1Answer
  • 4
name

A PHP Error was encountered

Severity: Notice

Message: Undefined index: userid

Filename: views/question.php

Line Number: 191

Backtrace:

File: /home/prodcxja/public_html/questions/application/views/question.php
Line: 191
Function: _error_handler

File: /home/prodcxja/public_html/questions/application/controllers/Questions.php
Line: 433
Function: view

File: /home/prodcxja/public_html/questions/index.php
Line: 315
Function: require_once

name Punditsdkoslkdosdkoskdo

Force HTTP to HTTPS redirect

I have a site on SharePoint and I have implemented HTTP To HTTPS redirect successfully.

However, if user goes to the URL and remove 's' from 'https' then site becomes accessible without SSL.

I want a way to force redirect the user to HTTPS in all cases. How can I achieve this using IIS or SharePoint Central Administration?

You could set up HSTS (RFC 6797) for the domain in question along with the redirection from HTTP to HTTPS. (HSTS is not supported if turned on for a HTTP site, and in fact including the HSTS header on a HTTP connection is a violation of the RFC; HTTPS must be used, and the RFC requires that any HSTS headers received over non-secure transports be ignored.)

By setting up HSTS (HTTP Strict Transport Security), you instruct any compliant web browser to:

  • refuse to connect to the server if there are any errors in the HTTPS establishment process
  • refuse to connect to the server over plain-text HTTP

for the duration of the max-age stated in the HSTS header.

Just make sure you don't mess up the HTTPS configuration or have a certificate problem, or you will lock people out. (Sections 8.4 Errors in Secure Transport Establishment and 12.1 No User Recourse.)

Most modern web browsers support HSTS, and turning it on does not cause any appreciable harm (a tiny extra HTTP header) for those that do not.

For additional usefulness, you should combine this with a fixed 301 Moved Permanently whenever a page is requested over HTTP, pointing at the corresponding location using HTTPS. Your question is a little unclear as to whether you actually have accomplished this or not; you say that you "have implemented HTTP To HTTPS redirect successfully", but if you had fully succeeded, the user would simply be redirected back to HTTPS whenever they try to access the site over HTTP. When used in conjunction with this, HSTS has the advantage that it instructs the browser to not use HTTP at all for the domain name in question; a 301 redirect applies only to a specific URL.

  • 5
Reply Report

Trending Tags