
Can forwarding https://example.com requests to https://www.example.com be a security risk?

@Sims2060225

Posted in: #301Redirect #Https #NoWww #Security

I maintain a retail store's eCommerce website, provided by a 3rd party. The HTTPS links do not load ('ERR_CONNECTION_TIMED_OUT') unless you put in the WWW before the domain name. The HTTP links forward to their respective www counterparts. This 3rd party has explained that HTTPS links would need to be forwarded to the www URLs as well but "Webforwards do not forward https." I am left with a sense that this will not be followed up on. Practically speaking, I don't think we will have any shoppers manually going in and typing store.com and encountering this issue. However, it doesn't seem to be good practice. I checked google, yahoo, bing, shopify, and bankofamerica all forward you to their www if you do just domain.com. What makes this not commonplace? It looks like Amazon forwards you to their standard http if not on a need-to-be-secure page.

Is there a security hole that could arise as a result of forwarding example.com requests to www.example.com? Why would anyone want to have an error when you could have it forward to somewhere?


1 Comments


@Lengel546

If non-www links don't work, it will also not work if you try to redirect such a link to another link, because it first needs to access the first link before it can get a redirect from there to the second link. And while it is hard to get any useful data from your error description, I would recommend that you check the problem yourself: a common problem is that the certificate for the site is for example.com and does not include example.com, so that the latter will fail with an SSL error. In this case you would need to get a better certificate; redirecting will not work.

But if you did achieve the forwarding (which I don't believe you can, for the reasons above), it will not be a security risk, as long as the source of the redirect and the target of the redirect are both under the same control. E.g., it will be a risk if you redirect it to a 3rd-party site, because you don't have any control over what the 3rd-party site is doing.

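Added example, not part of the answer above: a Python sketch of the two checks it describes, whether the certificate covers the bare host that must be reached before any redirect can be served, and whether the redirect target stays within the apex/www pair of one domain. The function names, finding labels and sample certificate name lists are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample data: subjectAltName lists as they might appear on a site's certificate.
SANS_WWW_ONLY = ["www.example.com"]
SANS_WILDCARD = ["*.example.com"]
SANS_BOTH = ["example.com", "www.example.com"]


def san_covers(san, host):
    """Match one certificate name against a host. A wildcard stands for
    exactly one left-most label, so *.example.com does not match example.com."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    head, _, rest = host.partition(".")
    return bool(head) and rest == san[2:]


def same_site_pair(source_host, target_host):
    """True only when both hosts are the apex/www pair of one name.
    Assumption of this example: that pair is run by the same operator."""
    a, b = source_host.lower(), target_host.lower()
    return a == b or a == "www." + b or b == "www." + a


def assess_redirect(source_url, location, cert_sans):
    """Return finding labels for a redirect from source_url to the Location value."""
    src = urlsplit(source_url)
    dst = urlsplit(urljoin(source_url, location))  # resolves relative Location values
    findings = []
    if src.scheme == "https" and not any(san_covers(s, src.hostname) for s in cert_sans):
        # The TLS handshake fails first, so the browser never sees the redirect.
        findings.append("cert-mismatch")
    if src.scheme == "https" and dst.scheme != "https":
        findings.append("downgrade")
    if not same_site_pair(src.hostname, dst.hostname or ""):
        findings.append("third-party")
    return findings


if __name__ == "__main__":
    for sans in (SANS_WWW_ONLY, SANS_WILDCARD, SANS_BOTH):
        result = assess_redirect("https://example.com/", "https://www.example.com/", sans)
        print(sans, "->", result or "ok")
```

A connection timeout like the one in the question occurs before any certificate is presented, so this check only becomes relevant once the bare domain accepts connections on port 443.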

