Is this an oversight or intentional? Redirects like this are considered less secure. Mozilla Observatory, for instance, will ding you 10 points for this kind of redirect.
@jfoust do you have any PHP redirects set up in settings.php? What's the value on enforce_https in your
Hi @alex, no redirects in settings.php. enforce_https is set to full.
Thanks. It seems like different tools have different opinions on best practices for this sort of redirect chain. This issue from the docs concerns our PHP redirect snippet, and the author says that the (outdated version of our) PHP redirect…
…failed a security scan because it was enforcing HTTPS & primary domain in a single redirect, whereas it needed to happen in two steps where it first switched to HTTPS using the same/original domain that was visited and then after it hopped over to HTTPS the primary domain could be enforced.
I notice that the difference is that you're describing a redirect to the primary domain before HSTS. I think setting full+subdomains would probably set HTTPS first, then redirect to the primary domain, but it would still be two hops. If full+subdomains works for your setup, I'd be interested to hear back on what Mozilla Observatory has to say about that configuration.
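The two-step pattern quoted from the docs issue (upgrade to HTTPS on the host that was visited first, then redirect to the primary domain, with HSTS set on the first HTTPS response) is easy to check against a captured redirect chain. The script below is an added example written for this thread, not code from Pantheon or from any poster; the hop captures are constructed by hand, and the function names audit_chain and hsts_max_age are this example's own.

```python
from urllib.parse import urlsplit

# Constructed sample chains (not captures from a real site). Each hop is
# (requested_url, status_code, response_headers) as a client would see it.
# SINGLE_HOP enforces HTTPS and the primary domain in one redirect.
SINGLE_HOP = [
    ("http://www.example.com/", 301, {"Location": "https://example.com/"}),
    ("https://example.com/", 200,
     {"Strict-Transport-Security": "max-age=31536000"}),
]

# TWO_HOP upgrades the scheme first on the original host, sets HSTS there,
# and only then moves to the primary domain.
TWO_HOP = [
    ("http://www.example.com/", 301, {"Location": "https://www.example.com/"}),
    ("https://www.example.com/", 301,
     {"Location": "https://example.com/",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("https://example.com/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]

# Example threshold: anything at or below five minutes looks like a test value
# rather than a production HSTS policy (assumption, matching the thread's figure).
SHORT_MAX_AGE = 300


def hsts_max_age(headers):
    """Return the max-age of a Strict-Transport-Security header, or None if absent."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return None
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.isdigit():
            return int(num)
    return None


def audit_chain(chain):
    """Return a list of findings for a captured redirect chain (empty means clean)."""
    findings = []
    for i, (url, status, headers) in enumerate(chain):
        src = urlsplit(url)
        if status in (301, 302, 307, 308):
            dst = urlsplit(headers.get("Location", ""))
            # The pattern the scanner objected to: scheme and host change in one hop.
            if src.scheme == "http" and dst.scheme == "https" and src.hostname != dst.hostname:
                findings.append(f"hop {i}: HTTPS upgrade and host change in one redirect "
                                f"({src.hostname} -> {dst.hostname})")
            if src.scheme == "https" and dst.scheme == "http":
                findings.append(f"hop {i}: downgrade from https to http")
        if src.scheme == "https":
            # Every HTTPS response in the chain should carry HSTS, and it should
            # not still be a short testing value.
            age = hsts_max_age(headers)
            if age is None:
                findings.append(f"hop {i}: https response for {src.hostname} has no HSTS header")
            elif age <= SHORT_MAX_AGE:
                findings.append(f"hop {i}: HSTS max-age {age}s on {src.hostname} looks like a test value")
    return findings


if __name__ == "__main__":
    for name, chain in (("single-hop", SINGLE_HOP), ("two-hop", TWO_HOP)):
        print(name, audit_chain(chain) or ["ok"])
```

To use it on a real site, replace the constructed lists with hops recorded from a client that does not follow redirects automatically (for example `curl -sI` on each Location in turn), keeping the request URL, status and headers of every response.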
I don't think I'll be able to use full+subdomains on customers, so I'll just let it go for now. I'm with you on the differing opinions; I swear at one point Google was advocating for two also for the best SEO.
While I'm not 100% sure on this, I think that if you set it from transitional+subdomains to test, the long HSTS header already set for your primary domain would overwrite the transitional setting there, and let you test HSTS on subdomains with only a 5 minute expiration time. I don't know if that helps here, and I would want someone who isn't me to confirm that first, but it might help determine if two hops, but with HSTS being first, would make Mozilla happy.