Plaintext HTTP in a Modern World
An interesting solution by Joshua Stein that implements HTTPS redirections only for modern browsers while still serving plaintext HTTP for older ones. Here is an nginx configuration snippet:
server {
server_name example.com;
listen *:80;
listen *:443 ssl http2;
set $need_http_upgrade "$https$http_upgrade_insecure_requests";
location / {
if ($need_http_upgrade = "1") {
add_header Vary Upgrade-Insecure-Requests;
return 301 https://$host$request_uri;
}
}
...
}
The Upgrade-Insecure-Requests HTTP header (with a value of 1) is sent by modern browsers when they connect through non-encrypted connections.