is there any rational basis for adding httponly cookies, HSTS, or HTTPS redirect headers for web svcs that literally only listen on 443 for TLS? (context: not a web server, but custom Go network service; there is no "port 80"). Hard pressed to think of any.
When you say "only listen on 443 for TLS" you mean "When the legitimate site only listens on 443 for TLS"... but there's little stopping an attacker from pretending like there's an HTTP site running on port 80.
So that's why you want HSTS+preload.
not sure it matters, but I should also add: there is no human/browser component, just machine-to-machine (think automated libcurl type client to web service).
It *might* be worth opening port 80 and doing nothing.
The only reason I can see to do this is if you decide you want to redirect users (or bots) navigating to your API domain in their browser. This is useful if you publish the domain in public documentation, etc. Silly little bots will start coming along looking for web content.
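The two points made in the replies above (HSTS so a browser never tries plaintext, and a port-80 listener that does nothing but redirect) fit in a few lines of Go. The following is an added example written for this page, not code from anyone in the thread: a TLS listener that stamps `Strict-Transport-Security` on every response, and a plaintext listener whose only job is a 301 to the same host and path over https. The certificate paths `cert.pem`/`key.pem`, the `apiHandler` endpoint and the one-year `max-age` are placeholders chosen here, not values from the thread. Two caveats the code comments repeat: browsers ignore an HSTS header received over plain HTTP, so the redirect handler deliberately does not send it; and HSTS is a browser mechanism, so a libcurl-style client will not act on it unless that client has HSTS support explicitly enabled. For a purely machine-to-machine API the header is cheap but protects only browsers and any bots that honour it, and `HttpOnly` is moot if the service never sets a cookie.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"time"
)

// hstsValue is the Strict-Transport-Security policy sent on every TLS response.
// max-age, includeSubDomains and preload are the directives the browser
// preload list expects; the one-year max-age is a constructed example value.
const hstsValue = "max-age=31536000; includeSubDomains; preload"

// withHSTS wraps an http.Handler and adds the HSTS header to each response.
// It belongs on the TLS listener only: browsers ignore HSTS received over
// plain HTTP, so the port-80 redirect handler below never sends it.
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", hstsValue)
		next.ServeHTTP(w, r)
	})
}

// redirectToHTTPS is the whole of the port-80 listener: it serves no content
// and answers every request with a permanent redirect to https on the same
// host and path (query string preserved).
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	host := r.Host
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // drop an explicit :80 so the target is https://host/path
	}
	target := "https://" + host + r.URL.RequestURI()
	http.Redirect(w, r, target, http.StatusMovedPermanently)
}

// apiHandler stands in for the real service (hypothetical endpoint).
func apiHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"status":"ok"}`)
}

func main() {
	// Plaintext listener: redirect only. A short header timeout keeps an
	// unauthenticated client from holding idle connections open cheaply.
	go func() {
		srv := &http.Server{
			Addr:              ":80",
			Handler:           http.HandlerFunc(redirectToHTTPS),
			ReadHeaderTimeout: 5 * time.Second,
		}
		log.Fatal(srv.ListenAndServe())
	}()

	// TLS listener: the actual API, with HSTS on every response.
	// cert.pem and key.pem are placeholder paths.
	srv := &http.Server{
		Addr:              ":443",
		Handler:           withHSTS(http.HandlerFunc(apiHandler)),
		ReadHeaderTimeout: 5 * time.Second,
	}
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem"))
}
```

Because the plaintext listener never parses a body or routes to application code, opening it adds almost no attack surface while removing the "silly little bots" hitting a closed port and giving browsers a path to the HSTS-bearing response.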