Tags: security, http, https, hsts

Secure first HTTP request


I'm building a web site, and wondering how I can ensure that it is secure if the first request is made over HTTP. HSTS does this, but only partially.

I think not opening the HTTP port solves this problem. But is this standard? My site is B to B, so SEO is not a problem. Users directly access my addresses, but assume it is possible with HTTP. Any idea?


Solution

Short answer:

It will protect your visitors even on the first visit thanks to the preload: browsers will know your domain must be contacted only with https even before the first contact (it will be in their source code, see https://github.com/ssllabs/research/wiki/Preload-Lists ).

(And of course, keep your 301 redirect http => https.)

Why is closing port 80 not a good idea? Let's see the two options:

Options with HSTS and port 80 closed:

In case of an attack:

Options with HSTS and port 80 open:

In case of an attack:

As you can see, opening port 80 to answer a 301 redirect to https can improve security a little (and closing it will not improve it, and will probably confuse your visitors).