So are you essentially saying it’s better to not even have an entrypoint on port 80 in your config at all despite using a redirect, or would using the HSTS header still prevent someone from explicity requesting your domain via http:// entirely in your examples 3 and 4?
And is this only related to allowing external requests on port 80 because the client could potentially have their connection hijacked? If you were to allow an entrypoint on port 80 from internal IP ranges only this is not a possibility (assuming your lan isn’t compromised by some other means), right?
Thankfully, I haven’t needed to expose any services so I just use a VPN for now, but I haven’t gotten around to enabling valid ssl certs for internal traffic as an additional layer of security either. I hadn’t even considered the scenario you described, so it seems like it’s better to just go the route of https everywhere and not even use an entrypoint on port 80 regardless.
Exactly, I should have said what would the server do when clients try to connect via http:// with and without the HSTS header but I see what you mean now. Thanks for the explanation!