Forum Discussion
Removal of "s" from HTTPS loads page in HTTP
I am facing a security problem on my website. My website starts from an HTTP page (searching for a product, selecting it, and proceeding to payment and the user's information). My user's information page and every page thereafter until the purchase confirmation page are HTTPS pages.
But when I remove the "s" from https in the browser URL and press Enter, the whole page gets loaded in HTTP mode, which is a security breach for my site.
I don't know how to stop that. What I need is that if the user removes the "s" from the URL and presses Enter, it should either restrict the user from doing so and load the page again as HTTPS, or redirect the user to an error page.
My application runs on an IIS server with the certificate installed at the load balancer. Please help me with a solution. Thanks.
2 Replies
- Michael_Yates
Nimbostratus
Hi Neeraj,
You know your website better than I, but generally those sections of the site are on different physical pages (take you down into an entirely different area of the site).
Example:
For normal shopping and browsing - HTTP - http://www.website.com/shoping
For purchases - HTTPS - https://www.website.com/purchase
I would suggest writing an iRule that basically looks for the secure areas of the site (based on the URI) and forces HTTPS.
An iRule something like what is below. This will detect the "Secured Area URI" and see if the communication is on the Secured Port. If so, send it to the servers normally. If not, redirect them to the same exact location in the Secure Area:

    when HTTP_REQUEST {
        # -glob is required for "/purchase*" to be matched as a pattern
        switch -glob [string tolower [HTTP::uri]] {
            "/purchase*" {
                if { [TCP::local_port] == 443 } {
                    # Purchase Area Requires Security
                    pool secure.pool.servers
                } else {
                    # If not on Secure Port, force Redirect
                    HTTP::redirect "https://[HTTP::host][HTTP::uri]"
                }
            }
        }
    }
Hope this helps.
- AtulAnand
Altostratus
You can create a VIP on F5 LTM with same IP but port 80 and use a simple iRule to redirect the URL to port 443.
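Added example, not part of the original thread and not F5 code: a small Python check for the behaviour both replies aim for, namely that a plain-HTTP request to a secure path is redirected to the same location over HTTPS. The function names and the sample responses are constructed for illustration; `www.website.com` and `/purchase` are the placeholder host and path from the first reply.

```python
import http.client
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def fetch_no_follow(host, path, port=80, timeout=5):
    """One plain-HTTP GET; returns (status, Location) without following it."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def judge(host, path, status, location):
    """Decide whether the answer to http://host/path enforces HTTPS."""
    if status not in REDIRECTS:
        return False, f"answered over HTTP with status {status}"
    target = urlsplit(location or "")
    if target.scheme != "https":
        return False, "redirect target is not an https:// URL"
    if (target.hostname or "").lower() != host.lower():
        return False, "redirect leaves the requested host"
    if target.port not in (None, 443):
        return False, f"redirect keeps port {target.port}"
    asked = urlsplit(path)
    if (target.path, target.query) != (asked.path, asked.query):
        return False, "redirect does not keep the requested location"
    return True, "redirected to the same location over HTTPS"

# Constructed sample answers (status, Location) keyed by requested path.
SAMPLES = {
    "/purchase/card?id=7": (302, "https://www.website.com/purchase/card?id=7"),
    "/Purchase/card": (200, None),  # mixed-case path served without redirect
    "/purchase/confirm": (302, "https://www.website.com:80/purchase/confirm"),
    "/purchase/pay": (302, "https://www.website.com/"),
}

def audit(host, answers):
    """Map each requested path to (ok, reason)."""
    return {p: judge(host, p, s, loc) for p, (s, loc) in answers.items()}

if __name__ == "__main__":
    for path, (ok, reason) in audit("www.website.com", SAMPLES).items():
        print("PASS" if ok else "FAIL", path, "-", reason)
```

For a live check, pass the result of `fetch_no_follow(host, path)` to `judge` for each secure path, including mixed-case variants of the path.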