TL;DR
Closing port 80 (the standard HTTP port) on your server can improve security, but it’s not a magic bullet. It forces users to use HTTPS (port 443), which encrypts their connection. However, you *must* redirect all traffic from port 80 to port 443 for this to work effectively.
Why Port 80 Can Be a Security Risk
Port 80 is used for unencrypted web traffic (HTTP). Data sent over HTTP can be intercepted and read by attackers. Modern websites should always use HTTPS, which encrypts the data using SSL/TLS.
Steps to Improve Security by Closing Port 80
- Check if Port 80 is Open: Use a tool such as netstat or an online port checker.
- Using netstat (Linux):
sudo netstat -tulnp | grep ':80'
This shows whether anything is listening on port 80. Note that the pattern ':80' also matches ports such as 8080, so check the local address column (or add a trailing space to the pattern, ':80 ').
- Online Port Checker: Search for ‘online port checker’ and enter your website address to see if port 80 is open.
- Close Port 80 with a Firewall: Block the port with your host or cloud firewall (e.g., UFW, iptables, firewalld, or a cloud provider's security group).
- Using UFW (Ubuntu):
sudo ufw deny 80
Then reload the firewall:
sudo ufw reload
- Using firewalld (CentOS/RHEL):
sudo firewall-cmd --permanent --remove-port=80/tcp
Then reload the firewall:
sudo firewall-cmd --reload
(If port 80 was opened as the "http" service rather than as a raw port, remove the service with --remove-service=http instead; --remove-port has no effect on it.)
- Redirect HTTP to HTTPS: Configure the web server to answer every request on port 80 with a permanent redirect to the HTTPS URL. This redirect can only be served while something still listens on port 80; if the firewall rule above blocks the port entirely, http:// requests fail with a connection error instead of being redirected.
- Apache: Add the following to your virtual host configuration file (.htaccess or site config):
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
- Nginx: Add the following server block to your configuration file:
server {
    listen 80;
    return 301 https://$host$request_uri;
}
- Test the Redirect: Visit your site over HTTP (e.g., http://yourwebsite.com) and HTTPS (e.g., https://yourwebsite.com). You should be automatically redirected to the HTTPS version.
Important Considerations
- HTTPS is Essential: Closing port 80 only helps if you have a correctly configured HTTPS setup on port 443.
- HSTS: Consider enabling HTTP Strict Transport Security (HSTS) to further improve security by telling browsers to *always* use HTTPS for your site. Browsers only honor the header when it arrives over HTTPS, and once it is cached a broken certificate locks users out until max-age expires, so start with a short max-age and raise it after the HTTPS setup has proven stable.
- Content Security Policy (CSP): Implement CSP to mitigate cross-site scripting (XSS) attacks.
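The redirect test in the steps above and the HSTS point in this list can both be verified from the command line rather than by eye. The script below is an added example, not part of the original article; it assumes curl is installed and that the hostname (yourwebsite.com is used as a placeholder) is passed as its first argument. Its two parse functions work on captured header text, so they are exercised on constructed sample responses and need no network access:

```sh
#!/bin/sh
# Added example (not from the original article): checks that port 80 sends a
# permanent redirect to HTTPS and that the HTTPS response carries HSTS.
# Assumes curl is installed; the hostname is taken from the first argument.

# Succeed (exit 0) if a port-80 response is a permanent redirect to the
# HTTPS version of the same host. Temporary redirects (302/307) are rejected
# because they let clients keep returning to HTTP on later visits.
http_redirects_to_https() {
    headers=$(printf '%s\n' "$1" | tr -d '\r')   # drop CR from CRLF endings
    host="$2"
    status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p')
    location=$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case "$status" in
        301|308) ;;
        *) return 1 ;;
    esac
    case "$location" in
        "https://$host"|"https://$host"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if an HTTPS response carries a Strict-Transport-Security header
# whose max-age is at least $2 seconds.
hsts_max_age_at_least() {
    headers=$(printf '%s\n' "$1" | tr -d '\r')
    min_age="$2"
    max_age=$(printf '%s\n' "$headers" \
        | sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity:.*max-age=\([0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    [ -n "$max_age" ] && [ "$max_age" -ge "$min_age" ]
}

# Live check: fetch only the headers with curl (GET, body discarded, no
# redirect following) and report. Usage: sh check_https.sh yourwebsite.com
check_site() {
    host="$1"
    rc=0
    if http_headers=$(curl -sS -D - -o /dev/null --max-time 10 "http://$host/"); then
        if http_redirects_to_https "$http_headers" "$host"; then
            echo "OK   port 80 permanently redirects to https://$host"
        else
            echo "FAIL port 80 answers but does not 301/308 to https://$host"; rc=1
        fi
    else
        # A firewalled port 80 means the redirect can never be served.
        echo "WARN port 80 unreachable: http:// visitors get an error, not a redirect"; rc=1
    fi
    https_headers=$(curl -sS -D - -o /dev/null --max-time 10 "https://$host/") \
        || { echo "FAIL could not fetch https://$host/"; return 1; }
    if hsts_max_age_at_least "$https_headers" 31536000; then
        echo "OK   HSTS present with max-age of at least one year"
    else
        echo "FAIL HSTS missing or max-age below one year"; rc=1
    fi
    return "$rc"
}

# Constructed sample headers (not captured from any real server) so the parse
# functions can be exercised offline.
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://yourwebsite.com/index.html
Content-Length: 0'
SAMPLE_TEMP_REDIRECT='HTTP/1.1 302 Found
Location: https://yourwebsite.com/'
SAMPLE_HTTPS='HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains
content-type: text/html'
SAMPLE_NO_HSTS='HTTP/2 200
content-type: text/html'

# Run the live check only when a hostname was given on the command line.
if [ -n "${1:-}" ]; then
    check_site "$1"
fi
```

The port-80 branch distinguishes "answers but redirects wrongly" from "unreachable", because the second case is what a firewall rule on port 80 produces and it silently breaks the redirect step rather than securing it; the HSTS threshold of one year matches what browsers expect before they treat the policy as long-lived.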