Would it be better to disable Automatic HTTPS Rewrites if it's not needed?

I’ve taken care of all URLs on my website so that they all use HTTPS, so I don’t think I need to use this feature in Cloudflare.

Would there be any performance benefits to turning this off, because Cloudflare will not parse the page to look for http to https rewrites? Or is the difference negligible, so I might as well leave it on?

For what it’s worth, Always Use HTTPS and HSTS are both enabled already.

Thanks in advance.

I doubt you would notice the difference between it on or off. I believe I have it on, for example, and I am sure I haven’t forgotten any link.

1 Like

I don’t know if Automatic HTTPS Rewrites adds any latency. I assume it has to, as parsing the body is never going to be free, but I’d like to see actual data.

Personally, I think that two Content Security Policies will give you the same benefit in modern browsers, and eventually get you to a place without any mixed content. HSTS and Always Use HTTPS only work on first party URLs, so any accidental third party HTTP will not be changed by those two settings.

```
Content-Security-Policy: upgrade-insecure-requests; default-src https:
Content-Security-Policy-Report-Only: default-src https:; report-uri /endpoint
```

The upgrade policy works even where Automatic HTTPS Rewrites fails. Any clients that support CSP (most recent versions, except IE) will get a secure experience, and the Report Only policy will give you telemetry that enables you to fix the issues as they are located. You should eventually get to a place where the report policy is not sending any data.

2 Likes
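An added example, not code from the thread or from Cloudflare: one way to turn the bodies browsers POST to the `report-uri` endpoint into a fix list, counting plain-HTTP loads per page and host. The function names, `SITE` and the sample reports are constructed for illustration; the JSON keys follow the `csp-report` body that browsers send for `report-uri`.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample bodies, shaped like what browsers POST to report-uri.
SITE = "https://www.example.com"
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": SITE + path, "blocked-uri": blocked,
                               "violated-directive": "default-src https:"}})
    for path, blocked in [
        ("/blog/post-1", "http://cdn.example.net/lib.js"),
        ("/blog/post-1", "http://cdn.example.net/font.woff"),
        ("/", "http://img.example.org"),
        ("/", "inline"),  # inline script: reported, but not mixed content
    ]
] + ["not json"]

def parse_report(raw):
    """Return (page, blocked_uri, directive), or None for an unusable body."""
    try:
        body = json.loads(raw)["csp-report"]
        page, blocked = body.get("document-uri", ""), body.get("blocked-uri", "")
        directive = body.get("effective-directive") or body.get("violated-directive", "")
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    if not all(isinstance(v, str) for v in (page, blocked, directive)):
        return None
    return page, blocked, (directive.split() or [""])[0]

def insecure_sources(raw_reports):
    """Count plain-HTTP loads per (page path, blocked host, directive)."""
    counts = Counter()
    for raw in raw_reports:
        parsed = parse_report(raw)
        if parsed is None:
            continue
        page, blocked, directive = parsed
        try:
            target, path = urlsplit(blocked), urlsplit(page).path or "/"
        except ValueError:  # e.g. a malformed IPv6 literal in the URL
            continue
        # default-src https: also reports inline/eval/data: sources, which are
        # not mixed content; keep only http: URLs with a host.
        if target.scheme == "http" and target.hostname:
            counts[(path, target.hostname, directive)] += 1
    return counts
```

Sorting the result with `insecure_sources(...).most_common()` puts the pages and hosts that generate the most reports first.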

I am always reluctant to recommend this (hence not bringing it up) since many people or servers have issues with changing headers, but it’s a great solution.

This would be interesting to see.
