I have just added support SSL on my website
However unlike most websites if you go to Http it doesn't automatically change to Https
The system administrator resolved this by configuring a permanent redirect 301, however the server is also used to verify licenses from my Java desktop application, and the permanent redirect caused the code to fail because it just receives Http response 301 so we had to remove the 301
So is there another way for a user to enter the non ssl url and it change to the secure version without breaking my application code that makes calls to non ssl url as well.
FOR BROWSER(S) ONLY you can redirect with meta-refresh or javascript instead of HTTP; Java won't interpret meta or js even if your response to an application request is HTML, which APIs usually aren't. This is not a permanent redirect so it satisfies the constraint unnecessarily stated in your Q, but you could add HSTS (on the HTTPS connection only) so that subsequent browser requests to this domain (and optionally any subdomains) are forced to HTTPS before sending, for a period of time (commonly several months or a year).
I have a website (userbob.com) that normally serves all pages as https. However, I am trying to have one subdirectory (userbob.com/tools/) always serve content as http. Currently, it seems like Chrome's HSTS feature (which I don't understand how it works) is forcing my site's pages to load over https. I can go to chrome://net-internals/#hsts and delete my domain from Chrome's HSTS set, and the next query will work as I want without redirecting to an https version. However, if I try to load the page a second time, it ends up redirecting again. The only way I can get it to work is if I go to chrome://net-internals/#hsts and delete my domain from Chrome's HSTS set after each request. How do I let browsers know that I want all my pages from userbob.com/tools/ to load as http? My site uses an apache/tomcat web server.
(Just FYI, the reason I want the pages in the tools directory to serve pages over http instead of https is because some of them are meant to iframe http pages. If I try to iframe an http page from an https page I end up getting mixed-content errors.)
HTTP Strict Transport Security (or HSTS) is a setting your site can send to browsers which says "I only want to use HTTPS on my site - if someone tries to go to a HTTP link, automatically upgrade them to HTTPS before you send the request". It basically won't allow you to send any HTTP traffic, either accidentally or intentionally.
This is a security feature. HTTP traffic can be intercepted, read, altered and redirected to other domains. HTTPS-only websites should redirect HTTP traffic to HTTPS, but there are various security issues/attacks if any requests are still initially sent over HTTP so HSTS prevents this.
The way HSTS works is that your website sends a HTTP Header Strict-Transport-Security with a value of, for example, max-age=31536000; includeSubDomains on your HTTPS requests. The browser caches this and activates HSTS for 31536000 seconds (1 year), in this example. You can see this HTTP Header in your browsers web developer tools or by using a site like https://securityheaders.io . By using the chrome://net-internals/#hsts site you are able to clear that cache and allow HTTP traffic again. However as soon as you visit the site over HTTPS it will send the Header again and the browser will revert back to HTTPS-only.
So to permanently remove this setting you need to stop sending that Strict-Transport-Security Header. Find this in your Apache/Tomcat server and turn it off. Or better yet change it to max-age=0; includeSubDomains for a while first (which tells the browser to clear the cache after 0 seconds and so turns it off without having to visit chrome://net-internals/#hsts, as long as you visit the site over HTTPS to pick up this Header, and then remove the Header completely later.
Once you turn off HSTS you can revert back to having some pages on HTTPS and some on HTTP with standard redirects.
However it would be remiss of me to not warn you against going back to HTTP. HTTPS is the new standard and there is a general push to encourage all sites to move to HTTPS and penalise those that do not. Read his post for more information:
https://www.troyhunt.com/life-is-about-to-get-harder-for-websites-without-https/
While you are correct that you cannot frame HTTP content on a HTTPS page, you should consider if there is another way to address this problem. A single HTTP page on your site can cause security problems like leaking cookies (if they are not set up correctly). Plus frames are horrible and shouldn't be used anymore :-)
You can use rewrite rules to redirect https requests to http inside of subdirectory. Create an .htaccess file inside tools directory and add the following content:
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Make sure that apache mod_rewrite is enabled.
Basically any HTTP 301 response from an HTTPS request indicating a target redirect to HTTP should never be honored at all by any browser, those servers doing that are clearly violating basic security, or are severaly compromized.
However a 301 reply to an HTTPS request can still redirect to another HTTPS target (including on another domain, provided that other CORS requirements are met).
If you navigate an HTTPS link (or a javascript event handler) and the browser starts loading that HTTPS target which replies with 301 redirect to HTTP, the behavior of the browser should be like if it was a 500 server error, or a connection failure (DNS name not resolved, server not responding timeout).
Such server-side redirect are clearly invalid. And website admins should never do that ! If they want to close a service and inform HTTPS users that the service is hosted elsewhere and no longer secure, they MUST return a valid HTTPS response page with NO redirect at all, and this should really be a 4xx error page (most probably 404 PAGE NOT FOUND) and they should not redirect to another HTTPS service (e.g. a third-party hosted search engine or parking page) which does not respect CORS requirements, or sends false media-types (it is acceptable to not honor the requested language and display that page in another language).
Browsers that implement HSTS are perfectly correct and going to the right direction. But I really think that CORS specifications are a mess, just tweaked to still allow advertizing network to host and control themselves the ads they broadcast to other websites.
I strongly think that serious websites that still want to display ads (or any tracker for audience measurement) for valid reasons can host these ads/trackers themselves, on their own domain and in the same protocol: servers can still get themselves the ads content they want to broadcast by downloading/refreshing these ads themselves and maintaining their own local cache. They can track their audience themselves by collecting the data they need and want and filtering it on their own server if they want this data to be analysed by a third party: websites will have to seriously implement thelselves the privacy requirements.
