How to find out if you re using HTTPS without SERVER HTTPS

Question

I ve seen many tutorials online that says you need to check   SERVER  HTTPS   if the server is connection is secured with HTTPS  My problem is that on some of the servers I use    SERVER  HTTPS   is an undefined variable that results in an error  Is there another variable I can check that should always be defined   Just to be clear  I am currently using this code to resolve if it is an HTTPS connection   if isset   SERVER  HTTPS           if    SERVER  HTTPS       on              secure connection   true

User · Answer

Here is a re-usable function that I have been using for a while. HTH.

Note: The value of HTTPS_PORT (which is a custom constant in my code) may vary on your envrionment, for example it may be 443 or 81.

/**
 * Determine if this is a secure HTTPS connection
 * 
 * @return  bool    True if it is a secure HTTPS connection, otherwise false.
 */
function isSSL()
{
    if (isset($_SERVER['HTTPS'])) {
        if ($_SERVER['HTTPS'] == 1) {
            return true;
        } elseif ($_SERVER['HTTPS'] == 'on') {
            return true;
        }
    } elseif ($_SERVER['SERVER_PORT'] == HTTPS_PORT) {
        return true;
    }

    return false;
}

User · Answer

secure connection      empty   SERVER  HTTPS     amp  amp    SERVER  HTTPS       off        empty   SERVER  HTTP HTTPS     amp  amp    SERVER  HTTP HTTPS       off        SERVER  REQUEST SCHEME       https       SERVER  SERVER PORT      443    true   false    Code is checking anything possible and works also on IIS web server  Chrome since v44 do not set header HTTP  1 so checking HTTP HTTPS is OK  If this code does not match https it means your webserver or proxy server is poorly configured  Apache itself sets HTTPS flag correctly but there can be problem when you use proxy  e g  nginx   You must set some header in nginx https virtual host  proxy set header   X-HTTPS 1    and use some Apache module to set HTTPS flag correctly by looking for X-HTTPS from proxy  Search for mod fakessl  mod rpaf  etc

User · Answer

I used the main suggestion here and got annoyed at the  PHP Notice  in the logs when HTTPS was not set  You can avoid it by using the null-coalescing operator         if     SERVER  HTTPS       off       off             redirect      Note  not available prior to php v7

User · Answer

This is how i find solve this   https    empty   SERVER  HTTPS     amp  amp  strcasecmp   SERVER  HTTPS     on       0             empty   SERVER  HTTP X FORWARDED PROTO     amp  amp              strcasecmp   SERVER  HTTP X FORWARDED PROTO     https       0   return   https     https        http

User · Answer

If you are using Incapsula s load balancer you ll need to use an IRule to generate a custom header for your server  I created an HTTP X FORWARDED PROTO header that is equal to either  http  if the port is set to 80 and  https  if it is equal to 443

User · Answer

Making my own function from reading all previous posts   public static function isHttps         if  array key exists  HTTPS     SERVER   amp  amp   on        SERVER  HTTPS              return true            if  array key exists  SERVER PORT     SERVER   amp  amp  443      int   SERVER  SERVER PORT              return true            if  array key exists  HTTP X FORWARDED SSL     SERVER   amp  amp   on        SERVER  HTTP X FORWARDED SSL              return true            if  array key exists  HTTP X FORWARDED PROTO     SERVER   amp  amp   https        SERVER  HTTP X FORWARDED PROTO              return true            return false

User · Answer

Chacha  per the PHP documentation   Set to a non-empty value if the script was queried through the HTTPS protocol   So your if statement there will return false in many cases where HTTPS is indeed on  You ll want to verify that   SERVER  HTTPS   exists and is non-empty  In cases where HTTPS is not set correctly for a given server  you can try checking if   SERVER  SERVER PORT       443   But note that some servers will also set   SERVER  HTTPS   to a non-empty value  so be sure to check this variable also   Reference  Documentation for   SERVER and  HTTP SERVER VARS  deprecated

User · Answer

If you don t have control of the web server  amp  don t know which variables have been set  upload this php to find out   lt  php echo  quot  lt br gt 1  quot    SERVER  quot HTTPS quot    echo  quot  lt br gt 2  quot    SERVER  quot SERVER PORT quot    echo  quot  lt br gt 3  quot    SERVER  quot HTTP X FORWARDED PROTO quot    echo  quot  lt br gt 4  quot    SERVER  quot HTTP X FORWARDED SSL quot    echo  quot  lt br gt 5  quot    SERVER  quot HTTP HTTPS quot    echo  quot  lt br gt 6  quot    SERVER  quot REQUEST SCHEME quot      gt    lt html gt   lt body gt   lt br gt  Just cruising  lt  body gt   lt  html gt

