HTTP-to-HTTPS Redirection


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT all versions

DISCUSSION

You can redirect HTTP connections to HTTPS on the Connection Options tab of a Site. The HTTP engine listens on a specified port (default = 80) even when HTTP is OFF; all traffic to that port is redirected to the HTTPS port on the same host by responding with an HTTP redirect header.

In v8.0 and later:

EFT redirects to HTTPS for login to protect the client password; then, after successful login, it sets a web session cookie and redirects back to HTTP. Because the session cookie uses the "SameSite: Strict" policy, the browser does not send it to the HTTP endpoint (which is "not same site" as HTTPS); thus, EFT does not authenticate the HTTP request and redirects it back to the HTTPS login page.

To work around this, set one of the following advanced properties (APs):

  • Set "DisableHTTPAccountSecurity":"true" to not redirect to HTTPS for login (i.e., make all communications plaintext, including sending the password).
  • Set "HttpCookieSameSitePolicy":"Lax" to redirect to HTTPS for login, redirect back to HTTP after login, and allow the browser to send the web session cookie to HTTP (i.e., make all communications plaintext except for login).
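
The cookie decision behind the v8.0 loop and the "Lax" workaround can be modelled as follows. This is an added example, not EFT code: it is a simplified model of browser SameSite handling, and the cookie name, cookie value and host name are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie values; the cookie name and value are placeholders.
STRICT_COOKIE = "websession=abc123; Path=/; HttpOnly; SameSite=Strict"
LAX_COOKIE = "websession=abc123; Path=/; HttpOnly; SameSite=Lax"
HTTPS_URL = "https://eft.example.test/"   # hypothetical host
HTTP_URL = "http://eft.example.test/"

def parse_attrs(set_cookie):
    """Return the attributes of a Set-Cookie value as a dict with lowercased keys."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:   # skip the name=value pair
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    return attrs

def cookie_sent(attrs, set_on_url, target_url):
    """Would a browser attach the cookie to a top-level GET to target_url
    that was triggered from a page on set_on_url?"""
    src, dst = urlsplit(set_on_url), urlsplit(target_url)
    if src.hostname != dst.hostname:
        return False                          # host-only cookie, other host
    if "secure" in attrs and dst.scheme != "https":
        return False                          # Secure cookies never go over HTTP
    policy = attrs.get("samesite", "lax").lower()   # Lax is the modern default
    if policy == "none":
        return "secure" in attrs              # None without Secure is rejected
    if policy == "strict":
        return src.scheme == dst.scheme       # scheme change counts as cross-site
    return True                               # Lax: allowed on top-level navigation

def login_flow(set_cookie):
    """Follow the flow above: login on HTTPS, then redirect back to HTTP."""
    if cookie_sent(parse_attrs(set_cookie), HTTPS_URL, HTTP_URL):
        return "authenticated over HTTP; session cookie travels in plaintext"
    return "not authenticated; redirected back to the HTTPS login page"

if __name__ == "__main__":
    for cookie in (STRICT_COOKIE, LAX_COOKIE, LAX_COOKIE + "; Secure"):
        print(cookie, "->", login_flow(cookie))
```

The third case shows that a session cookie carrying the Secure attribute is withheld from the HTTP endpoint regardless of the SameSite policy.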

In versions prior to v8.0:

Create the DWORD value RedirectHTTPtoHTTPS in the following registry key and set it to a non-zero value.

32-bit:

HKEY_LOCAL_MACHINE\Software\GlobalSCAPE Inc.\EFT Server 3.0\

64-bit:

HKEY_LOCAL_MACHINE\Software\WOW6432Node\GlobalSCAPE Inc.\EFT Server 3.0\

When set to a non-zero value, all traffic coming to the HTTP port is redirected to the HTTPS port using the HTTP protocol (header redirection).
 
The HTTP port will be LISTENING even if the check box is OFF for that protocol, including through DMZ Gateway.