I hate now those too many websites that, when visited, are being tracked by dozens of third parties, including very intrusive ones like Facebook and most advertizing networks, plus many very weak third party services that have very poor quality/security and send very bad content they never control (including fake ads, fake news, promoting illegal activities, illegal businesses, invalid age rating...).
Let's return to the origin of the web: one site, one domain, one third party. This does not mean that they cannot link to other third party sites, but these must done only with an explicit user action (tapping or clicking), and visitors MUST be able to kn ow wherre this will go to, or which content will be displayed.
This is even possible for inserting videos (e.g. Youtube) in news articles: the news website can host themselves a cache of static images for the frame and icons for the "play" button: when users click that icon, it will start activating the third party video, and in that case the thirf party will interact directly with that user and can collect other data. But the unactivated contents will be tracked only by the origin website, under their own published policy.
In my local development environment I use apache server. What worked for me was :
Open you config file in sites-availabe/yoursite.conf. then add the following line inside your virtualhost:
Header always set Strict-Transport-Security "max-age=0". Restart your server.
I have a domain example.co.uk on an Apache web server that is secured with a letsencrypt ssl certificate. Currently it redirects all http requests to https. I have also setup redirects from non-www to www, meaning all traffic ends up at https://www.example.co.uk
So I have four variations of the URL that always end up at this location:
http://example.co.uk
https://example.co.uk
http://www.example.co.uk
https://www.example.co.uk
I am trying to set up Google Search Console and Analytics. My question is which URLs do I need to add in to the two? Currently I have all four variations set up in Search Console with a sitemap attached to them all, or do I only need to do this for one? I have told the https www URL to prefer www in search results, which changes it for all four variations.
In Analytics should I only add https://www.example.co.uk as this is where all the traffic ends up, or do I need to add all variations of the URL to see all the traffic?
Short answer: no, unless you are migrating an existing site to https for the first time.
If all requests for your site eventually redirect to https://www.example.co.uk via a permanent 301 status code, then there isn't any benefit to adding all the links in Google Search Console. This feature is useful if you have duplicate content, such as an http site that you can't redirect to your https version for some reason, or if you've just migrated your site to a different domain name or URL scheme. If you're migrating an existing site to https, you can track how many http pages are still indexed while watching your https pages get indexed separately.
Otherwise, if you add all four links, you'll only see pages on the https://www.example.co.uk site get indexed. The Search Console allows you to track your site in the Google index, and if you are using 301 redirects then Google should never index the non-http versions of your site.
I use BlueHost for LearnInternetGrow.com and I have all www addresses being redirected to non www. I did this so that my organic search results would start with my domain name.
I recently set up SSL for the site but may not keep it in the long run.
I have backlinks that are hard coded with http://learninternetgrow.com. I want to redirect all types of variations of the address
(http://learninternetgrow.com http://www.learninternetgrow.com https://www.learninternetgrow.com)
to https://learninternetgrow.com. I want to do it this way so that if I get rid of SSL (which comes with a premium) I don't have to get Google to recrawl the site and redo all the backlinks.
I feel like my logic may be faulty. Has anyone used a 301 redirect to send all traffic to a secure version of their site. I started without SSL because the site is just a blog without any sign ins, but I read that SEO can get a boost if I use SSL. So this is really a test to see if the premium is worth the SEO bump. If it isn't I will get rid of it but I want to minimize the work necessary for this test.
Please let me know if you have done a similar test and how you did it. If you started with an http site and upgraded to TLS (SSL) how did you go about doing it without hurting your organic traffic.
The main questions is - When upgrading to SSL on WordPress, should one redirect to Https at the server level or change wordpress settings - WordPRess address URL to https:// or should I do both.
To get that "boost" your https but do done properly :
301 (permanent) redirect
Avoid mixed content
So you need to change the wordpress address in the settings to avoid mixed content, and add the 301 redirect directly in the server configuration if possible.
Wait at least 2 week before start looking for a boots. The boost will be small but don't forget :
https is not about SEO boost, it's about security of your visitor and integrity of your website (some ISP inject ads inside http websites...)
I'm building a site with Umbraco, and there are a couple of pages that need to be visited over HTTPS instead of HTTP (e.g. a login page).
I've seen a couple of macros that get put on the page that needs to use HTTPS, and essentially just check the protocol used and do a Response.Redirect with the correct protocol if necessary. This seems like a terrible way of achieving what seems to be a fairly basic requirement - ideally I'd want Umbraco to render any links to these pages as <a href="https://...", not do a redirect when the user goes to a page.
With these redirecting macros, there's also the possibility of a browser displaying a warning if the user's on an HTTPS page and navigates to a HTTP one. If the links are relative, the user will be redirected from HTTPS to HTTP, and the browser may warn about this.
Is there a way to achieve this without modifying any Umbraco framework code?
There's currently no built-in way to make a few pages in Umbraco return a https url.
The only way I can think of doing this at the moment is just by making sure that you set up your links correctly.
But there's no way of stopping people from entering the insecure link. That is where the redirects come in handy though, it will make sure you don't get to a secure page insecurely.
I would recommend running the whole site in https mode. In the past, performance would have been an objection to running your full site in https mode. However with modern servers, this really shouldn't be a problem any more.