> I'd suggest to keep the HTTP vhost for pure redirects and additionally set the Strict-Transport-Security header on HTTPS requests. With the header, most browsers will cache the information that HTTPS is enabled for your site and even enforce it for the time you set in the header.

If all your domain and its subdomains are HTTPS - you could look at using preload on the HSTS header...

    Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

and then submit the domain to https://hstspreload.org/

Most of the mainstream browsers will know not to send HTTP requests - and instead send HTTPS requests. This works better than the redirect as with the redirect the payload has already been sent unencrypted before being resent, and also POST data is in the redirect.

James
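An added example, not part of the original message: a small checker that parses a Strict-Transport-Security value following the RFC 6797 grammar and reports what would block a preload submission. The function names are hypothetical, and the one-year minimum max-age is taken here as an assumption about the hstspreload.org submission requirements.

```python
import re

# Assumption: hstspreload.org requires max-age of at least one year.
PRELOAD_MIN_AGE = 31536000


def parse_hsts(value):
    """Parse an HSTS header value (RFC 6797, section 6.1).

    Returns a dict of lower-cased directive name -> value (None for flag
    directives). Raises ValueError for a header a browser would ignore.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar allows empty directives
        name, sep, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        val = val.strip().strip('"') if sep else None  # quoted values allowed
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val
    age = directives.get("max-age")
    if age is None or not re.fullmatch(r"\d+", age):
        raise ValueError("max-age missing or not a non-negative integer")
    directives["max-age"] = int(age)
    return directives


def preload_problems(value):
    """Return a list of reasons the header is not preload-ready (empty if OK)."""
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if d["max-age"] < PRELOAD_MIN_AGE:
        problems.append(f"max-age {d['max-age']} is below {PRELOAD_MIN_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains is missing")
    if "preload" not in d:
        problems.append("preload is missing")
    return problems


if __name__ == "__main__":
    # The header from the message above, then a constructed weak one.
    for hdr in ("max-age=63072000; includeSubDomains; preload", "max-age=300"):
        print(hdr, "->", preload_problems(hdr) or "preload-ready")
```

Run it against the value your HTTPS vhost actually returns before submitting the domain, since includeSubDomains with a long max-age also locks every subdomain into HTTPS for that period.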