In the backend, I've enabled Use Secure URLs in the Frontend. But users can still visit my site through non-secure URLs, except for checkout/account pages.
I want to force secure URLs on all pages. What I do right now is change the unsecure base URL to "https://…."
It seems working. If users use HTTP, they'll be redirected to https. But I wonder if this is the correct way to do it. Any side effects?
Best Answer
The default answer is, set the unsecure base url to https:// depending on your setup this already is enough for a redirect if users try to use http://
Maybe a redirect on webserver level is better, as it avoids requests going through php first.
And if you want the real perfectly secure solution, you should add your website on https://hstspreload.appspot.com/ . But careful with this, if you need to change your certificate, this can cause big problems. Let your Hoster care about this Part.