Security Assessment 101: Skip HTTP and just use HTTPS

So you built this awesome business web app.  You sold it to your customer and it's now in production.  You're using SSL, and it's even configured according to best practices (see my previous post on securing SSL).  But what happens when a user goes to your web application?  It probably redirects them from HTTP to HTTPS so the user can log in over SSL.

Why do that???

That is the question to ask yourself.  Why redirect users from HTTP to HTTPS to log in?  Why not ALWAYS use SSL???  I really do not believe you need HTTP or port 80 turned on at all for business web applications.  Here are my assumptions about a business web application:

  • Most interactions with your site are behind the login page.  By most, I really mean like 99%.
  • The data is sensitive, company proprietary, etc.
  • You have employee information, financial information, etc.

So in this scenario, there is no real reason to have HTTP bindings set up in IIS for your site.  Turn port 80 off on the firewall and only allow port 443.  Don't even give the hacker a chance to see the traffic over HTTP, or an avenue to attack your server over port 80.
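Here is an added example (my own audit script, not part of the original post) that checks an IIS server for the two things above: leftover HTTP site bindings and an open inbound port 80 on the host firewall.  It assumes the WebAdministration and NetSecurity modules that ship with Windows Server/IIS, an elevated PowerShell session, and a rule name I made up; it only reports unless you run it with -Remediate.

```powershell
# Added example: audit (and optionally fix) HTTP exposure on an IIS host.
# Assumes Windows Server with IIS (WebAdministration module) and NetSecurity.
# Run elevated. Without -Remediate it only reports; with it, changes are applied.
param(
    [switch]$Remediate
)

Import-Module WebAdministration -ErrorAction Stop

# 1. Make sure every site has an HTTPS binding before touching HTTP, so no site goes dark.
$sitesWithoutHttps = @(Get-Website | Where-Object {
    -not (Get-WebBinding -Name $_.Name -Protocol https)
})
foreach ($site in $sitesWithoutHttps) {
    Write-Warning ("Site '{0}' has no HTTPS binding; add one before removing HTTP." -f $site.Name)
}

# 2. Find every site binding that still uses plain HTTP.
$httpBindings = @(Get-WebBinding -Protocol http)
if ($httpBindings.Count -eq 0) {
    Write-Host "No HTTP bindings found; all sites are HTTPS-only."
} else {
    Write-Host "HTTP bindings still present:"
    foreach ($b in $httpBindings) {
        # ItemXPath identifies the site; bindingInformation is ip:port:hostname
        Write-Host ("  {0}  {1}" -f $b.ItemXPath, $b.bindingInformation)
    }
    if ($Remediate -and $sitesWithoutHttps.Count -eq 0) {
        # Remove only the http bindings; https bindings are left untouched.
        $httpBindings | Remove-WebBinding
        Write-Host "Removed all HTTP bindings."
    } elseif ($Remediate) {
        Write-Warning "Not removing HTTP bindings while some sites lack HTTPS."
    }
}

# 3. Block inbound TCP/80 on the host firewall (defence in depth behind the perimeter firewall).
$ruleName = "Block inbound HTTP (port 80)"   # constructed rule name for this example
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    if ($Remediate) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 80 -Action Block | Out-Null
        Write-Host "Added host firewall rule '$ruleName'."
    } else {
        Write-Host "No host firewall rule blocks inbound TCP/80 (run with -Remediate to add one)."
    }
} else {
    Write-Host "Host firewall rule '$ruleName' already present."
}
```

The host firewall rule complements, rather than replaces, closing port 80 on the perimeter firewall; run the script again after remediation to confirm both checks come back clean.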

But what about the customer???

They won't know to use HTTPS...  For me this is a pretty easy answer.  When sending the welcome package to your customer, explain to them why you did this and tell them the URL is only accessible over HTTPS.  I have been doing this for years and yes, we have had a few calls to the help desk.  But VERY, VERY few calls.
