Magento Frontend – Force HTTPS on All Pages

base-urlfrontendhttpsssl

In the backend, I've enabled Use Secure URLs in the Frontend. But users can still visit my site through non-secure URLs, except for checkout/account pages.

I want to force secure URLs on all pages. What I do right now is change the unsecure base URL to "https://…."

It seems working. If users use HTTP, they'll be redirected to https. But I wonder if this is the correct way to do it. Any side effects?

Best Answer

The default answer is, set the unsecure base url to https:// depending on your setup this already is enough for a redirect if users try to use http://

Maybe a redirect on webserver level is better, as it avoids requests going through php first.

And if you want the real perfectly secure solution, you should add your website on https://hstspreload.appspot.com/ . But careful with this, if you need to change your certificate, this can cause big problems. Let your Hoster care about this Part.

Related Solutions

Magento – How to make https URL to http

There is a function just for that, called shouldUrlBeSecure located in app/code/core/Mage/Core/Model/Config.php on line 1477.

Here is the complete function:

/**
 * Check whether given path should be secure according to configuration security requirements for URL
 * "Secure" should not be confused with https protocol, it is about web/secure/*_url settings usage only
 *
 * @param string $url
 * @return bool
 */
public function shouldUrlBeSecure($url)
{
    if (!Mage::getStoreConfigFlag(Mage_Core_Model_Store::XML_PATH_SECURE_IN_FRONTEND)) {
        return false;
    }

    if (!isset($this->_secureUrlCache[$url])) {
        $this->_secureUrlCache[$url] = false;
        $secureUrls = $this->getNode('frontend/secure_url');
        foreach ($secureUrls->children() as $match) {
            if (strpos($url, (string)$match) === 0) {
                $this->_secureUrlCache[$url] = true;
                break;
            }
        }
    }

    return $this->_secureUrlCache[$url];
}

To see which URLs should be secure you can add a simple Mage::log($secureUrls) inside the if statement. This is what my log entry looked like:

2014-02-12T11:55:26+00:00 DEBUG (7): Mage_Core_Model_Config_Element Object
(
    [install] => /install/wizard/checkSecureHost
    [customer] => /customer/
    [sales] => /sales/
    [authorizenet_paygate] => /paygate/authorizenet_payment
    [checkout_onepage] => /checkout/onepage
    [checkout_multishipping] => /checkout/multishipping
    [paypal_express] => /paypal/express
    [paypal_standard] => /paypal/standard
    [paypal_express_callbackshippingoptions] => paypal/express/callbackshippingoptions
    [googlecheckout_redirect] => /googlecheckout/redirect/
    [googlecheckout_beacon] => /googlecheckout/api/beacon/
    [googlecheckout_api] => /googlecheckout/api/
    [review_customer] => /review/customer/
    [tag_customer] => /tag/customer/
    [wishlist] => /wishlist/
    [paypaluk_express] => /paypaluk/express
    [rss_catalog_review] => /rss/catalog/review
    [rss_order_new] => /rss/order/new
    [rss_catalog_notifystock] => /rss/catalog/notifystock
    [centinel] => /centinel/
    [newsletter_manage] => /newsletter/manage/
    [downloadable] => /downloadable/customer/
    [downloadable_download] => /downloadable/download/
    [ogone_api] => /ogone/api
    [persistent_onepage_register] => /persistent/index/saveMethod
    [checkout_cart] => /checkout/cart
    [storecredit_info] => /storecredit/info/
    [giftcard_customer] => /giftcard/customer/
    [enterprise_pbridge_pbridge] => /enterprise_pbridge/pbridge/
    [invitation] => /invitation/
)

Now to figure out how Magento switches HTTP to HTTPS I think you would most likely have dive into the Zend framework in the lib inside lib/Zend/Http/* because it contains files of most interest. Well, anyway hope this helped. Good luck!

Magento – https to http change url through .htaccess in magento sites except checkout or the account page

This code solved this problem

Options +FollowSymLinks
    RewriteEngine on


RewriteEngine on
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^(shop|blog|stockists|inthepress|contacts|review|home) http://www.example.com%{REQUEST_URI} [R=301,L]

RewriteCond %{HTTPS} on
RewriteRule ^$ http://%{HTTP_HOST} [L,R]

Best Answer

Related Solutions

Magento – How to make https URL to http

Magento – https to http change url through .htaccess in magento sites except checkout or the account page

Related Topic