Should I use HTTPS on a domain that will only be used for redirection?

If you don't secure and a user visits that site, a man-in-the-middle attacker can manipulate the traffic and keep the user on, where he can intercept all traffic.

It doesn't matter that your version of redirects to The attacker can change this behavior and offer a HTTP version of your site to the user.

If you don't have a certificate for, anyone trying to access that (without the www. part) on HTTPS will get an error, and very likely not a redirection to With browsers pushing HTTPS as default protocol more and more, this will become a growing issue.

Many certificate authorities allow you to add multiple domain names in one certificate request, so you can get one certificate for both and

Yes, you should.

In your scenario, the user types the name of your domain into their browser's address bar. No protocol, no www., just Most browsers will respond by first trying to connect to Now an attacker has the opportunity to interfere with this request and/or the response - preventing any redirect from occurring, or redirecting the user to the wrong destination, or any other bad behaviour.

Simply supporting HTTPS on the base domain doesn't help with this, since the browser will still connect over HTTP first, and the attacker controls what happens from that point on. (Although it does have the minor advantage of providing a better experience for those rare users who type into their browsers).

The only way to truly avoid the problem is if, when the user types, the browser immediately connects over HTTPS, without waiting for a redirect. This can be achieved (in most browsers) by getting your domain onto the HSTS preload list. The requirements for adding a domain to the preload list imply that the base domain must be available over HTTPS (you can only submit the base domain for inclusion, and that's what will be checked for the first two requirements; also, the HSTS header as specified in the fourth requirement is only valid over HTTPS).

So, the answer to your question is yes - you should secure the base domain - but you should also consider fulfilling the other requirements and adding the domain to the preload list.