Most users are unaware of protocols and security. Even if your web sites offer secure services, users will still try to access web sites using HTTP.
As a result, for practical reasons, usually you must offer at least an HTTP service that redirects requests to HTTPS. Even then, if a man-in-the-middle attacker or CRL causes a certificate validation error, many users will incorrectly assume it is harmless, and click through the alert dialog to access the web site anyway — sometimes called “click-through insecurity.” The resulting unsecured connection exposes sensitive data and their login credentials.
Newer versions of major browsers such as Mozilla Firefox and Google Chrome have a built-in list of frequently attacked web sites such as gmail.com and twitter.com. The browser will only allow them to be accessed via HTTPS. This prevents users from ever accidentally exposing sensitive data via clear text HTTP. Additionally, the browser will not show click-through certificate validation error dialogs to the user, preventing them from ignoring and bypassing fatal security errors.
Similarly, you can also force clients to use only HTTPS when connecting to your web sites. To do this, when FortiWeb is performing SSL/TLS offloading, configure it include the RFC 6797 strict transport security header. All compliant clients will require access to that domain name to
1. If you want to redirect clients that initially attempt to use HTTP, configure an HTTP-to-HTTPS redirect. See Example: HTTP-to-HTTPS redirect and Rewriting & redirecting.
2. When configuring the server policy, enable Add HSTS Header and configure Max. Age.