> > http is an insecure protocol. I don't want my website to run on > http. So, I am hardcoding https in links in my website that refer to > pages in my website. > > > Now, I know that you will write why not redirect http to https by > default.
No because that is not relevant to me and what I would like to address. I am even deploying https on tasks in private air-gapped environments. This is not a discussion about whether or not https should be used and when. > The problem with this is that if the website gets migrated to > different provider and if people forget to redirect http to https in new > setup then it will become a security problem. I know there are many idiots out there and your concern is very valid. Most of the security breaches you read about is about such issues. However, can you imagine the apache dev team thinking like you? Hard coding everything to https? Can you imagine all http ports of tomcat, httpd, jboss etc. being dropped? These people have been making rock solid applications for decades they don't lecture others how to use or not use https. You will never match them in any way, why not follow their lead? > Hardcoding https solves all issues. > A few years back I had an argument with apple developers. They were having in the build process of the calendar server openssl. The developers thought for security purposes it would be better to include it in the build. This resulted in that calenderservers were always having an old insecure openssl, because the openssl updated by the distribution was not used. (and nobody is going to build the application frequently) This is what happens when application developers think they are security geniuses. The point I am trying to make is that you as an application developer should be focussed on developing your application it is not your business how this application is hosted. You should not concern yourself with things you are not experienced in/with. Especially when it comes to something as crucial as security. You are not removing ca certs from the trust store, your are not setting secure ciphers, you are not setting limits on key sizes etc. Why would you then even bother with https or http? With your argument you might as well hard code the domain name in your application (like wordpress) and hardcode root name servers etc. If you buy an egg in the store, it does not come with any requirement that it should be used only for making cakes. Grasp this concept. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
