Simone Aronica

Should a new webapp run on both http and https protocols?

I've been thinking about how to host my webapp and as I use a react frontend with serious authentication protocols, should my app be based on both http and https or use only https? More and more time thinking is leading me towards the latter, but I'm not sure. What do you think?

Top comments (9)

Sam (NBTX)

Your apps should use only HTTPS - especially if there is any kind of authentication involved on your front-end.

Not only can HTTP traffic be captured and read by anyone with access to your network, increasingly web services and technologies are starting to force people to use HTTPS;

Progressive Web Apps - an awesome new feature that lets users install your website as an app - requires HTTPS and certain top level domains (TLDs) such as .dev require that HTTPS be enabled for any domains with that TLD.

JasperHorn

https only.

I have way too many applications still running without SSL, even though I really should simply add Let's Encrypt certificates. However, I do know that HTTP without SSL is more of an artifact of the past (legacy, if you will) than something that should seriously be considered for any new project.

Katie Nelson

For me, when I have to log in to a site, it better be HTTPS with the lock symbol in my browser or I'm not staying there.

Is there a reason someone should stay Simone?

Simone Aronica

I was thinking of staying on HTTP because of compatibility, but as I build the authentication I'm learning more and more that I should not use it. As an example, when I send a password, the password is encrypted in the database but unencrypted during transport, so... what's the point anyway? So yeah, I think I'll remove HTTP.

Katie Nelson

On my web server (IIS), there is a redirect setup on port 80 which forwards all requests to port 443. This way, if the user types http, they automatically get over to https.

Simone Aronica

That makes a lot of sense! Thanks for the advice!

Austin S. Hemmelgarn

If it's actually going over the network external to the machine running the app, you should only be using HTTPS.

However, if the app is standalone and doesn't require a web server to be accessed by a browser because it bundles its own web server (for example, something like Syncthing or Netdata), then you absolutely should support plain HTTP, even if you code things to only allow it over the loopback interface, because people (most likely including you during development) will want to run it locally over the loopback interface, and setting up TLS for that is both overkill and insanely complicated in a lot of cases.

brycebba

You can't serve up HTTP content with HTTPS content because in an upcoming version of Chrome they will block what they call mixed content. Of course, until that day comes, if it comes, you could, but it's just good practice to keep things secure.

Ben Sinclair

Your app shouldn't care. Whatever's serving the endpoint should use HTTPS, though (which may or may not be your responsibility).