For your web app, a best practice is to make sure all requests are handled via HTTPS by default. This can easily be configured for all URLs in the deployment file:
HTTP → HTTPS redirection for Python/Go/PHP

```yaml
secure: always
redirect_http_response_code: 301
```
- The first line upgrades all HTTP requests to HTTPS with a 302 redirection.
- The second line makes it a permanent 301 redirection (cacheable by the browser and SEO friendly).
Example for a static site

```yaml
# ...
handlers:
- url: /
  static_files: www/index.html
  upload: www/index.html
  secure: always
  redirect_http_response_code: 301
- url: /
  static_dir: www
  secure: always
  redirect_http_response_code: 301
```
HTTP → HTTPS redirection for Java
```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTTPS redirect</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```
- This upgrades all HTTP requests to HTTPS with a 302 redirection.
- When using
web.xml is optional and might need to be created.
This is a straightforward way to secure your web app, but there are other, more advanced best practices such as HSTS. Room for additional tips?
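To confirm that a deployment actually behaves the way the settings above intend, the following added script (not App Engine's own code, and not part of the original post) checks that plain HTTP answers with a permanent 301 to the same host over https and reports whether the HTTPS response already carries an HSTS header; the hostname passed to `probe()` and the one-year `min_age` threshold are assumptions of this example.

```python
"""Check a deployed site behaves as the app.yaml above intends: plain HTTP
answers 301 to https on the same host, and HTTPS sends HSTS. Added example,
not App Engine's own code; the hostname passed to probe() is assumed."""
import http.client
from urllib.parse import urlsplit

def check_redirect(host, status, headers):
    """Findings for the response to GET http://host/ (empty list = OK)."""
    if status not in (301, 302, 307, 308):
        return [f"expected a redirect to https, got HTTP {status}"]
    findings = []
    if status != 301:
        findings.append(f"redirect is {status}, not the permanent 301 that "
                        "redirect_http_response_code: 301 configures")
    target = urlsplit(headers.get("Location", ""))
    if target.scheme != "https":
        findings.append(f"Location does not upgrade to https: {target.geturl()!r}")
    if target.hostname != host:
        findings.append(f"redirect leaves the host: {target.geturl()!r}")
    return findings

def check_hsts(headers, min_age=31536000):
    """Findings for the HTTPS response's Strict-Transport-Security header;
    the one-year min_age is this example's threshold, not a page value."""
    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        return ["no Strict-Transport-Security header (HSTS not enabled)"]
    directives = [d.strip().lower() for d in hsts.split(";")]
    max_age = 0
    for d in directives:
        if d.startswith("max-age="):
            max_age = int(d.partition("=")[2])
    findings = []
    if max_age < min_age:
        findings.append(f"max-age={max_age} is shorter than {min_age} seconds")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set")
    return findings

def probe(host, timeout=10):
    """Fetch http://host/ and https://host/ and run both checks on the replies."""
    plain = http.client.HTTPConnection(host, timeout=timeout)
    plain.request("GET", "/")
    r = plain.getresponse()
    findings = check_redirect(host, r.status, dict(r.getheaders()))
    tls = http.client.HTTPSConnection(host, timeout=timeout)
    tls.request("GET", "/")
    findings += check_hsts(dict(tls.getheaders()))
    return findings
```

Run `probe("your-app.example")` after deploying; an empty list means the redirect and HSTS checks all passed.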