User · Answer

The only reliable method is the one described by Igor M    pv URIprotocol   isset   SERVER  HTTPS          SERVER  HTTPS      on       SERVER  HTTPS     1      SERVER  SERVER PORT      pv sslport     https        http             SERVER  SERVER PORT      pv sslport     https        http         Consider following  You are using nginx with fastcgi  by default debian  ubuntu  fastgi params contain directive   fastcgi param  HTTPS                    https   if you are NOT using SSL  it gets translated as empty value  not  off   not 0 and you are doomed   http   unpec blogspot cz 2013 01 nette-nginx-php-fpm-redirect html

User · Answer

As per hobodave s post   Set to a non-empty value if the script was queried through the HTTPS protocol    if   empty   SERVER  HTTPS            secure connection   true

User · Answer

The REAL answer  ready for copy-paste into a  config  script     configuration settings  X edit may 10th  11     pv sslport 443     for it might be different  as also Gabriel Sosa stated     pv serverport 80     X     pv servername  mysite com      X        X appended after correction by Michael Kopinsky    if  isset   SERVER  SERVER NAME          SERVER  SERVER NAME          if  isset   ENV  SERVER NAME               getenv  SERVER NAME               Set to env server name           SERVER  SERVER NAME     ENV  SERVER NAME            if    SERVER  SERVER NAME             X server name still empty      you might set   SERVER  SERVER NAME    pv servername        if  isset   SERVER  SERVER PORT          SERVER  SERVER PORT          if  isset   ENV  SERVER PORT               getenv  SERVER PORT              SERVER  SERVER PORT     ENV  SERVER PORT            if    SERVER  SERVER PORT             X server port still empty      you might set   SERVER  SERVER PORT    pv serverport         pv URIprotocol   isset   SERVER  HTTPS          SERVER  HTTPS      on       SERVER  HTTPS     1      SERVER  SERVER PORT      pv sslport     https        http             SERVER  SERVER PORT      pv sslport     https        http          pv URIprotocol is now correct and ready to be used  example  site  pv URIprotocol   SERVER  SERVER NAME    Naturally  the string could be replaced with TRUE and FALSE also  PV stands for PortalPress Variable as it is a direct copy-paste which will always work  This piece can be used in a production script

User · Answer

On my server  Ubuntu 14 10  Apache 2 4  php 5 5  variable   SERVER  HTTPS   is not set when php script is loaded via https  I don t know what is wrong  But following lines in  htaccess file fix this problem   RewriteEngine on  RewriteCond   HTTPS   on  NC   RewriteRule    -  E HTTPS on NE

User · Answer

My solution  because the standard conditions    SERVER  HTTPS       on   do not work on servers behind a load balancer  is    isSecure   false  if  isset   SERVER  HTTPS     amp  amp    SERVER  HTTPS       on          isSecure   true    elseif   empty   SERVER  HTTP X FORWARDED PROTO     amp  amp    SERVER  HTTP X FORWARDED PROTO       https      empty   SERVER  HTTP X FORWARDED SSL     amp  amp    SERVER  HTTP X FORWARDED SSL       on          isSecure   true     REQUEST PROTOCOL    isSecure    https     http     HTTP X FORWARDED PROTO  a de facto standard for identifying the originating protocol of an HTTP request  since a reverse proxy  load balancer  may communicate with a web server using HTTP even if the request to the reverse proxy is HTTPS http   en wikipedia org wiki List of HTTP header fields Common non-standard request headers

User · Answer

What do you think of this   if  isset   SERVER  HTTPS     amp  amp   empty   SERVER  HTTPS     amp  amp    SERVER  HTTPS       off        scheme    https   else      scheme    http

User · Answer

Shortest way I am using    secure connection    empty   SERVER  HTTPS       If if https is used  then  secure connection is true

User · Answer

I have just had an issue where I was running the server using Apache mod ssl  yet a phpinfo   and a var dump    SERVER   showed that PHP still thinks I m on port 80   Here is my workaround for anyone with the same issue       lt VirtualHost   443 gt    SetEnv HTTPS on   DocumentRoot  var www vhost scratch content   ServerName scratch example com  lt  VirtualHost gt    The line worth noting is the SetEnv line   With this in place and after a restart  you should have the HTTPS environment variable you always dreamt of

User · Answer

I don t think that adding a port is good idea - specially when you got many servers with different builds  that just adds one more thing to remember to change  looking at doc s I think the last line of kaisers is quite good  so that   if  empty   SERVER  HTTPS       if   SERVER  HTTPS      off       return 1    https   else     return 0    http else   return 0    http   seems like perfectly enough

