Forcing HTTPS + www or non-www

Have an idea for improving the forum? Share it here.
Post Reply
jack
Posts: 9
Joined: Mon Mar 26, 2018 2:00 am

Forcing HTTPS + www or non-www

Post by jack » Wed Mar 28, 2018 6:05 am

Currently you have the ability to access the forum from:

http://www.trombonechat.com (www WITHOUT https)
https://www.trombonechat.com (www WITH https)
http://trombonechat.com (naked domain WITHOUT https)
https://trombonechat.com (naked domain WITH https)

It's good practice to force an HTTPS connection for security, and force the URL to use www or its naked domain (typically not both).

Personally I think that:
https://www.trombonechat.com
should be the URL that's redirected to, regardless of how someone types in/accesses the website. It looks like SiteGround is being used as the host (edit: maybe not?), they have documentation on how to do both of these things here and here.

Thoughts?
Last edited by jack on Sun Jul 08, 2018 12:27 pm, edited 1 time in total.
User avatar
Matt K
Posts: 765
Joined: Tue Mar 20, 2018 10:34 pm

Re: Forcing HTTPS + www or non-www

Post by Matt K » Wed Mar 28, 2018 7:37 am

I originally forced HTTPS but we had some login issues that I believe were related. You aren't wrong that it's best practice to use https (I use an extension called httpseverywhere) to force sites to use it even when they don't, but it's also good practice to have separate passwords for every site you have so that when (no, not if!) one gets breached you haven't just revealed your credentials to everything which would be one of the consequences of using http, though really that attack vector is limited to being in a public place with unencrypted wireless.

It's on our radar though and maybe we'll try to get that running this weekend. I'd prefer to do it at such a time when someone can be available to reverse it if it causes problems.
Post Reply

Return to “Comments & Suggestions”