A link redirect to http instead of https: how critical is it?


I just joined a project, and while browsing the code, I realized that some links redirect to another web page, in HTTP instead of HTTPS.

The linked website has an HTTPS version, and there was no reason not to use it, so I fixed the issue.

However, the first website is in production, so we should avoid rebuilding the whole server for a minor correction but rather wait to group several minor fixes together.

I'm just wondering if this is a minor fix, or if leading users to an HTTP website is a major problem.

The linked website is a showcase website belonging to the company I work for, and there is no interaction such as logging into an account, so I guess that while a man-in-the-middle attack is still possible, there is no sensitive content/data to steal. Besides that, the link is in the footer of the first website, and the website itself doesn't have major traffic, so the number of people clicking it shouldn't be that high.

How critical is it? Can such an issue wait several days, or should it be fixed as soon as possible?

tls http

asked 13 hours ago by Kepotx

  • I don't think this is answerable in the general case, but in your specific case it doesn't seem remotely important. Between the low user volume and the lack of sensitive data, a MITM attack hardly seems likely or useful. I can't see any reason to rush a fix out, outside of whatever regular deployment cadence the company uses.

    – meagar
    12 hours ago












  • Incidentally, I think the more useful fix is to have the destination website stop allowing HTTP connections. It should redirect HTTP connections to HTTPS.

    – meagar
    12 hours ago











  • @meagar Not allowing HTTP connections is generally a usability concern, and it doesn't actually do anything to prevent MitM anyway (at least for active MitM).

    – AndrolGenhald
    10 hours ago











  • @AndrolGenhald What is the usability concern? The majority of the Internet is moving in this direction.

    – meagar
    10 hours ago






  • @meagar Most people still type google.com rather than https://google.com. Redirecting from HTTP to HTTPS is going to be the recommended behavior for a good while yet (reading your comment again I see you actually mention redirecting, but redirecting and disabling HTTP are two very different things; you have to establish an HTTP connection before the redirection is possible).

    – AndrolGenhald
    9 hours ago

3 Answers

In general, the risk is low, as other answers here indicate. However, there is a scenario where risk is introduced:

  • You have session tokens being passed as cookie data

  • The cookies are scoped in such a way that the other (non-HTTPS) site has access to them

  • The cookies do not have the Secure flag set

If all of those are present, the session tokens may be intercepted via a man-in-the-middle (MiTM) attack, since the browser will send them to the other site automatically, and they will be sent in plain text rather than over the encrypted HTTPS stream.

That's a fairly specific set of criteria, and a MiTM attack is semi-tough to pull off, so how much real risk this presents should be decided based on 1) whether your site has all 3 of those criteria present, and 2) how sensitive the information in your application is.






– Jason Ross (new contributor), answered 11 hours ago

If your website is purely static and doesn't contain any login or sensitive data, then the risk on a technical level is likely low, and may not warrant an out-of-cycle fix.

On the other hand, there's a risk to reputation. If your business relies on a reputation of being "secure", then it may look bad to potential customers/clients that you aren't following best practices (HTTPS everywhere).

EDIT: As per Jason Ross' answer, I should also mention that leaking credentials through cookies is possible when a user visits the insecure website and has logged into a web app on the same domain, and the cookies were also improperly set (missing SECURE bit).






– Daisetsu, answered 11 hours ago, edited 5 hours ago

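The cookie conditions in Jason Ross's answer and in Daisetsu's EDIT can be checked mechanically rather than by eye. The following is an added example, not code from either answer: it parses the Set-Cookie headers an application emits and, applying the RFC 6265 domain-match and Secure rules a browser uses, reports which cookies would travel in clear text if a user followed a plain-http link such as the footer link in the question. The hostnames and cookie values are constructed for illustration, and the helper also reports the full set a browser would attach to any URL, which is the general form of the same check.

```python
# Added example (not from the answers above): given the Set-Cookie headers an
# application emits, decide which cookies a browser would attach to a request
# for a linked URL, following the RFC 6265 domain-match and Secure rules.
# Hostnames and cookie values below are constructed for illustration.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    domain: str      # lower-case, no leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute
    secure: bool     # True when the Secure attribute was present


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Minimal RFC 6265 parse of one Set-Cookie header value.

    HttpOnly is deliberately ignored: it stops script access, but has no
    effect on whether the cookie is transmitted over the network."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain = None
    secure = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and value.strip():
            domain = value.strip().lower().lstrip(".")
        elif key == "secure":
            secure = True
    if domain is None:
        # No Domain attribute: host-only cookie, bound to the setting host.
        return Cookie(name, request_host.lower(), True, secure)
    return Cookie(name, domain, False, secure)


def domain_matches(host: str, cookie: Cookie) -> bool:
    """RFC 6265 5.1.3: host-only cookies need an exact host match; domain
    cookies match the domain itself and every subdomain of it."""
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def cookies_sent_to(cookies, url: str):
    """Names of the cookies a browser would attach to a request for url."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    over_tls = parts.scheme == "https"
    return [c.name for c in cookies
            if domain_matches(host, c) and (over_tls or not c.secure)]


def plaintext_leaks(set_cookie_headers, app_host: str, link_url: str):
    """Cookies that would travel in clear text if a user follows link_url.

    This is exactly the three-condition scenario: the cookie is in scope for
    the linked host, the link is plain http, and the cookie lacks Secure.
    An https link leaks nothing, so the result is [] in that case."""
    if urlsplit(link_url).scheme == "https":
        return []
    jar = [parse_set_cookie(h, app_host) for h in set_cookie_headers]
    return cookies_sent_to(jar, link_url)


# Constructed sample: the web app lives at app.example.com, the showcase site
# at www.example.com, and the footer link points at the plain-http showcase.
APP_HOST = "app.example.com"
SAMPLE_HEADERS = [
    "session=s3cr3t; Domain=example.com; Path=/; HttpOnly",   # broad scope, no Secure
    "csrftoken=t0k3n; Domain=example.com; Path=/; Secure",    # broad scope, Secure
    "prefs=dark; Path=/; HttpOnly",                           # host-only, no Secure
]

if __name__ == "__main__":
    print(plaintext_leaks(SAMPLE_HEADERS, APP_HOST, "http://www.example.com/"))
    # -> ['session']
```

Only the broadly scoped cookie without Secure shows up; adding `Secure` to it, or dropping the `Domain` attribute so it stays host-only, makes the list empty for the same link.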































In many modern enterprise deployment scenarios, application developers do not worry about HTTPS at all, as this is a concern of the infrastructure team. In these cases SSL is terminated on the load balancer, and the certs are managed by the infrastructure team. The load balancer would also serve the http -> https redirect by default.

With this view of the world, where the app redirects to does not really matter that much. For consistency it's better to use the current protocol and not http or https specifically, so your application works equally well in dev (without TLS) or in prod (with TLS).
























  • As Jason Ross pointed out, if cookies don't have the Secure flag then passive MitM is a concern even if it redirects. To prevent active MitM, links must be to HTTPS and not HTTP (HSTS mostly mitigates this, but not entirely). It also shouldn't be terribly difficult to use TLS in a development environment anyway.

    – AndrolGenhald
    6 hours ago

  • @AndrolGenhald yep, true. Assume that cookies do have the Secure flag as per best practices. As for "terribly difficult", it's subjective. Not difficult at all for you and me, but from my experience more than a couple of people needed help with that. In a working environment where any friction during development should be minimized, this is not an unreasonable thing to ask to take this off developers' shoulders.

    – Andrew Savinykh
    6 hours ago











      Your Answer








      StackExchange.ready(function()
      var channelOptions =
      tags: "".split(" "),
      id: "162"
      ;
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function()
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled)
      StackExchange.using("snippets", function()
      createEditor();
      );

      else
      createEditor();

      );

      function createEditor()
      StackExchange.prepareEditor(
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader:
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      ,
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      );



      );













      draft saved

      draft discarded


















      StackExchange.ready(
      function ()
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205446%2fa-link-redirect-to-http-instead-of-https-how-critical-is-it%23new-answer', 'question_page');

      );

      Post as a guest















      Required, but never shown

























      3 Answers
      3






      active

      oldest

      votes








      3 Answers
      3






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      5














      In general, the risk is low, as other answers here indicate. However, there is a scenario where risk is introduced:



      • You have session tokens being passed as cookie data

      • The cookies are scoped in such a way that the other (non-https) site has access to them

      • The cookies do not have the secure flag set

      In the case that all of those are present, the session tokens may be intercepted via man-in-the-middle (MiTM) attack; since the browser will send them to the other site automatically, and they will be sent in plain text rather than over the encrypted HTTPS stream.



      That's a fairly specific set of criteria, and MiTM attack is semi-tough to pull off, so how much real risk this presents should be decided based on 1) whether your site has all 3 of those criteria present, and 2) how sensitive the information in your application is.






      share|improve this answer








      New contributor




      Jason Ross is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.
























        5














        In general, the risk is low, as other answers here indicate. However, there is a scenario where risk is introduced:



        • You have session tokens being passed as cookie data

        • The cookies are scoped in such a way that the other (non-https) site has access to them

        • The cookies do not have the secure flag set

        In the case that all of those are present, the session tokens may be intercepted via man-in-the-middle (MiTM) attack; since the browser will send them to the other site automatically, and they will be sent in plain text rather than over the encrypted HTTPS stream.



        That's a fairly specific set of criteria, and MiTM attack is semi-tough to pull off, so how much real risk this presents should be decided based on 1) whether your site has all 3 of those criteria present, and 2) how sensitive the information in your application is.






        share|improve this answer








        New contributor




        Jason Ross is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.






















          5












          5








          5







          In general, the risk is low, as other answers here indicate. However, there is a scenario where risk is introduced:



          • You have session tokens being passed as cookie data

          • The cookies are scoped in such a way that the other (non-https) site has access to them

          • The cookies do not have the secure flag set

          In the case that all of those are present, the session tokens may be intercepted via man-in-the-middle (MiTM) attack; since the browser will send them to the other site automatically, and they will be sent in plain text rather than over the encrypted HTTPS stream.



          That's a fairly specific set of criteria, and MiTM attack is semi-tough to pull off, so how much real risk this presents should be decided based on 1) whether your site has all 3 of those criteria present, and 2) how sensitive the information in your application is.






          share|improve this answer








          New contributor




          Jason Ross is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.










          In general, the risk is low, as other answers here indicate. However, there is a scenario where risk is introduced:



          • You have session tokens being passed as cookie data

          • The cookies are scoped in such a way that the other (non-https) site has access to them

          • The cookies do not have the secure flag set

          In the case that all of those are present, the session tokens may be intercepted via man-in-the-middle (MiTM) attack; since the browser will send them to the other site automatically, and they will be sent in plain text rather than over the encrypted HTTPS stream.



          That's a fairly specific set of criteria, and MiTM attack is semi-tough to pull off, so how much real risk this presents should be decided based on 1) whether your site has all 3 of those criteria present, and 2) how sensitive the information in your application is.







          share|improve this answer








          New contributor




          Jason Ross is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.









          share|improve this answer



          share|improve this answer






          New contributor




          Jason Ross is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.









          answered 11 hours ago









          Jason RossJason Ross

          513




          513




          New contributor




          Jason Ross is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.





          New contributor





          Jason Ross is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.






          Jason Ross is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.























              5














              If your website is purely static and doesn't contain any login or sensitive data, then the risk on a technical level is likely low, and may not warrant an out of cycle fix.



              On the other hand there's a risk to reputation. If your business relies on a reputation of being "secure" then it may look bad to potential customers/clients that you aren't following best practices (https everywhere).



              EDIT: As per Jason Ross' answer I should also mention that leaking credentials through cookies is possible when a user visits the insecure website, and has logged into a web app on the same domain and the cookies were also improperly set (missing SECURE bit)






              share|improve this answer





























                5














                If your website is purely static and doesn't contain any login or sensitive data, then the risk on a technical level is likely low, and may not warrant an out of cycle fix.



                On the other hand there's a risk to reputation. If your business relies on a reputation of being "secure" then it may look bad to potential customers/clients that you aren't following best practices (https everywhere).



                EDIT: As per Jason Ross' answer I should also mention that leaking credentials through cookies is possible when a user visits the insecure website, and has logged into a web app on the same domain and the cookies were also improperly set (missing SECURE bit)






                share|improve this answer



























                  5












                  5








                  5







                  If your website is purely static and doesn't contain any login or sensitive data, then the risk on a technical level is likely low, and may not warrant an out of cycle fix.



                  On the other hand there's a risk to reputation. If your business relies on a reputation of being "secure" then it may look bad to potential customers/clients that you aren't following best practices (https everywhere).



                  EDIT: As per Jason Ross' answer I should also mention that leaking credentials through cookies is possible when a user visits the insecure website, and has logged into a web app on the same domain and the cookies were also improperly set (missing SECURE bit)






                  share|improve this answer















                  If your website is purely static and doesn't contain any login or sensitive data, then the risk on a technical level is likely low, and may not warrant an out of cycle fix.



                  On the other hand there's a risk to reputation. If your business relies on a reputation of being "secure" then it may look bad to potential customers/clients that you aren't following best practices (https everywhere).



                  EDIT: As per Jason Ross' answer I should also mention that leaking credentials through cookies is possible when a user visits the insecure website, and has logged into a web app on the same domain and the cookies were also improperly set (missing SECURE bit)







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited 5 hours ago

























                  answered 11 hours ago









                  DaisetsuDaisetsu

                  4,21811021




                  4,21811021





















                      -1














                      In many modern enterprise deployment scenarios application developers do not worry about https at all as this is a concern of the infrastructure team. In these cases SSL is terminated on the Load Balancer, and the certs are managed by the infrastructure team. The Load Balancer also would serve the http -> https redirect by default.



                      With this view of the world, where the app redirects to does not really matter that much. For consistency it's better to use the current protocol and not http or https specifically, so your application works equally well in dev (without tls) or in prod (with tls).






answered 7 hours ago
Andrew Savinykh (reputation 815)

As Jason Ross pointed out, if cookies don't have the secure flag then passive MitM is a concern even if it redirects. To prevent active MitM, links must be to HTTPS and not HTTP (HSTS mostly mitigates this, but not entirely). It also shouldn't be terribly difficult to use TLS in a development environment anyway.

– AndrolGenhald
6 hours ago

@AndrolGenhald yep, true. Assume that cookies do have the secure flag as per best practices. As for "terribly difficult", it's subjective. Not difficult at all for you and me, but from my experience more than a couple of people needed help with that. In a working environment where any friction during development should be minimized, this is not an unreasonable thing to ask in order to take this off developers' shoulders.

– Andrew Savinykh
6 hours ago
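The answer above recommends that an application behind a TLS-terminating load balancer redirect using "the current protocol", and the comments add that the session cookie then needs the Secure flag. The following is an added example, not code from the answer or from any project on this page, showing how an application can do both safely: it determines the client's scheme from the X-Forwarded-Proto header only when the connection comes from a known load balancer (the addresses in TRUSTED_PROXIES are constructed placeholders), builds a same-scheme Location, and adds the Secure flag and an HSTS header only on https. The Request class, the header name and the sample requests are assumptions made for the example.

```python
# Added example (not from the answer or any project on the page): how an
# application behind a TLS-terminating load balancer can determine the
# "current protocol" safely and derive its redirects and cookies from it.
# X-Forwarded-Proto is the usual convention for the load balancer to pass
# the original scheme; the trusted proxy addresses are constructed placeholders.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet

# Constructed: addresses of the load balancers allowed to assert the
# original client scheme. A peer that is not one of these could set the
# header to anything, so its claim is ignored.
TRUSTED_PROXIES: FrozenSet[str] = frozenset({"10.0.0.10", "10.0.0.11"})


@dataclass
class Request:
    peer_ip: str                      # address of whoever connected to the app
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    tls_on_app: bool = False          # True only if the app itself terminates TLS


def effective_scheme(req: Request) -> str:
    """Scheme the client used, as far as the app can trust it.

    If the app terminates TLS itself, that is authoritative. Otherwise the
    X-Forwarded-Proto header is honoured only when the immediate peer is a
    known load balancer; any other peer is treated as plain http.
    """
    if req.tls_on_app:
        return "https"
    if req.peer_ip in TRUSTED_PROXIES:
        # Take the first value in case several proxies appended to the header.
        xfp = req.headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if xfp in ("http", "https"):
            return xfp
    return "http"


def redirect_location(req: Request, target_path: str) -> str:
    """Absolute Location that keeps the current protocol: https stays https
    in production, and a TLS-less dev environment keeps working."""
    return f"{effective_scheme(req)}://{req.host}{target_path}"


def session_cookie(req: Request, name: str, value: str) -> str:
    """Set-Cookie value. Secure is added whenever the request arrived over
    https, so a later plain-http request never carries the session cookie
    (the passive-MitM case raised in the comments)."""
    attrs = [f"{name}={value}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if effective_scheme(req) == "https":
        attrs.append("Secure")
    return "; ".join(attrs)


def response_headers(req: Request, target_path: str) -> Dict[str, str]:
    """Headers for a redirect response. Browsers only honour HSTS on an
    https response, so the header is attached only there."""
    hdrs = {"Location": redirect_location(req, target_path)}
    if effective_scheme(req) == "https":
        hdrs["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
    return hdrs


if __name__ == "__main__":
    # Constructed sample requests: one via the load balancer over TLS, one
    # from an untrusted peer that sets the header itself, one local dev run.
    via_lb = Request("10.0.0.10", "app.example", "/login",
                     {"X-Forwarded-Proto": "https"})
    direct = Request("203.0.113.7", "app.example", "/login",
                     {"X-Forwarded-Proto": "https"})
    dev = Request("127.0.0.1", "localhost:8000", "/login")
    for r in (via_lb, direct, dev):
        print(response_headers(r, "/home"), session_cookie(r, "sid", "abc"))
```

The check on `peer_ip` is the part that is easy to forget when the infrastructure team owns TLS: the application only gets the protocol right if it knows which peers are allowed to tell it, and the same scheme decision then drives the redirect target, the cookie flag and HSTS consistently.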

















