Pivotal Knowledge Base


How do I force my users to use HTTPS?

Purpose

For security purposes, it is a good practice to force users to connect to your site via HTTPS.  This prevents a user from accidentally connecting to your application over an unencrypted channel and leaking sensitive information.

Instructions

On PWS, users can connect to your application via HTTP or HTTPS.  At the moment there is no platform support for forcing traffic from one to the other.  To force your users to connect via HTTPS, you need to check the incoming request in your application and issue a redirect for any non-HTTPS request.

Some languages, runtimes or frameworks offer support to handle this automatically.  For example, with a Java-based application you can do this in web.xml or with a framework like Spring Security.  For languages or runtimes with no automatic support, you can often implement similar behavior with a "middleware", "interceptor" or "filter".  These inspect incoming requests and apply logic that runs before the request reaches your application.  The injected logic simply needs to check whether the request is secure and, if not, send a redirect.

To determine whether the request came in via HTTPS, look at either the X-FORWARDED-PORT or the X-FORWARDED-PROTO header.  A port of 443 or a protocol of https indicates a secure connection.  For anything else, respond with an HTTP 302 redirect to the same URL, rewritten with an HTTPS scheme.

Impact / Risks

When a browser connects to your application on PWS, it does not do so directly.  It actually talks to a load balancer, which in turn proxies the request to your application.  In addition to proxying the request, the load balancer also terminates SSL.  This means that the browser talks HTTPS to the load balancer, but the load balancer talks HTTP to your application.

Because of this proxy layer and the SSL termination, your application may not properly detect that an incoming request was sent over a secure channel: from the application's point of view, every request arrives over HTTP.  This often results in an HTTP redirect loop, but it could also result in your application serving over plain HTTP requests it should not.  Please verify that your application is properly redirecting HTTP requests to HTTPS.  If it is not working properly, you likely need to configure it to look at the X-Forwarded headers mentioned in the Instructions section above.
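As an added example (not code from the original article or from PWS), a minimal WSGI middleware that applies the check described in the Instructions section: it decides on X-Forwarded-Proto / X-Forwarded-Port rather than the WSGI scheme, which is exactly what avoids the redirect loop behind the SSL-terminating load balancer.  `hello_app` and `call` are constructed helpers for exercising it without a server; the hostnames used are made up.

```python
from urllib.parse import quote

def request_is_secure(environ):
    """True if the client's original connection was HTTPS.
    Behind the PWS load balancer SSL is terminated at the proxy, so
    environ['wsgi.url_scheme'] is always 'http'; the client's scheme survives
    only in the X-Forwarded-Proto / X-Forwarded-Port headers the proxy adds.
    With several proxies the values are comma-joined; the first is the client's.
    """
    proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
    port = environ.get("HTTP_X_FORWARDED_PORT", "").split(",")[0].strip()
    if proto == "https" or port == "443":
        return True
    # No forwarding headers (e.g. a local run with no proxy): fall back to WSGI.
    return environ.get("wsgi.url_scheme") == "https"

def https_location(environ):
    """The requested URL (host, path, query) rewritten with an https scheme."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    if host.endswith(":80"):  # drop an explicit plain-HTTP port
        host = host[:-3]
    path = quote(environ.get("PATH_INFO") or "/")
    query = environ.get("QUERY_STRING", "")
    return "https://%s%s%s" % (host, path, "?" + query if query else "")

class ForceHttps:
    """WSGI middleware: 302-redirect any request that did not arrive over HTTPS."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if request_is_secure(environ):
            return self.app(environ, start_response)
        headers = [("Location", https_location(environ)), ("Content-Length", "0")]
        start_response("302 Found", headers)
        return [b""]

def hello_app(environ, start_response):
    """Constructed stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]

def call(app, environ):
    """Invoke a WSGI app directly and return (status, headers, body) for checking."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body
```

Wrap your application as `ForceHttps(app)`; a request carrying `X-Forwarded-Proto: https` passes through unchanged even though `wsgi.url_scheme` is `http`, while one carrying `http` gets a 302 to the same URL on https.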
