> I'd suggest to keep the HTTP vhost for pure redirects and additionally set 
> the Strict-Transport-Security header on HTTPS requests. With the header, most 
> browsers will cache the information that HTTPS is enabled for your site and 
> even enforce it for the time you set in the header.

If all of your domain and its subdomains are HTTPS - you could look at using
preload on the HSTS header...

        Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

and then submit the domain to https://hstspreload.org/

Most of the mainstream browsers will know not to send HTTP requests - and
instead send HTTPS requests. This works better than the redirect, as with the
redirect the payload has already been sent unencrypted before being resent,
and also POST data is in the redirect.


James



-- 
 The Wellcome Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE.
