Ask HN: We're thinking to drop HTTP support, Thoughts?

8 points by rafaelturk ↗ HN
We're planning to completely remove HTTP support across all our sites, endpoints, APIs. Meaning: Stop serving at 80 port. By doing so we'll be able to remove servers, nginx, loadbalancers, etcs that manage http traffic.This will save us a few bucks, reduce complecity and improve security.

Currently we're already forward(301) all http requests to https. Most of them bots, garbage.

Thoughts? Can we expect any problems? SEO? Browsers to refuse to connect? Or any unexpected problems?

8 comments

[ 0.27 ms ] story [ 29.7 ms ] thread
If your domain has had HSTS for at least a year (long enough to be recognized by modern browsers) then you should be good. If not, then you'll still need port 80 for redirects.
Good point, we already include HSTS in HTTP responses. Now I'm Thinking what will happen 365 days after we stop serving http..
To be on the safe side, should consider getting your domain in the preload list [1]. AFAIK not all browsers will try http/443 if a person just types the domain name into the URL bar. Chrome does this. Firefox does not. Unsure about Edge. Your access logs on port 80 should help determine the risk. This is more important for sites that depend on radio/tv advertisement traffic.

[1] - https://hstspreload.org/

f you already forward every http request to https, then how are you serving http and how much?
I've implemented https a long time ago, at the time we had a lot of legacy traffic going to http. So redirect was our solution to force legacy customers to use https even when connection started using plain html.
Our http traffic is now nenegtable, hence the incentive to drop it.

My question is: If we completely cease http, can we expect https run flawlessly?

Is there any way to leave the bots on port 80? As most browsers send users to https, you could use port 80 access as a signal these users are likely bots and should be treated as such? I just mention this because I know bot detection is itself an annoying problem... maybe you’ve found one possible way to at least learn who the bots are?
If all you do on http is send a redirect to https, you might be able to do that on the loadbalancer itself, or have a minimum sized pool of origins that does it for all of your hosts, so all your loadbalancers would have port 80 sent to them.

If you have any inbound links to http content, you really should endeavor to make those continue to work forever.

All that said, when I ran a high volume website, I got hsts preloaded, and served favicon with hsts headers, but generally didn't redirect content pages to https. If the user had a browser supporting hsts, they would be on https, otherwise maybe they want to see the content, but their browser can't manage modern https. The page was public information only though, if you have private information, you may reasonably prefer to have server acceptable TLS or nothing.