This repository has been archived by the owner on Sep 5, 2023. It is now read-only.
Redirect straight from http://gov.uk to https://www.gov.uk #340
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
At the moment, requests to http://gov.uk are redirected to https://gov.uk and then to https://www.gov.uk. Why is it like this? -------------------- This was done deliberately because we wanted to get `gov.uk` in the HSTS preload list (which is a list of domains which browsers should always use HTTPS for). The Strict-Transport-Security header is ignored for plain http:// requests, so we needed to redirect to https://gov.uk to be able to serve the response in a way which would be respected by browsers. In the time since we added this redirect, `gov.uk` has been put on the HSTS preload list: https://github.com/chromium/chromium/blob/master/net/http/transport_security_state_static.json ``` { "name": "gov.uk", "policy": "custom", "mode": "force-https", "include_subdomains": false }, ``` Why should we change it now? ---------------------------- There's a theoritical web performance cost to the extra redirect. An extra TCP connection to gov.uk:443, and an extra TLS handshake for https://gov.uk, and an extra HTTP request. All of which we could have skipped if http://gov.uk redirected straight to https://www.gov.uk. This is mostly theoretical because gov.uk is on the HSTS preload list, so browsers won't make the first request (to http://gov.uk). This commit only changes the behaviour for the http:// redirect (the 801 virtual status code), so nothing will change for HSTS respecting user agents which never make http:// requests. User agents which don't follow HSTS (e.g. curl) will get a simpler redirect, which will be a little bit faster. Is there some risk of disaster here? ------------------------------------ We have to be very careful with gov.uk's HSTS status. There are lots of subdomain of gov.uk which still don't support https (including most of the domains we "transitioned"). Accidentally putting `gov.uk` on the HSTS preload list with includeSubdomains set would effectievly break all the http:// subdomains. This happened by accident in a version of IE in 2019 (due to a mistake on microsoft's side). This change should not increase the risk of that kind of issue - https://gov.uk will still serve the Strict-Transport-Security header, as it has since 2017.
richardTowers
force-pushed
the
remove-double-redirect
branch
from
3f6096b
to
e626325
Compare
|
See also https://bugs.chromium.org/p/chromium/issues/detail?id=700280#c9 which was the ticket that got |
ChrisBAshton
approved these changes
Jun 15, 2021
karlbaker02
approved these changes
Jun 15, 2021
sihugh
approved these changes
Jun 15, 2021
|
The Slack Seal has brought this back under scrutiny 😁 @richardTowers is there any reason why this wasn't merged? Is it something you'd like Platform Reliability to carefully roll out next sprint? |
|
🦭 I think this is so low value that (even though it's low risk) it's probably not worth doing. I've converted it to a draft to quieten the seal. Also coming back to it with a fresh set of eyes, I wonder if this wouldn't cause problems in non-production environments (staging and integration) since I hardcoded www.gov.uk 🤔 |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
At the moment, requests to http://gov.uk are redirected to https://gov.uk and
then to https://www.gov.uk.
Why is it like this?
This was done deliberately because we wanted to get
gov.ukin the HSTSpreload list (which is a list of domains which browsers should always use HTTPS
for).
The Strict-Transport-Security header is ignored for plain http:// requests, so
we needed to redirect to https://gov.uk to be able to serve the response in a
way which would be respected by browsers.
In the time since we added this redirect,
gov.ukhas been put on the HSTS preload list:https://github.com/chromium/chromium/blob/master/net/http/transport_security_state_static.json
Why should we change it now?
There's a theoritical web performance cost to the extra redirect. An extra TCP
connection to gov.uk:443, and an extra TLS handshake for https://gov.uk, and an
extra HTTP request. All of which we could have skipped if http://gov.uk redirected
straight to https://www.gov.uk.
This is mostly theoretical because gov.uk is on the HSTS preload list, so
browsers won't make the first request (to http://gov.uk).
This commit only changes the behaviour for the http:// redirect (the 801
virtual status code), so nothing will change for HSTS respecting user agents
which never make http:// requests.
User agents which don't follow HSTS (e.g. curl) will get a simpler redirect,
which will be a little bit faster.
Is there some risk of disaster here?
We have to be very careful with gov.uk's HSTS status. There are lots of
subdomain of gov.uk which still don't support https (including most of the
domains we "transitioned"). Accidentally putting
gov.ukon the HSTS preloadlist with includeSubdomains set would effectievly break all the http:// subdomains.
This happened by accident in a version of IE in 2019 (due to a mistake on microsoft's side).
This change should not increase the risk of that kind of issue - https://gov.uk
will still serve the Strict-Transport-Security header, as it has since 2017.