I've been thinking about how to host my webapp and as I use a react frontend with serious authentication protocols, should my app be based on both http and https or use only https? More and more time thinking is leading me towards the latter, but I'm not sure. What do you think?
For further actions, you may consider blocking this person and/or reporting abuse
Top comments (9)
Your apps should use only HTTPS - especially if there is any kind of authentication involved on your front-end.
Not only can HTTP traffic be captured and read by anyone with access to your network, increasingly web services and technologies are starting to force people to use HTTPS;
Progressive Web Apps - an awesome new feature that lets users install your website as an app - requires HTTPS and certain top level domains (TLDs) such as
.devrequire that HTTPS be enabled for any domains with that TLD.https only.
I have way too many applications still running without SSL, even though I really should simply add let'sencrypt certificates. However, I do know that http without SSL is more of an artifact of the past (legacy, if you will) than something that should seriously be considered for any new project.
For me, when I have to login to a site, it better be https with the lock symbol in my browser or Iām not staying there.
Is there a reason someone should stay Simone?
I was thinking of staying onto HTTP because of compatibility, but as I build the authentication I'm learning more and more that I should not use it. As example, when I send a password the password is encrypted in the database but unencrypted during the transport, so... What's the point anyways? So yeah I think I'll remove HTTP.
On my web server (IIS), there is a redirect setup on port 80 which forwards all requests to port 443. This way, if the user types http, they automatically get over to https.
That makes a lot of sense! Thanks for the advice!
If it's actually going over the network external to the machine running the app, you should only be using HTTPS
However, if the app is standalone and doesn't require a web server to be accessed by a browser because it bundles it's own web server (for example, something like Syncthing or Netdata), then you absolutely should support plain HTTP, even if you code things to only allow it over the loopback interface, because people (most likely including you during development) will want to run it locally over the loopback interface, and setting up TLS for that is both overkill and insanely complicated in a lot of cases.
You can't serve up http content with https content because in an upcoming version of chrome they will block what they call mixed content. Of course until that day comes, if it comes, you could but it just good practice to keep things secure
Your app shouldn't care. Whatever's doing the endpoint should use https though (which may or may not be your responsibility).