ADR032: SSL-only for applications and cf endpoints
Note: This has been superceeded. See Status below.
It is expected for the government websites to be secure and keep the user interactions private. Because that we want to enforce all communications to any application and to the platform endpoints to use only and always HTTPS, as it is described in the Gov Service Manual.
When a user inputs a website name without specifying the protocol in the URL, most browsers will try first the HTTP protocol by default. Even if the server always redirect HTTP to HTTPS, an initial unprotected request including user information will be transferred in clear: full URL with domain, parameter, cookies without secure flag or browser meta-information.
There is still a potential initial unprotected HTTP request that might happen
before retrieve the HSTS headers or after the specified HSTS
To solve this issue, the root domain can be added to
HSTS preload list which will be used by most
Currently the only way to avoid any clear text HTTP interaction is closing or dropping any attempt to connect to the port 80 at TCP level.
Although not all application deployed on the PaaS will be “services” as in the service manual meaning, we must not allow HTTP to make it easier to service owners to comply with this requirements.
We will only open port 443 (HTTPS) and drop/reject any TCP connection to TCP port 80 (HTTP).
We will implement and maintain HSTS preload lists for our production domains.
Superceeded by ADR033
We must configure and maintain our domain in the HSTS preload lists.
Users of browsers which do not support HSTS, or HSTS preload lists, will not
be able to connect to the sites without specify the protocol
the URL. This only happens when the user manually inputs the URL in the