Hi,
My website is still showing 500+ insecure traffic, whereas I have disabled all of them, added rules to redirect HTTP to HTTPS, and even disabled port 80 completely on my hosting for Apache, and my site is only hosted over port 443.
The best thing we can recommend is HSTS and HSTS preload.
In browsers, the first request to a (non-HSTS) website is HTTP unless it’s traffic from search engines, but if you set up HSTS+preload, the first request to your website, even via just the address bar, will be HTTPS.
Note that once you preload you effectively always have to have an SSL/TLS certificate on your domain for browsers to work with it; your website can’t go back to HTTP without going through a multiple-month process to get the domain removed from the preload list and then for all browsers (Safari and Firefox being the slowest) to receive the updated list and start allowing your site to load non-encrypted. This shouldn’t be a problem as long as you use Cloudflare, or if you move away from CF you can use a free TLS provider like Let's Encrypt.
Okay, I have a sub-domain, which is just an alias to the actual public IP of the server, and I am using it for my OpenVPN and it is running on port 80. I am not using CF proxy for this.