Our site currently redirects requests sent to http://example.com to https://example.com -- everything beyond this is served over SSL. For now, the redirect is done with an Apache rewrite rule.
Our site is dealing with money, however, so security is pretty important. Does allowing HTTP in this way pose any greater security risk than just not opening or listening on port 80? Ideally, it's a little more user-friendly to redirect.
(I am aware that SSL is only one of a large set of security considerations, so please make the generous assumption that we have done at least a "very good" job of covering various security bases.)
You're doing the right thing by redirecting http to https (assuming you use 301 redirects).
One additional thing that you should strongly consider doing is enabling Strict Transport Security so that browsers know that this is a web site they should connect to only via https.
It actually can create a security issue if done incorrectly, but given that the biggest banks and financial firms in the world [effectively] do it for their online services, I think you're safe, or at least in good company.
Stack Overflow has an older thread on the topic, and as observed, you want to make sure that you enable HSTS, otherwise there are potential issues with MiTM attacks and potential session hijacking.
And, by the way, the recommended way to do this is with a VirtualHost rule rather than mod_rewrite.
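As an added illustration of the two points made in the answers above (a 301 redirect done in the port-80 VirtualHost instead of mod_rewrite, and HSTS sent only from the HTTPS side), here is a minimal Apache 2.4 layout; it is example configuration written for this thread, not taken from the question or the answers, and the hostname, certificate paths, DocumentRoot and max-age value are assumptions to adapt.

```apache
# Added example, not from the original question or answers.
# Hostname, certificate paths, DocumentRoot and max-age are assumptions.

# Port 80 exists only to issue a permanent (301) redirect. Nothing is served
# from this vhost, so a client that starts on plain HTTP receives a single
# redirect and no application content travels in the clear.
<VirtualHost *:80>
    ServerName example.com
    # Redirect comes from mod_alias; mod_rewrite is not needed for this.
    Redirect permanent / https://example.com/
</VirtualHost>

# Everything real lives here, behind TLS.
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # Assumed paths; point these at your real certificate and key.
    SSLCertificateFile /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # HSTS. Browsers honour this header only when it arrives over HTTPS, so it
    # belongs on this vhost and not on the port-80 one. "always" makes
    # mod_headers attach it to error responses as well as normal ones.
    # max-age=31536000 is one year; includeSubDomains extends the policy to
    # every subdomain, so only enable it once all of them are served over TLS.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Assumed path.
    DocumentRoot /var/www/example.com
</VirtualHost>
```

After reloading Apache, `curl -sI http://example.com/` should return a 301 whose Location is the https URL, and `curl -sI https://example.com/` should include the Strict-Transport-Security header while the plain-HTTP response does not.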