Is redirecting http to https a bad idea?

南旧 2020-12-04 09:50

I'm reading over this page and it says that if a site is SSL and the user tries to access it via regular http, the application should not redirect the user to https. It sho

6 answers
  •  予麋鹿 (OP)
    2020-12-04 10:21

    I've only just noticed this question, but I've written a couple of answers to similar questions:

    • Webmasters.SE: How to prevent access to website without SSL connection?
    • Force HTTPS for specific URL

    I don't think redirecting from HTTP to HTTPS is necessarily harmful, but this should be done carefully. What's important is that you shouldn't rely on these automatic redirections to be present during the development phase. They should at most be used for users who type the address in the browser by themselves.

    It's also solely the responsibility of the user to check that they're using HTTPS (and that the certificate is verified without warning) when they expect it.

    The actual risk of switching from HTTP to HTTPS is that you can reliably trust what was done before the switch, if you choose to keep the session. The flow and process of your website should take this into account.

    For example, if your users browse your shopping site and add various items into the cart using HTTP and you plan to use HTTPS to get the payment details, you should also make the user confirm the content of their basket using HTTPS.

    In addition, when switching from HTTP to HTTPS, you may have to re-authenticate the user and to discard the plain HTTP session identifier, if any. Otherwise, an attacker might be able to use that cookie to move to that HTTPS section of the site too and potentially impersonate the legitimate user.

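The answer above describes three things a site should do at the HTTP to HTTPS boundary: redirect without trusting anything done over plain HTTP, carry the basket over but require it to be re-confirmed, and rotate (rather than reuse) a session identifier that was ever sent in the clear, forcing re-authentication. The following is an added example written for this page, not code from the answerer or from any framework; it uses a constructed in-memory session store and the hypothetical host `shop.example`, and the request handler is a plain function standing in for a real web framework's middleware.

```python
import secrets
from urllib.parse import urlsplit, urlunsplit

SESSION_COOKIE = "sid"


class SessionStore:
    """Constructed in-memory stand-in for a server-side session store."""

    def __init__(self):
        self._sessions = {}

    def create(self, over_https, data=None):
        # Record whether the identifier has only ever travelled over TLS.
        session = {"over_https": over_https, "authenticated": False,
                   "cart": [], "cart_confirmed": False}
        session.update(data or {})
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = session
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def https_redirect_location(url):
    """Rewrite an absolute http:// URL to https://, keeping host, path and query."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("only http:// URLs are redirected")
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, ""))


def handle_request(store, url, cookie_sid=None):
    """Return (status, headers, sid, session) for one request.

    Plain-HTTP requests are redirected and nothing about their session is
    trusted or changed.  On HTTPS, a session id that was ever issued over
    HTTP is discarded and replaced: the cart is carried across but flagged
    as unconfirmed and the user is no longer considered authenticated.
    """
    if urlsplit(url).scheme == "http":
        # HSTS is deliberately not sent here: browsers ignore it on plain HTTP.
        return 301, {"Location": https_redirect_location(url)}, cookie_sid, store.get(cookie_sid)

    headers = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    session = store.get(cookie_sid)
    if session is None:
        sid = store.create(over_https=True)
    elif not session["over_https"]:
        # The old id was exposed on the wire, so an attacker may hold it.
        # Keep the basket, but require re-confirmation and re-authentication.
        carried = {"cart": list(session["cart"]),
                   "cart_confirmed": False, "authenticated": False}
        store.destroy(cookie_sid)
        sid = store.create(over_https=True, data=carried)
    else:
        sid = cookie_sid
    # Secure stops the browser from ever sending the new id over plain HTTP.
    headers["Set-Cookie"] = f"{SESSION_COOKIE}={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
    return 200, headers, sid, store.get(sid)
```

The `over_https` flag is what makes the rotation decision possible: a session created by the plain-HTTP part of the site (the cart pages in the answer's example) is marked as such when it is created, and the first HTTPS request that presents it swaps it for a fresh identifier. Destroying the old id, not merely ignoring it, is what stops someone who sniffed it from walking into the HTTPS section with it.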