Plaintext HTTP in a Modern World
An interesting solution by Joshua Stein that implements HTTPS redirection only for modern browsers while still serving plaintext HTTP for older ones. Here is an nginx configuration snippet:
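    server {
        server_name example.com;
        listen *:80;
        listen *:443 ssl http2;

        # $https is "on" for TLS connections and empty otherwise, so this
        # value is exactly "1" only for a plaintext request that carries
        # Upgrade-Insecure-Requests: 1.
        set $need_http_upgrade "$https$http_upgrade_insecure_requests";

        location / {
            if ($need_http_upgrade = "1") {
                # Tell caches that the response depends on this request header.
                add_header Vary Upgrade-Insecure-Requests;
                return 301 https://$host$request_uri;
            }
        }
        ...
    }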
The Upgrade-Insecure-Requests HTTP header (with a value of 1) is sent by modern browsers when they connect through non-encrypted connections.
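To confirm that a deployment behaves as the snippet intends, the following added example (not code from the original page or from Joshua Stein) probes a plaintext listener with and without the header and reports any mismatch. The `StandIn` server is a constructed local substitute for nginx so the check runs offline; `probe`, `check` and `run_demo` are hypothetical names.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class StandIn(BaseHTTPRequestHandler):
    """Constructed stand-in for the port-80 side of the nginx rule (not nginx itself)."""
    def do_GET(self):
        # On a plaintext listener $https is empty, so the test reduces to header == "1".
        upgrade = self.headers.get("Upgrade-Insecure-Requests", "") == "1"
        self.send_response(301 if upgrade else 200)
        if upgrade:
            host = self.headers.get("Host", "").split(":")[0]  # like $host: no port
            self.send_header("Vary", "Upgrade-Insecure-Requests")
            self.send_header("Location", f"https://{host}{self.path}")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def probe(host, port, path, upgrade=None):
    """Send one plaintext GET; return (status, Location, Vary)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    headers = {} if upgrade is None else {"Upgrade-Insecure-Requests": upgrade}
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Location"), resp.getheader("Vary") or ""

def check(host, port, path="/page?x=1"):
    """Return failed expectations; an empty list means the rule behaves as described."""
    failures = []
    if probe(host, port, path)[0] != 200:
        failures.append("client without the header was not served over plaintext")
    status, location, vary = probe(host, port, path, "1")
    if status != 301 or location != f"https://{host}{path}":
        failures.append("upgrade-capable client not redirected to the same URI on https")
    if "upgrade-insecure-requests" not in vary.lower():
        failures.append("response to upgrade-capable client lacks Vary: Upgrade-Insecure-Requests")
    return failures

def run_demo():
    """Start the stand-in on a free local port, run the check, and stop it."""
    server = HTTPServer(("127.0.0.1", 0), StandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo() or "behaviour matches the snippet")
```

Against a real deployment, call `check("example.com", 80)` with the site's own host name in place of the stand-in.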