Is port 80 secure enough to allow through the firewall? (2024)

FAQs

Is port 80 secure enough to allow through the firewall? ›

Summary. Opening port 80 on your firewall is no different than opening port 443, provided the web server is configured to redirect the traffic to a secure port. This also ensures users connecting on port 80 do not get connection errors.

Port 80 is unencrypted because it is the default port for HTTP, an insecure transfer protocol used to retrieve web pages. Port 443 is secure because it uses HTTPS, which does the same thing as port 80, except securely.

Port 80 vulnerabilities include a lack of encryption, which makes it susceptible to eavesdropping and packet interception. In addition, the services and applications that run on it are open to attacks such as SQL injection, cross-site scripting (XSS), and cross-site request forgery.

HTTPS is secure, whereas HTTP is not. HTTPS utilizes port 443; HTTP provides data on port 80. While HTTPS functions at the transport layer, HTTP runs at the application layer. While HTTPS requires an SSL certificate signed by a CA, HTTP requires no SSL certificates.

Many administrators who manage web servers on their network tend to block traffic for port 80 (HTTP) and only allow 443 (HTTPS) with the hope that it will secure their network. This is a myth, and this article demonstrates why port 80 is no different than port 443 if your goal is to make your network secure.

Port 443 is encrypted, but port 80 is not, which is a crucial difference between the two. Port 80 is, by default, unencrypted to access internet pages, as HTTP is an insecure form of communication. Port 443 is secure because it uses HTTPS, a secure variant of port 80, to achieve the same objectives.

Leave port 80 open for user convenience so that browsers that default to HTTP on port 80 can get properly redirected to HTTPS on port 443. Otherwise, they're going to get connectivity errors if either their browser doesn't default to HTTPS or at least check if HTTPS is available for them.

Port 20 and port 21 allow users to send and receive files from servers. These are outdated and insecure FTP ports that can encourage brute-force password attacks, cross-site scripting, anonymous authentication, and directory traversal attacks. Port 23 is known for connecting users to remote computers.

What usually runs on port 80? ›

Port 80 is the port number assigned to commonly used internet communication protocol, Hypertext Transfer Protocol (HTTP). It is the default network port used to send and receive unencrypted web pages.

The only time port 80 is used for unencrypted HTTP traffic is when specifically connecting to sites with no HTTPS or TLS enabled. Some use cases include: Basic web servers serve static informational content over HTTP. Legacy systems and hardware that do not support HTTPS encryption.

Port 80 is HTTP: that's never closed by default for solicited traffic otherwise significant swathes of the World Wide Web wouldn't be browsable behind the firewall.

Use TLS certificates and enable HTTPS even for non-sensitive content to improve security. Redirect all HTTP port 80 requests to HTTPS port 443 when possible. Close port 80 entirely and only use HTTPS if HTTP is not explicitly necessary.