to enforce HTTPS over normal HTTP by 301 redirecting every HTTP request to its HTTPS counterpart.
Are there backwards compatibility issues (IE, I'm looking at you) or any other drawbacks? How do search engines handle this? Do you already have experience with this? What are your opinions?
Google themselves also enforce HTTPS, but not always. If you're sending an IE6/7 User-Agent header, you won't be redirected. Should I allow my users to use HTTP, if they want to?
The Electronic Frontier Foundation understandably advises users to always use HTTPS. Can I make that decision for my users and enforce HTTPS? Is there a reason to not use HTTP at all?

Enforcing HTTPS is becoming more and more common. We started using HTTPS where I worked previously (site had millions of hits per week) due to the fact that Firefox was assuming HTTPS if no protocol is defined, meaning users could type "websitename.com" and not find our website at all, as we only served over HTTP.
I'm sure there were SEO implications behind redirects, but I seem to recall that 301 was the suggested route. Definitely not 302.
Internet Explorer didn't give us any issues for 8, 9 or 10 - prior versions I couldn't say. Hopefully someone else here will know more regarding IE7. There is a link here which explains a few issues, though: http://msdn.microsoft.com/en-us/library/bb250503(v=vs.85).aspx
Honestly, in this day and age, the number of people using browsers which do not handle HTTPS is likely to be few - it's such a standard now. My opinion is that we need to try and progress things rather than build things around that total minority who refuse to get with the times. Technology is about progress, after all.

Is there any reason not to redirect all HTTP traffic to HTTPS? [closed]

I just wrote a rule in my .htaccess to redirect all HTTP traffic to HTTPS. It seems pretty common, but I was just wondering if that could have any negative effect. As far as I know it actually helps as far as SEO is concerned. Is there any scenario where a user wants non secure access, can't access a secured site or anything like that? Or am I missing something else besides SEO and accessibility?
There's a post about this on Server Fault. The consensus appears to be that this is a good idea.
This blog post covers some of the drawbacks. There's also this post from the Information Security Stack Exchange.
If you use AdSense, you might see a decrease in earnings due to the forced SSL compliance.
Your site may perform differently than it would using HTTP.
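The two questions above both come down to the same server-side rule: answer every http:// request with a 301 to the https:// counterpart. As an added example (not code from either question or their answers), here is a small WSGI middleware that does that while keeping host, path and query string intact, and that adds a Strict-Transport-Security header only once the client is already on HTTPS. The names redirect_to_https, https_counterpart, hello_app and call are this example's own, and the two request environments are constructed samples.

```python
# Added example, not code from either question or their answers: a WSGI
# middleware that 301-redirects plain-HTTP requests to the HTTPS counterpart
# and adds an HSTS header once the client is already on HTTPS. The names
# redirect_to_https, https_counterpart, hello_app and call are this example's own.
from urllib.parse import quote


def https_counterpart(environ):
    """Rebuild the request URL with an https:// scheme, keeping host, path
    and query string so deep links and campaign URLs survive the redirect."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    if host.endswith(":80"):           # do not send clients to https://host:80/
        host = host[:-3]
    path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "") or "/"
    url = "https://" + host + quote(path)
    query = environ.get("QUERY_STRING", "")
    if query:
        url += "?" + query               # QUERY_STRING is already percent-encoded
    return url


def redirect_to_https(inner_app, hsts_max_age=31536000):
    """Wrap a WSGI app so every http:// request gets a permanent redirect."""
    def app(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # 301, not 302: permanent, so search engines move ranking to the
            # HTTPS URL and browsers cache the redirect.
            start_response("301 Moved Permanently",
                           [("Location", https_counterpart(environ)),
                            ("Content-Length", "0")])
            return [b""]

        def with_hsts(status, headers, exc_info=None):
            # Browsers only honour HSTS over HTTPS, so it is added on this branch only.
            headers = list(headers) + [
                ("Strict-Transport-Security", "max-age=%d" % hsts_max_age)]
            return start_response(status, headers, exc_info)

        return inner_app(environ, with_hsts)
    return app


def hello_app(environ, start_response):
    """Stand-in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over https\n"]


def call(app, environ):
    """Invoke a WSGI app without a server; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


SITE = redirect_to_https(hello_app)

# Constructed sample requests (not captured traffic).
HTTP_REQUEST = {"wsgi.url_scheme": "http", "HTTP_HOST": "example.com:80",
                "PATH_INFO": "/login", "QUERY_STRING": "next=%2Faccount"}
HTTPS_REQUEST = {"wsgi.url_scheme": "https", "HTTP_HOST": "example.com",
                 "PATH_INFO": "/login", "QUERY_STRING": ""}

if __name__ == "__main__":
    for env in (HTTP_REQUEST, HTTPS_REQUEST):
        status, headers, body = call(SITE, env)
        print(env["wsgi.url_scheme"], "->", status, headers)
```

One caveat when deploying something like this behind a TLS-terminating load balancer or CDN: the app then sees every request as plain HTTP, so the scheme check has to come from a proxy-set header instead, and that header must be one the proxy overwrites rather than passes through from the client, or the redirect loops or can be bypassed.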

CSP Content Security Policy - Why are we not using it? [closed]

I'm now introducing CSP and other security-related http headers to the website that I work on. They all feel like a walk-in-the-park to introduce so no problem there...
I quickly investigated what sites were using what http headers. Surprisingly, extremely few sites were using CSP. I checked out some banks' login pages, some big websites and some technology-driven websites (like stackoverflow). Facebook was the only site I could find that used CSP. Gmail only runs it in report-only mode.
For me it feels like a low-hanging fruit to just add these headers and get all the security benefits. I feel confused. Have I missed something? Why isn't anyone using it? Is there some kind of drawback that I don't know about?
People from Google and Mozilla were editors of the W3C spec. So why aren't even they using it?
I don't want to provide a link-only answer, but I don't know a better way to answer than Why is CSP failing? Trends and Challenges in CSP Adoption. Maybe citing Section 3.4, Conclusions, will add some substance:
While some sites use CSP as an additional layer of protection against
content injection, CSP is not yet widely adopted. Furthermore, the
rules observed in the wild do not leverage the full benefits of CSP.
The majority of CSP-enabled websites were installations of phpMyAdmin,
which ships with a weak default policy. Other recent security headers
have gained far more traction than CSP, presumably due to their
relative ease of deployment. That only one site in the Alexa Top 10K
switched from report-only mode to enforcement during our measurement
suggests that CSP rules cannot be easily derived from collected
reports. It could potentially help adoption if policies could be
generated in an automated, or semi-automated, fashion.
Unofficially, (or maybe officially, since Neil Matatal is with the CSP working group), from Managing Content Security Policy:
CSP Level 1 - 2 years of study - could not remove inline scripts - FAIL
CSP Level 2 - two weeks - managed risk with script nonces - SUCCESS
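The slide contrast above (Level 1 failing because inline scripts could not be removed, Level 2 succeeding with script nonces) and the paper's point about report-only mode are easier to see in code. The following is an added example, not code from the question, the cited paper or the slides: it issues a fresh nonce per response, builds the header in enforcing or report-only form, models the browser's decision for an inline script, and reads the violation report a browser would POST back. All function names are this example's own and the sample report is constructed.

```python
# Added example, not code from the question, the cited paper or the slides:
# a per-response nonce policy of the kind the "CSP Level 2" slide describes,
# a model of the browser's inline-script decision, and a reader for the
# reports that report-only mode sends back. All names are this example's own.
import json
import secrets


def new_nonce():
    """One fresh, unguessable nonce per HTTP response (never reused)."""
    return secrets.token_urlsafe(16)


def csp_header(nonce, report_only=False, report_uri="/csp-report"):
    """Return (header name, header value). Report-only collects violations
    without blocking anything, which is how you find the inline scripts you
    still have to migrate before switching to enforcement."""
    policy = ("default-src 'self'; "
              f"script-src 'self' 'nonce-{nonce}'; "
              "object-src 'none'; base-uri 'self'; "
              f"report-uri {report_uri}")
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    return name, policy


def script_tag(nonce, body):
    """Inline script carrying the nonce, which the policy above allows."""
    return f'<script nonce="{nonce}">{body}</script>'


def parse_policy(policy):
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], ...}"""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def inline_script_allowed(policy, script_nonce=None):
    """Model of the browser decision for an inline <script> under Level 2
    rules: script-src falls back to default-src; 'unsafe-inline' permits
    inline code unless a nonce or hash source is also present, in which case
    only a matching nonce does."""
    d = parse_policy(policy)
    sources = d.get("script-src", d.get("default-src", []))
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha")
                            for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    return script_nonce is not None and f"'nonce-{script_nonce}'" in sources


def summarize_report(report_json):
    """Pull the fields you triage first from a browser violation report."""
    r = json.loads(report_json)["csp-report"]
    return (r.get("violated-directive"), r.get("blocked-uri"),
            r.get("document-uri"))


# Constructed sample report, in the shape browsers POST to report-uri.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.test/checkout",
    "violated-directive": "script-src",
    "blocked-uri": "inline",
    "line-number": 42}})

if __name__ == "__main__":
    nonce = new_nonce()
    print(csp_header(nonce))
    print(script_tag(nonce, "init();"))
    print(inline_script_allowed(csp_header(nonce)[1]))          # inline script without nonce: blocked
    print(inline_script_allowed(csp_header(nonce)[1], nonce))   # with the nonce: allowed
    print(summarize_report(SAMPLE_REPORT))
```

The Level 1 failure mode is the `script-src 'self'` case: every inline handler and bootstrap snippet is a violation until it is rewritten, which is the "could not remove inline scripts" of the slide. With nonces the existing inline scripts stay where they are and only need the attribute added, and the report summary is what you would aggregate from a report-only deployment to see which pages still trip the policy.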

Can I use XAMPP for real serving? [closed]

Can I use XAMPP for real to serve to the WWW, not just my localhost? I see some warnings in some articles on the internet not to do that, that XAMPP is for testing only and that hackers will screw it up... If so, what kind of SPECIFIC security holes and problems does it have that make it not secure to serve for real?
I don't want some loose answers. I want a SPECIFIC answer about the security holes or weaknesses of XAMPP. Thanks!
This is not an answer, more a long comment.
Here be Dragons:
The issue with the 'out of the box' XAMPP setup is that all the passwords are defaults and everyone knows them. You need to change every password. If you are not using certain services then disable them if you don't want to bother changing the password. I disabled DAV for this reason. I use XAMPP as an internet-facing server and never have bother. I am on version 1.7.7 and have been using it for years.
If you are using it on a 'home' network with a dynamic IP and you want a domain name, then you need to use a service that supports your IP address changing regularly. I use 'dyn' but there are others.
As #Braders has commented, security is a major issue! Get it wrong and your server will be used for all sorts of nasties, both to your PC and others on the internet. I would suggest an external scan for security issues before you leave it permanently connected to the internet.
I set my server up a few years ago and I am starting to remember all the checks I made at the time. It took many days before I could 'trust' it. Lots of time looking at the access logs etc.
If you are not sure then do not do it. It is very easy to get the setup wrong.
The major issue with running any server is that you are making 'holes' in the firewall and that can be 'interesting' as to what comes in.
As was also mentioned by Braders, you really do need to check with your internet provider to ensure it is allowed by your agreement.

Which web browser is most secure? [closed]

I have been looking at the pros and cons of browsers, specifically for security properties. Please share if you know which browser is more secure than the others and why.
Each browser has different security features, vulnerabilities, maybe even NSA backdoors for some of them at some point in time, but... http://www.infosecurity-magazine.com/view/33645/there-is-no-single-most-secure-browser/
You might want to look here for additional insight: http://slashdot.org/story/13/06/23/0317243/ask-slashdot-most-secure-browser-in-an-age-of-surveillance
There is no web browser that is more secure than the others by a big margin; the reason is that most of today's browsers use mostly the same standards. For example, usage of JavaScript is allowed or disabled by default, tracking and sharing, your IP... Because this question does not have a proper answer, here is an example of how to make a web browser as secure as possible if needed:
In this example I will use Mozilla Firefox.
The first step is disabling JavaScript in the web browser (manually or by installing some plugin to do that, for example "NoScript").
Disabling JavaScript will prevent viewing web pages properly or using them, because almost every website today uses JavaScript. But we are talking about security now.
The second step should be disabling tracking and sharing, again manually or by some plugin.
Third should be the usage of some proxy server to hide your IP.
There are too many different things that could be done. Also note again that JavaScript, which is required for properly displaying page content and interacting with it on almost all modern websites, can be a big security hole, for example session hijacking, forcing the browser to give up your geolocation and too many other things...
My recommendation is to first see exactly what you would like to protect, and then search on Google for how to do that.

Choosing a canonical version [closed]

I'm running a website that uses an SSH certificate. This leaves four potential CNames:
https://example.com
https://www.example.com
http://example.com
http://www.example.com
From an SEO perspective I understand that it's best to choose one and then set up 301 redirects.
Within Google Webmaster tools one may choose www. and non www. versions. I arbitrarily chose the non www. version. No particular reason.
I then came on this forum for some code on how to edit my htaccess file to redirect all URLs to http://example.com.
I wondered if there was a best practice here. Does choosing a non-https version nullify the SSH? From a search perspective, is any of the 4 versions better from an SEO standpoint?
Anyone have any experience or thoughts on which of the 4 to choose?
I presume that when you say “SSH” (Secure Shell), you mean “SSL” (Secure Sockets Layer).
“http:” means normal unencrypted insecure http. “https:” means http layered on top of SSL/TLS, which provides encryption and authentication of the website. So yes, using the non-https version means you don't get the security benefits of SSL.
SSL certificates are usually only valid for a single specific hostname. e.g. if your webserver has a certificate valid only for www.example.com, but someone tries to access https://example.com, they will get either an error message or a scary warning. A CNAME is not enough: you need a valid certificate for that name as well. So use the name specified in your certificate. (If, of course, you have paid extra for a certificate that is valid for both example.com and www.example.com, then you may choose between them. But as I probably know less than you about SEO I shall not advise which one is best.)
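The answer's rule ("use the name specified in your certificate; a CNAME is not enough") can be checked mechanically. As an added example, not code from the question or the answer, the snippet below takes the DNS names a certificate is valid for (its Subject Alternative Names) and works out which of the four candidate origins the browser will accept without a warning, then picks the https:// origin to 301 the others to. The functions cert_covers, classify_origins and canonical_origin are this example's own, the SAN lists are constructed rather than read from a real certificate, and the matching rule is the RFC 6125 one (exact match, or a leading wildcard covering exactly one label).

```python
# Added example, not code from the question or the answer: given the DNS
# names a certificate is valid for (its Subject Alternative Names), work out
# which of the candidate origins can be served without a browser warning and
# pick a canonical https:// origin the certificate covers. cert_covers,
# classify_origins and canonical_origin are this example's own names.
from urllib.parse import urlsplit


def _name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive exact match, or a single
    leading '*' that stands for exactly one label (so '*.example.com' covers
    www.example.com but not example.com or a.b.example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    first, dot, rest = hostname.partition(".")
    return bool(first) and bool(dot) and rest == pattern[2:]


def cert_covers(san_names, hostname):
    """True if any SAN entry matches the hostname the client connected to."""
    return any(_name_matches(p, hostname) for p in san_names)


def classify_origins(san_names, origins):
    """Map each origin to 'ok' (TLS, name covered), 'cert-mismatch' (TLS but
    the browser will warn) or 'plaintext' (http://, no protection at all)."""
    result = {}
    for origin in origins:
        parts = urlsplit(origin)
        if parts.scheme == "http":
            result[origin] = "plaintext"
        elif cert_covers(san_names, parts.hostname or ""):
            result[origin] = "ok"
        else:
            result[origin] = "cert-mismatch"
    return result


def canonical_origin(san_names, prefer_www=False, domain="example.com"):
    """Pick the https:// origin to 301 everything else to: the preferred form
    if the certificate covers it, otherwise whichever form it does cover,
    or None when neither is covered (the redirect would just break)."""
    candidates = ([f"www.{domain}", domain] if prefer_www
                  else [domain, f"www.{domain}"])
    for host in candidates:
        if cert_covers(san_names, host):
            return f"https://{host}"
    return None


CANDIDATES = ["https://example.com", "https://www.example.com",
              "http://example.com", "http://www.example.com"]

if __name__ == "__main__":
    # Constructed SAN lists, not real certificates.
    for san in (["www.example.com"],
                ["example.com", "www.example.com"],
                ["*.example.com"]):
        print(san, classify_origins(san, CANDIDATES), canonical_origin(san))
```

Run against the single-name certificate the answer describes, the non-www https:// origin comes back as cert-mismatch, so an arbitrary www/non-www choice made in Webmaster Tools has to be cross-checked against the certificate before the 301 goes live; a wildcard certificate has the same gap, since `*.example.com` does not cover the bare name.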
