Virtual Host Redirection

Hi all,

Having a default endpoint on port 80 is always good practice even if security is a must. Normally port 80 is redirected to 443. I am wondering how it is possible to redirect the default virtual host to the secure one in Edge?

Any help is very much appreciated.

Thanks a lot,

Antonio

1 ACCEPTED SOLUTION


- If you do not have any of your proxies listening on port 80, then anyone hitting http on port 80 will get a 404

- If you want to redirect all the http 80 calls you can have one API proxy (No Target Proxy) and have an assign message policy that does a 302 redirect

However, in the API world, I think an HTTP-to-HTTPS redirect is not a very good idea, because you are not discouraging the client from using HTTP; instead you redirect on your side, making it acceptable for the client to use HTTP.

The problem in that case is that the client would be sending all the sensitive data in unencrypted format once before the redirect happens. If you are using OAuth, it relies on TLS/HTTPS security for encryption; sending those over non-secure ports is not a good idea. The same is true for any other payload, headers, etc.

It's a different story with websites, because only the pages are redirected; the AJAX/POST calls within the pages are not. You are not risking sensitive data posted over HTTP in the case of a website redirect.
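
An added example (not part of the original answer and not Apigee Edge code) illustrating the point above about data crossing the wire before the redirect: a loopback stand-in for the port-80 listener records what a client sent in cleartext, once answering with a 302 and once with a 404. The hostname, path, token and body are constructed.

```python
import http.client
import http.server
import threading

class PlainHTTPListener(http.server.BaseHTTPRequestHandler):
    """Stand-in for the port-80 virtual host; records what arrives unencrypted."""
    seen = []        # (Authorization header, body) pairs received in cleartext
    redirect = True  # True: answer 302 to HTTPS; False: answer 404

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.seen.append((self.headers.get("Authorization"), body))
        if self.redirect:
            self.send_response(302)
            # api.example.test is a constructed hostname
            self.send_header("Location", "https://api.example.test" + self.path)
        else:
            self.send_response(404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def call_over_http(redirect):
    """Send one API call in cleartext; return (status, Location, what the listener saw)."""
    PlainHTTPListener.seen = []
    PlainHTTPListener.redirect = redirect
    server = http.server.HTTPServer(("127.0.0.1", 0), PlainHTTPListener)
    worker = threading.Thread(target=server.handle_request)
    worker.start()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
    conn.request("POST", "/v1/orders", body=b'{"card": "constructed"}',
                 headers={"Authorization": "Bearer constructed-token"})
    resp = conn.getresponse()
    resp.read()
    result = (resp.status, resp.getheader("Location"), list(PlainHTTPListener.seen))
    conn.close()
    worker.join()
    server.server_close()
    return result

if __name__ == "__main__":
    for mode in (True, False):
        status, location, seen = call_over_http(mode)
        print(status, location, seen)
```

In both cases the listener has already received the bearer token and body unencrypted; the 302 differs only in that a redirect-following client goes on to succeed, so the misconfigured `http://` base URL is never noticed.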
