HTTPS
HTTPS is the only allowed protocol for cloud services and applications. Plain HTTP is forbidden for security reasons. With HTTPS, all headers and content are encrypted and cannot be read by a MITM (man in the middle). One technical consequence: a load balancer that needs to read cookies must terminate TLS, i.e. decrypt the HTTPS traffic into plain HTTP.
Basic HTTPS best practices
The following basic rules reflect current best practice:
- Protect private keys
- Enable only TLSv1.2 or higher on the server side
- Use certificates with strong keys issued by a trusted CA, together with secure cipher suites
- Remove support for weak ciphers on the server side and enable strong ciphers only
- Enforce HTTPS (whenever possible)
- Do not mix TLS and non-TLS content
  - For example, a single web page typically loads images, JS scripts and AJAX calls; all of them must come over HTTPS
- Use secure cookies
  - Even with HTTPS, you can mix secure and plain cookies; browsers handle secure cookies differently, in that they are sent over HTTPS only
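The following added example (not part of the original page) puts three of the rules above into code using only the Python standard library: a server-side TLS context with TLSv1.2 as the floor and a strong-ciphers-only suite string, a scan of page markup for non-TLS resources, and a check of a Set-Cookie header for the Secure and HttpOnly attributes. The cipher string, the weak-cipher markers and all sample inputs are my own constructed choices.

```python
"""Added example: TLS hardening plus mixed-content and cookie checks."""
import ssl
from html.parser import HTMLParser

# Substrings that mark a legacy or broken suite (constructed list).
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")

# Constructed sample page: one script is still loaded over plain HTTP.
SAMPLE_HTML = """<html><body>
<img src="https://static.example/logo.png">
<script src="http://cdn.example/app.js"></script>
<a href="http://docs.example/">docs</a></body></html>"""


def make_server_context() -> ssl.SSLContext:
    """Server-side context: TLSv1.2 minimum, forward-secret AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string (my choice): ECDHE with AES-GCM or ChaCha20,
    # explicitly excluding anonymous, MD5 and RC4 suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4")
    return ctx


def weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that still carry a weak marker (expect none)."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"] for m in WEAK_MARKERS)]


class _MixedContentScanner(HTMLParser):
    """Collects http:// URLs referenced via src/href attributes."""
    def __init__(self):
        super().__init__()
        self.plain_urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value and value.lower().startswith("http://"):
                self.plain_urls.append(value)


def find_mixed_content(html: str) -> list:
    scanner = _MixedContentScanner()
    scanner.feed(html)
    return scanner.plain_urls


def cookie_problems(set_cookie: str) -> list:
    """Attributes an HTTPS site's Set-Cookie header should carry but lacks."""
    attrs = {p.strip().split("=")[0].lower() for p in set_cookie.split(";")[1:]}
    return [flag for flag in ("secure", "httponly") if flag not in attrs]
```

The `<a href>` hit shows the scanner is deliberately broad: a plain-HTTP link is not mixed content in the browser sense, but it is a place where users leave HTTPS and is worth reviewing.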