Best way to have both HTTP and HTTPS communication in a web application?
I am considering using both HTTP and HTTPS in a web application and I am looking for tips to accomplish this best. The application will run under Tomcat.
I have also seen the following about HTTPS performance. Can anyone confirm the claims made in this post (i.e., SSL/TLS is not computationally expensive any more)? Do you agree?
Thanks!
2 Comments
Best way is to use redirects (301) to ensure visitors are only using the desired protocol on a particular URL. If you have Apache (with mod_rewrite) or IIS running in front of Tomcat it's easy, otherwise it's a bit trickier. If you are running Tomcat standalone you can write a filter to do the redirecting. There are also some general rewrite filters already written out there, but I'm not sure which ones are any good.
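The standalone-Tomcat redirect filter mentioned in the answer above could look like this; it is an added example, not code from the thread. It assumes Tomcat 10+ (`jakarta.servlet`; use `javax.servlet` on Tomcat 9 and earlier), HTTPS on port 443, and a hypothetical host name and list of sensitive paths.

```java
import jakarta.servlet.*;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.*;
import java.io.IOException;
import java.util.List;

@WebFilter("/*")
public class HttpsRedirectFilter implements Filter {
    // Hypothetical values: replace with your own host and sensitive paths.
    private static final String CANONICAL_HOST = "www.example.com";
    private static final List<String> SECURE_PREFIXES = List.of("/login", "/account");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Container-decoded path with path parameters (";x=y") already stripped,
        // so "/login;x" is matched the same way the servlet mapping matches it.
        String info = request.getPathInfo();
        String path = request.getServletPath() + (info == null ? "" : info);
        boolean needsTls = SECURE_PREFIXES.stream()
                .anyMatch(p -> path.equals(p) || path.startsWith(p + "/"));

        if (!needsTls || request.isSecure()) {
            chain.doFilter(req, res);
            return;
        }
        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            // A request body has already crossed the network in clear text;
            // a redirect would hide that bug, so refuse the request instead.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        // Build the target from a fixed host, never from the client's Host header.
        StringBuilder target = new StringBuilder("https://")
                .append(CANONICAL_HOST).append(request.getRequestURI());
        if (request.getQueryString() != null) {
            target.append('?').append(request.getQueryString());
        }
        response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY); // 301
        response.setHeader("Location", target.toString());
    }
}
```

`request.isSecure()` reflects the connector that accepted the connection, which is what standalone Tomcat needs; behind a TLS-terminating proxy it only reports correctly if Tomcat is configured to trust the proxy's forwarded-protocol header.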
The idea is not to mix "public" HTTP with "private" HTTPS.
Use HTTP whenever there is no problem if someone intercepts your communication with the user, and when the communication gets private (sensitive data will tell you when) then use HTTPS. Don't mix them, because one thing that is considered a vulnerability is to have both services pointing to the same root folder.
Let me explain myself better: If anyone can hurt your server using the HTTP protocol, for example by locating a file in one of your folders, he will automatically know that this damage is affecting the HTTPS site too.
Be smart, don't show your cards.