Some time ago I had found a way to prevent the browser from establishing any unsecured connections to a server. I already redirect my users from HTTP to HTTPS, but if a user sends a request with sensitive data to HTTP first and gets a redirect to HTTPS, the data has already been sent to the server via HTTP.
3 Answers
2
There is absolutely nothing you can do to prevent anyone from sending data in clear text. The only control you have is how your server responds to it, if at all. With that in mind, I suggest you use normal means to either reject the request outright or to simply redirect it to HTTPS. Realistically there is nothing else you can do.
John Gardeniers
- 27,558
1
I was searching for the HTTP Strict-Transport-Security Header. http://hacks.mozilla.org/2010/08/firefox-4-http-strict-transport-security-force-https/
Maximilian Ruta
- 153
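As an added example (not part of any answer here, and not code from any browser): a minimal Python model of how a browser applies the Strict-Transport-Security header under RFC 6797. It shows that the first plain-HTTP request still goes out in clear text and that later ones are upgraded; the class name, method names and the host shop.example are constructed for illustration.

```python
import re


class HstsStore:
    """Illustrative model of a browser's HSTS cache (RFC 6797); names are hypothetical."""

    def __init__(self):
        self._hosts = {}  # host -> (expiry time in seconds, include_subdomains)

    @staticmethod
    def parse(header):
        """Return (max_age, include_subdomains), or None if the header is invalid."""
        seen = {}
        for part in header.split(";"):
            part = part.strip()
            if not part:
                continue
            name, _, value = part.partition("=")
            name = name.strip().lower()      # directive names are case-insensitive
            if name in seen:                 # a repeated directive invalidates the header
                return None
            seen[name] = value.strip().strip('"')
        if not re.fullmatch(r"\d+", seen.get("max-age", "")):
            return None                      # max-age is required
        return int(seen["max-age"]), "includesubdomains" in seen

    def note_response(self, scheme, host, header, now):
        """Record a policy; a header received over plain HTTP is ignored."""
        policy = self.parse(header) if scheme == "https" else None
        if policy is None:
            return
        max_age, subs = policy
        if max_age == 0:
            self._hosts.pop(host, None)      # max-age=0 removes the stored policy
        else:
            self._hosts[host] = (now + max_age, subs)

    def scheme_for(self, scheme, host, now):
        """Scheme the browser actually uses for a request written with `scheme`."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            # A parent domain's policy applies only if it set includeSubDomains.
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return "https"
        return scheme
```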
0
You could configure the webserver to not listen on port 80. This way there will be no TCP handshake and the browser will not even send its first data packet. Obviously, the redirection will then no longer work.
leepfrog
- 488