A question: What’s the best practice these days for port 80 on websites? With my old configuration, I redirected all port 80 requests to port 443. Now I’m wondering if I should bother to open it at all.
I suppose that someone might try to access the site with some ancient device that doesn’t support SSL, but frankly, all I ever saw were lazy bot requests on port 80.
I would say don’t open it. One of the security tools we use at work dings points for an open 80 even if all it does is redirect to 443.
Last year Chrome changed to load https:// by default when you browse to a website, unless you explicitly tell it to go to http://website.tld, and on looking it up, it looks like Firefox moved to https-first in August this year.
And even if you don’t serve :80 at all, and even if a particular browser does default to checking http first, and even if that port isn’t explicitly redirected, I suspect most browsers will try :80, and silently try :443 if that fails, unless they’re old, like Netscape Navigator old.
“But where our hearts truly lie is in strong coffee, noise-canceling headphones and good clean code.”