Improvements to TLS and primary domain redirects for non-static assets

tl;dr: So far, the Netlify hosting platform issued redirects from HTTP to HTTPS and redirects to the primary domain of a site for requests that reached static assets only. In coming weeks, we will revise our systems to issue these redirects for all requests to your site going forward.

What are TLS redirects?

When a user visits your site via a URL with an http:// prefix (also called the scheme), the browser starts an unencrypted connection to our servers. Since our goal is to serve all traffic encrypted, we need to tell the browser to use an encrypted connection instead. This is why, for all requests without encryption, instead of serving the static file we issue a 301 redirect to the same URL with the https scheme. The browser then makes an encrypted connection to that URL and we serve the static asset.

Notes:

  • We also send an HSTS header, which makes the browser automatically start on an encrypted connection the next time.
  • We only do this once you have a valid certificate provisioned for your site, so you can view the site content while your certificate is provisioning.

What are primary domain redirects?

Your Netlify site can have multiple domains that we serve the site on. Even if you just add a single custom domain, we’ll add a www/non-www variant if it’s an apex domain (not a subdomain). One of the domains on your site is deemed the primary domain: the domain you intend your site to be visited on. You can change it in the domains panel in the Netlify App.

Whenever your site gets a request to one of the domains that is not your primary domain we issue a 301 redirect instead of serving the static assets. Your browser then makes another request to the URL on the primary domain. This is especially useful for SEO purposes where you don’t want your content to be served on multiple domains at once.

What is changing?

So far we’ve only been issuing these redirects for requests that reached static assets. There is not really a good reason for that, and both people internally and our customers have been calling this behaviour a bug.

A specific example of what might change: you host site.com and www.site.com on Netlify, with www.site.com set as your primary custom domain, and you use Netlify Functions. Today, our CDN would usually respond to a request like http://site.com/.netlify/functions/name with your function output. After this change, we will instead respond with an HTTP 301 redirect to https://site.com/.netlify/functions/name and then another 301 redirect to https://www.site.com/.netlify/functions/name (to satisfy the HSTS preload standard), and finally we would run the lambda and return its content.

Going forward, we’re consistently issuing these redirects for all requests that come into your site and need to be redirected, whether they are fulfilled by serving a static asset, invoking a Function or proxying to another server.
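As an added illustration (not Netlify's code), the following Python models the redirect decision described above: TLS redirect first, primary-domain redirect second, and the request fulfilled only once both hold, regardless of whether an asset, a Function or a proxy answers it. The site configuration, the HSTS header value and the function names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed site configuration: two domains, www is primary, certificate ready.
SITE = {
    "domains": {"site.com", "www.site.com"},
    "primary": "www.site.com",
    "cert_ready": True,  # HTTPS certificate provisioned for the site
}

@dataclass
class Response:
    status: int                      # 301 for a redirect, 200 when fulfilled
    location: Optional[str] = None   # Location header for a 301
    headers: dict = field(default_factory=dict)

def decide(url: str, site: dict) -> Response:
    """Redirect decision for one request, independent of what fulfils it."""
    parts = urlsplit(url)
    host = parts.hostname
    # 1. TLS redirect: same URL, https scheme. Only once a certificate exists,
    #    so the site stays viewable while the certificate is provisioning.
    if parts.scheme == "http" and site["cert_ready"]:
        return Response(301, urlunsplit(parts._replace(scheme="https")))
    # 2. Primary-domain redirect: same URL, host swapped for the primary domain.
    if host in site["domains"] and host != site["primary"]:
        netloc = site["primary"] + (f":{parts.port}" if parts.port else "")
        return Response(301, urlunsplit(parts._replace(netloc=netloc)))
    # 3. Fulfil the request (static asset, Function or proxy). HSTS is only
    #    meaningful on an HTTPS response; browsers ignore it over plain HTTP.
    headers = {}
    if parts.scheme == "https":
        headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
    return Response(200, headers=headers)

def follow(url: str, site: dict, max_hops: int = 5) -> list:
    """Return the chain of URLs visited until the request is fulfilled."""
    chain = [url]
    for _ in range(max_hops):
        resp = decide(chain[-1], site)
        if resp.status != 301:
            return chain
        chain.append(resp.location)
    raise RuntimeError("redirect loop: " + " -> ".join(chain))

if __name__ == "__main__":
    for hop in follow("http://site.com/.netlify/functions/name", SITE):
        print(hop)
```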
