Tags: security, http-redirect, nginx, hsts

How to Handle Port Redirection for HSTS


Currently in the process of setting up a new personal server. I've been reading about HSTS (thanks EFF!), as well as the steps for implementing it on Nginx (ex: here).

What I haven't seen clearly spelled out is how to handle the initial redirect. Do I serve some static error content at port 80, redirecting to the actual site at HTTPS?

A lot of what I've read so far suggests that serving from HTTP is making your site vulnerable to MITM attacks. Others seem to suggest that as long as you have the Secure flag set on any cookies instantiated, you're good. Of course, plebeian that I am, I'm not on the preloaded HSTS site list, so that's out.

What's the deal here? Should I serve port 80 and redirect for convenience of site visitors, or am I exposing them to attack?

Full-disclosure: Non-Ops by trade, and non-secure content being served, just a hungry mind with a learning opportunity.


Solution

  • On your site at port 80, you just respond with a 301 response code redirecting the user to your HTTPS site at port 443. The secure site then sends the "Strict-Transport-Security" header.

    This will still leave your users vulnerable to man-in-the-middle attacks the very first time they visit your site. You can only mitigate this by getting your site on the preloaded HSTS list.

    Don't set any cookies from the insecure site and always use the secure flag when setting cookies from the secure one.
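The Nginx layout the answer describes, written out as an added example (this is not configuration from the question, the answer, or the EFF guide). Hostname, certificate paths and the backend address are placeholders; `max-age` of one year and the `includeSubDomains; preload` tokens are what hstspreload.org requires, so leave those two tokens off until every subdomain is actually HTTPS-only:

```nginx
# Added example, not from the original post. example.com, the certificate
# paths and the 127.0.0.1:8080 backend are placeholders.

# Port 80: serve nothing except a permanent redirect to HTTPS.
# No content and no Set-Cookie here, so the only thing a network attacker
# can tamper with on the first visit is the redirect itself.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # $host and $request_uri keep the name and path the client asked for.
    return 301 https://$host$request_uri;
}

# Port 443: the real site. Browsers ignore Strict-Transport-Security
# received over plain HTTP, so the header belongs only in this block.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # 31536000 s = 1 year. "always" also sends the header on 4xx/5xx responses.
    # Caveat: add_header is NOT inherited into any location {} that declares
    # its own add_header; repeat this line in such locations.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    location / {
        proxy_pass http://127.0.0.1:8080;

        # Optional belt-and-braces for the "secure flag on cookies" point:
        # rewrite every Set-Cookie from the backend to carry Secure and
        # HttpOnly (requires nginx 1.19.3 or newer). The application should
        # still set these flags itself.
        proxy_cookie_flags ~ secure httponly;
    }
}
```

To check it after `nginx -t && nginx -s reload`: `curl -sI http://example.com/` should return `301` with a `Location: https://example.com/` header and no `Set-Cookie`, and `curl -sI https://example.com/` should show the `Strict-Transport-Security` line. Once that is in place, the remaining first-visit window is exactly the one the answer mentions, and the `preload` token plus a submission at hstspreload.org is what closes it.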