Force HTTPS on all pages in the frontend, not just Checkout/Account

  • In the backend, I've enabled Use Secure URLs in the Frontend. But users can still visit my site through non-secure URLs, except for checkout/account pages.

    I want to force secure URLs on all pages. What I do right now is change the unsecure base URL to "https://...."

    It seems working. If users use HTTP, they'll be redirected to https. But I wonder if this is the correct way to do it. Any side effects?

    I've heard that the correct way is to override the secure route in config.xml.

  • Flyingmana (Correct answer), 6 years ago

    The default answer is: set the unsecure base URL to https://. Depending on your setup, this is already enough for a redirect if users try to use http://.

    Maybe a redirect on web server level is better, as it avoids requests going through PHP first.

    And if you want the real, perfectly secure solution, you should add your website on https://hstspreload.appspot.com/. But be careful with this: if you need to change your certificate, this can cause big problems. Let your hoster take care of this part.

    Why change the certificate? HSTS "only" makes the browser access the page via HTTPS from now on. I made a module for this: https://github.com/ikonoshirt/StrictTransportSecurity

    Maybe I mixed this up a bit with certificate pinning. I thought the preloading would also contain a fingerprint for the certificate.

    @Flyingmana: If you look at the actual HSTS preload list in the Chromium source, the vast majority of entries don't contain a certificate fingerprint or anything of the sort, just the domain name.
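The answer and the comments above turn on two checks a site must pass before it is safe to submit it for HSTS preloading: plain http:// requests must redirect to https:// on the same host, and the Strict-Transport-Security header must carry a max-age of at least one year plus the includeSubDomains and preload directives. The following is an added example, not code from the thread or from the ikonoshirt module linked above; it assumes the submission requirements published at hstspreload.org and parses header values per RFC 6797. All sample headers and responses are constructed, so it runs offline against no real site.

```python
"""Evaluate HTTP-to-HTTPS redirects and Strict-Transport-Security headers
for HSTS preload readiness (added example; not from the original thread)."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Minimum max-age (one year in seconds) required by the preload list.
ONE_YEAR = 31536000


class HstsPolicy:
    """Parsed directives of one Strict-Transport-Security header value."""

    def __init__(self) -> None:
        self.max_age: Optional[int] = None
        self.include_subdomains = False
        self.preload = False
        self.problems: List[str] = []


def parse_hsts(header: str) -> HstsPolicy:
    """Parse an STS header value. Directive names are case-insensitive and
    unknown directives are ignored, as RFC 6797 section 6.1 requires."""
    policy = HstsPolicy()
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # quoted-string form is allowed
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                policy.problems.append(f"max-age is not a non-negative integer: {value!r}")
            else:
                policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def preload_ready(header: str) -> Tuple[bool, List[str]]:
    """Return (ready, problems) for a header against the preload requirements."""
    policy = parse_hsts(header)
    problems = list(policy.problems)
    if policy.max_age is None:
        problems.append("missing max-age directive")
    elif policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below the one-year minimum ({ONE_YEAR})")
    if not policy.include_subdomains:
        problems.append("missing includeSubDomains directive")
    if not policy.preload:
        problems.append("missing preload directive")
    return (not problems, problems)


def redirects_to_https(status: int, headers: Dict[str, str], request_host: str) -> bool:
    """True if a response to a plain-HTTP request is a redirect to https://
    on the same host. Compares the parsed hostname, so a Location that merely
    starts with the host name (e.g. shop.example.evil) does not pass."""
    if status not in (301, 302, 307, 308):
        return False
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    parts = urlsplit(location)
    return parts.scheme == "https" and (parts.hostname or "").lower() == request_host.lower()


# Constructed sample header values (not captured from any real site).
SAMPLE_HEADERS = {
    "one-year-only": "max-age=31536000",
    "preload-ready": "max-age=63072000; includeSubDomains; preload",
    "too-short": "max-age=300; includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        ready, problems = preload_ready(header)
        print(f"{label}: {'ready' if ready else problems}")
    # Constructed redirect responses for a hypothetical host.
    print(redirects_to_https(301, {"Location": "https://shop.example/"}, "shop.example"))
    print(redirects_to_https(301, {"Location": "https://shop.example.evil/"}, "shop.example"))
```

The redirect check is the part that a web server level rule (rather than PHP) usually provides; run it against the response to a plain http:// request before adding the preload directive, because once a domain is on the list the browser will refuse plain HTTP for every subdomain and removal takes months.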

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM