My web application is on GCP and accepts requests on both http and https. I want to enforce https only connections without creating friction in user experience.
If I remove http then I am afraid that a user typing http://mywebapp.com will get a 404. Should the right approach be to accept requests on both http and https and redirect http requests (303) so that the client sends the request again using https?
- Is doing the above possible?
- Wouldn't that increase my traffic cost (on GCP, due to redirection/duplicate requests)?
- Is there some other better way to achieve what I want?
Yes, it is common for sites to upgrade to secure connections. The GCP load balancer can "upgrade" requests to HTTPS. Follow their step-by-step documentation to enable this.
- Yes.
- Should be negligible as the redirect should be permanent (301), enabling clients to upgrade to HTTPS on subsequent requests.
- There are other ways. Whether it is “better” depends on your specific use case. One can perform a redirect at virtually any layer in an application. If you’re not doing anything particularly useful, aside from redirecting insecure to secure, then it's best to do so as fast as possible (e.g. load balancer). Servicing insecure requests that ultimately redirect will consume needless resources (connections, memory, etc.), so it’s best avoided.
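As an added example (not from the asker or the answerer), this is a URL map for the plain-HTTP frontend of a GCP external HTTP(S) load balancer that implements the redirect described in the answer: the load balancer itself answers every HTTP request with a 301 to the same host and path over HTTPS, so no backend is contacted and no duplicate request reaches your instances. The map name is a placeholder.

```yaml
# URL map for the HTTP (port 80) target proxy only.
# The HTTPS target proxy keeps its normal URL map pointing at the backend service.
kind: compute#urlMap
name: http-to-https-redirect   # placeholder name
defaultUrlRedirect:
  # 301 Moved Permanently: browsers cache it, so later requests go straight to HTTPS
  redirectResponseCode: MOVED_PERMANENTLY_DEFAULT
  # Rewrite the scheme to https, keep host and path unchanged
  httpsRedirect: True
  # Preserve the query string so deep links survive the upgrade
  stripQuery: False
```

Import it with `gcloud compute url-maps import http-to-https-redirect --source=redirect.yaml --global` and point the HTTP target proxy at it; verify with `curl -sI http://mywebapp.com/some/path?q=1`, which should return `HTTP/1.1 301` and a `Location: https://mywebapp.com/some/path?q=1` header.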