User · Answer

I have occasion to go a step further and determine if the site I m connecting to is SSL capable  one project asks the user for their URL and we need to verify they have installed our API pack on a http or https site    Here s the function I use - basically  just call the URL via cURL to see if https works   function hasSSL  url            take the URL down to the domain name      domain   parse url  url  PHP URL HOST        ch   curl init  https        domain       curl setopt  ch  CURLOPT RETURNTRANSFER  1       curl setopt  ch  CURLOPT CUSTOMREQUEST   HEAD      its a  HEAD     curl setopt  ch  CURLOPT NOBODY  true               no body     curl setopt  ch  CURLOPT FOLLOWLOCATION  true       in case of redirects     curl setopt  ch  CURLOPT VERBOSE  0     turn on if debugging     curl setopt  ch  CURLOPT HEADER  1         head only wanted     curl setopt  ch  CURLOPT CONNECTTIMEOUT  10         we dont want to wait forever     curl exec  ch        header   curl getinfo  ch  CURLINFO HTTP CODE       if   header     200            return true            return false      This is the most reliable way I have found to not only find out IF you are using https  as the question asks   but if you COULD  or even SHOULD  be using https     NOTE  it is possible  though not really likely     that a site could have different http and https pages  so if you are told to use http  maybe you don t need to change     The vast majority of sites are the same  and probably should reroute you themselves  but this additional check has its use  certainly as I said  in the project where the user inputs their site info and you want to make sure from the server side

User · Answer

I know this answer is late  but I combined a bunch of answers and made a simple function that works for all use cases  Try this  function is ssl    if isset   SERVER  HTTP X FORWARDED PROTO     amp  amp    SERVER  HTTP X FORWARDED PROTO     quot https quot    return true    elseif isset   SERVER  HTTPS      return true    elseif   SERVER  SERVER PORT      443   return true    else  return false       Then just use if  for example  if is ssl        WHAT TO DO IF IT IS SSL   HTTPS  else     WHAT TO DO IF IT IS NOT SSL   HTTPS    This code works with Cloudflare  shared hosting providers  etc  Enjoy

User · Answer

I would add a global filter to ensure everything I am checking is correct   function isSSL           https   filter input INPUT SERVER   HTTPS         port   filter input INPUT SERVER   SERVER PORT        if   https             if   https    1                return true            elseif   https     on                 return true                  elseif   port     443             return true             return false

User · Answer

You could check   SERVER  SERVER PORT   as SSL normally runs on port 443  but this is not foolproof

User · Answer

If You use nginx as loadbalancing system check   SERVER  HTTP HTTPS      1 other checks will be fail for ssl

User · Answer

I find these params acceptable as well and more then likely don t have false positives when switching web servers      SERVER  HTTPS KEYSIZE     SERVER  HTTPS SECRETKEYSIZE     SERVER  HTTPS SERVER ISSUER     SERVER  HTTPS SERVER SUBJECT    if   SERVER  HTTPS KEYSIZE      NULL    do foobar

User · Answer

This also works when   SERVER  HTTPS   is undefined   if    empty   SERVER  HTTPS     amp  amp    SERVER  HTTPS       off        SERVER  SERVER PORT      443          enable secure connection

User · Answer

just for interest  chrome canary at the moment sends   HTTPS   1   to the server  and depending on how the server is configured can mean that you get back the following  HTTPS   1  on   This broke our application because we were testing if on  which it obviously isn t   At the moment  only chrome canary seems to do this  but its worth noting that things from canary generally land in  normal  chrome a short while later

User · Answer

This should always work even when    SERVER  HTTPS   is undefined   function isSecure       return       empty   SERVER  HTTPS     amp  amp    SERVER  HTTPS        off            SERVER  SERVER PORT      443      The code is compatible with IIS   From the PHP net documentation and user comments       1  Set to a non-empty value if the script was queried through the HTTPS protocol       2  Note that when using ISAPI with IIS  the value will be  off  if the request was not made through the HTTPS protocol   Same behaviour has been reported for IIS7 running PHP as a Fast-CGI application     Also  Apache 1 x servers  and broken installations  might not have   SERVER  HTTPS   defined even if connecting securely  Although not guaranteed  connections on port 443 are  by convention  likely using secure sockets  hence the additional port check   Additional note  if there is a load balancer between the client and your server  this code doesn t test the connection between the client and the load balancer  but the connection between the load balancer and your server  To test the former connection  you would have to test using the HTTP X FORWARDED PROTO header  but it s much more complex to do  see latest comments below this answer

User · Answer

If your are using Apache you may always count on    SERVER  REQUEST SCHEME     to verify the scheme of the URL requested  But  as mentioned in other answers  it is prudent to verify other parameters before assuming SSL is really being used

[php] How to find out if you're using HTTPS without $_SERVER['HTTPS']

Examples related to php

Examples related to https