Never serve an HTTPS-enabled domain over HTTP

If your site remains accessible via HTTP, it becomes trivial for an attacker to downgrade requests to your website to plain HTTP and alter the site however they want. Once your user is on HTTPS, you want to keep them there.

A typical user session might proceed as follows:

  1. Browse website over HTTP
  2. Click a login link
  3. Sent to HTTPS version of website
  4. Login over HTTPS

If an attacker were in control of the connection (a man in the middle), they could instead cause the following:

  1. Browse website over HTTP
  2. Attacker rewrites the login link to an HTTP URL they control
  3. Sent to the HTTP login page
  4. Attacker collects the user's credentials, then redirects them back to the HTTPS page
  5. Attacker has the credentials and the user is unaware of any problem

The attacker can act as a silent proxy between the user and the website, watching for any HTTPS links and simply rewriting them to HTTP, or even sending the user to a website under the attacker's complete control.

This completely removes the security offered by HTTPS.

If you have deployed HTTPS on your domain, take these steps as a minimum to reduce the risk of downgrade attacks:

  1. The only response to an HTTP request should be a 301 redirect to HTTPS
  2. Deploy HSTS with a long expiry to enable preload
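As an added example that is not part of the original post, the following Python function checks both steps against a pair of responses, using the preload list's published requirements (a max-age of at least one year plus the includeSubDomains and preload directives) as the bar for "long expiry". The host name, status codes and header values are constructed samples, not captured from any real site.

```python
# Offline check of the two minimum steps: HTTP answers only with a 301 to the
# HTTPS origin, and the HTTPS response carries a preload-qualifying HSTS header.
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # preload list minimum max-age, in seconds


def parse_hsts(header):
    """Return (max_age, directives) from a Strict-Transport-Security value."""
    max_age, directives = None, set()
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.lower()
        if name == "max-age" and value.strip('"').isdigit():
            max_age = int(value.strip('"'))
        elif name:
            directives.add(name)
    return max_age, directives


def check_downgrade_resistance(host, http_status, http_location, hsts_header):
    """Return a list of findings; an empty list means both steps are met."""
    findings = []
    # Step 1: the only answer on port 80 is a 301 to HTTPS on the same host.
    if http_status != 301:
        findings.append("HTTP request answered with %d, expected 301" % http_status)
    target = urlsplit(http_location or "")
    if target.scheme != "https" or target.hostname != host:
        findings.append("HTTP redirect does not point at https://%s" % host)
    # Step 2: HSTS with preload-qualifying directives on the HTTPS response.
    if hsts_header is None:
        findings.append("HTTPS response has no Strict-Transport-Security header")
        return findings
    max_age, directives = parse_hsts(hsts_header)
    if max_age is None or max_age < ONE_YEAR:
        findings.append("HSTS max-age below one year (%s)" % max_age)
    for required in ("includesubdomains", "preload"):
        if required not in directives:
            findings.append("HSTS header lacks the %s directive" % required)
    return findings


# Constructed samples: the vulnerable setup from the post, then the fixed one.
WEAK = ("example.com", 200, None, "max-age=300")
FIXED = ("example.com", 301, "https://example.com/",
         "max-age=63072000; includeSubDomains; preload")

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("fixed", FIXED)):
        print(label, check_downgrade_resistance(*sample) or ["ok"])
```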