How can I change my HTTP secure pages to HTTPS in cPanel - .htaccess

How can I change my sensitive HTTP pages to HTTPS, when I don't know what the difference between HTTP and HTTPS is or how to do that?

HTTPS is the secure version of HTTP:
- traffic gets encrypted,
- the user knows for sure that the site he is talking to is the real deal.

Depending on your web server, you'll have to add support for HTTPS in the configuration file. For example, for the Apache web server, you need to use the mod_ssl module.

Related

How to tell if my client is running a secure connection (SSL)

I am making a self-hosted app, and I would like to require HTTPS since sensitive information might be sent. How can I tell if the client is using a secure connection?
I could use JavaScript in the browser, but this wouldn't be secure (since an attacker could just bypass this).
The node server might be running as HTTP, but behind a secure nginx/Apache proxy.
Optionally, I would need to enforce this rule every time someone is making a request.
Well, you can configure your web server so it redirects the user to the HTTPS URL from an HTTP URL. Apache htaccess is commonly used to ensure that a website is accessible only over HTTPS. See this link for more information: http://www.askapache.com/htaccess/ssl-example-usage-in-htaccess/#redirect-http-to-https
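For the case in the question where Node runs as plain HTTP behind an nginx/Apache proxy, the check can be made server-side on every request. This is an added example, not code from the original question or answer; `TRUSTED_PROXIES`, `CANONICAL_HOST` and the function names are assumptions, and the proxy is assumed to overwrite `X-Forwarded-Proto` on every request.

```javascript
// Peers allowed to vouch for the original scheme (assumption: the
// nginx/Apache reverse proxy runs on this host and connects over loopback).
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);
// Assumption: the site's public host name, used to build redirect targets.
const CANONICAL_HOST = 'www.example.com';

// True when the hop between the client and the front end used TLS.
function isSecureRequest(req) {
  // Node terminates TLS itself: tls.TLSSocket has `encrypted === true`.
  if (req.socket.encrypted) return true;
  // Behind a proxy, believe X-Forwarded-Proto only if the TCP peer is our
  // own proxy; any other client can put that header on a plain request.
  if (!TRUSTED_PROXIES.has(req.socket.remoteAddress)) return false;
  // The proxy must overwrite the header on every request, e.g. in nginx:
  //   proxy_set_header X-Forwarded-Proto $scheme;
  const proto = String(req.headers['x-forwarded-proto'] || '');
  return proto.trim().toLowerCase() === 'https';
}

// Decide what to do with a request before any application code sees it.
function httpsDecision(req) {
  if (isSecureRequest(req)) return { action: 'serve' };
  // A non-GET body already crossed the network in clear text; refuse it
  // rather than redirect, so the client bug is noticed.
  if (req.method !== 'GET' && req.method !== 'HEAD') {
    return { action: 'reject', status: 403 };
  }
  // Build the target from a fixed host, never from the Host header, and
  // accept only origin-form paths so the redirect cannot be steered.
  const path = req.url.startsWith('/') ? req.url : '/';
  return { action: 'redirect', status: 301,
           location: 'https://' + CANONICAL_HOST + path };
}

// Express/Connect-style middleware applying the decision to every request.
function requireHttps(req, res, next) {
  const d = httpsDecision(req);
  if (d.action === 'serve') return next();
  if (d.location) res.setHeader('Location', d.location);
  res.statusCode = d.status;
  res.end();
}
```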

Why do HTTPS websites leave the HTTP port open?

Most websites that use the HTTPS protocol to communicate have the HTTP port of the web server open. Is there any need for it to be left open?
If the website serves HTTPS, it may leave HTTP open to redirect requests to HTTPS:
- Even if the website uses HSTS preloading, older browsers may not be aware of it.
- Links to the website may be (wrongly) prefixed by http://
- Users can type the domain name in the URL bar (so the browser will prefix it with http://)

There is little security advantage in closing the HTTP port for an HTTPS-only website.

How to prevent HSTS?

I have an SDK and want to support both HTTP and HTTPS, but browsers always force HTTPS. I know that is a good feature of browsers, but many websites using HTTP could not use my SDK.
Does anyone know how I can prevent HSTS or a solution for this?
HSTS is activated only when the website concerned asks for it (or when the user adds the website manually to his browser). So if HSTS is enabled, it's because the website supports HTTPS (the HSTS header is only valid when set on a secure HTTPS response).
If the website doesn't provide HTTP, you can't force it (and when using HSTS, any HTTP request bypassing HSTS will probably get a redirect to HTTPS as an answer).
Note that if the HSTS header has the 'includeSubDomains' option, it will force HTTPS for all subdomains, even if they don't support HTTPS.
Last point: HSTS (and HTTPS) is a security feature; it's probably a bad idea to try to disable it.
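A small model of the browser-side behaviour described in the answer above: a policy is stored only from an HTTPS response, and `includeSubDomains` extends it to hosts below the one that sent it. This is an added example, not code from the original post; the function names and the `Map` store are assumptions, and it simplifies RFC 6797 (no preload list, no IP-address hosts).

```javascript
// Parse a Strict-Transport-Security value. Directive names are
// case-insensitive; a missing or non-numeric max-age makes the header invalid.
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const part of value.split(';')) {
    const [name, raw = ''] = part.trim().split('=');
    const key = name.trim().toLowerCase();
    if (key === 'max-age') {
      const v = raw.trim().replace(/^"(.*)"$/, '$1'); // value may be quoted
      if (!/^\d+$/.test(v)) return null;
      maxAge = Number(v);
    } else if (key === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// Record a policy the way a browser does. Returns true if the header was used.
function noteResponse(store, url, headerValue, nowSec) {
  const u = new URL(url);
  if (u.protocol !== 'https:') return false; // ignored on plain HTTP responses
  const policy = parseHsts(headerValue);
  if (!policy) return false;
  if (policy.maxAge === 0) { store.delete(u.hostname); return true; } // opt out
  store.set(u.hostname, { expires: nowSec + policy.maxAge,
                          includeSubDomains: policy.includeSubDomains });
  return true;
}

// Would an http:// request to `host` be rewritten to https:// ?
function wouldUpgrade(store, host, nowSec) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    const entry = store.get(labels.slice(i).join('.'));
    // i === 0 is an exact match; parents count only with includeSubDomains.
    if (entry && entry.expires > nowSec && (i === 0 || entry.includeSubDomains)) {
      return true;
    }
  }
  return false;
}
```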

Redirect http to https in NodeJs app

I am writing a NodeJs application. I need to secure (HTTPS) only the login page. The home page should be non-secure (HTTP).
If my domain is www.example.com:
If an http://www.example.com request comes in, it should be redirected to https://www.example.com (secure HTTPS).
After the user successfully logs in to the system, it should go to the http://www.example.com/home URL, not https://www.example.com/home.
When the user logs out, it should be redirected to https://www.example.com (secure HTTPS).
Please give me some help to achieve this, or if you have come across this kind of live situation, please let me know.
I would recommend setting up a web server in front of your node app such as nginx or Apache. With nginx for example, you can do a ProxyPass as outlined in this answer: https://stackoverflow.com/a/10375750/760297
You can then add rules to redirect people to HTTPS or HTTP based on their current path via server configurations and keep your app all one protocol. This reduces the overhead on node and your development.

Is it secure to rewrite proxy a https url to http?

Say I have a URL that is served over HTTPS, but in my .htaccess I rewrite proxy it to another domain that is on the same server like so:
RewriteRule /https-url/(.*) http://www.somesite.com/$1 [P,L]
Is this a secure situation? I would assume it is, because the browser is communicating with an SSL secured url and the rewriting is done on the server where nobody can interfere.
EDIT: I just went on and tried it. It works just fine, you can just redirect people to https if they approach the http url directly. This has also saved me some money since I only had to buy an SSL certificate for one domain.
If www.somesite.com is hosted on the same server that the rule is being applied on, then its network traffic is never leaving the server. That means a 3rd party not on the server won't be able to "eavesdrop" the contents of the request and response (or masquerade as a trusted party) so it doesn't matter if it's unencrypted. The assumption here is that if someone can get access to this traffic, they've already compromised the server so the reverse proxy may be the least of your worries.
