How can I force users to access my page over HTTPS instead of HTTP

Question

I ve got just one page that I want to force to be accessed as an HTTPS page  PHP on Apache   How do I do this without making the whole directory require HTTPS  Or  if you submit a form to an HTTPS page from an HTTP page  does it send it by HTTPS instead of HTTP  Here is my example  http   www example com some-page php  I want it to only be accessed through  https   www example com some-page php  Sure  I can put all of the links to this page pointed at the HTTPS version  but that doesn t stop some fool from accessing it through HTTP on purpose    One thing I thought was putting a redirect in the header of the PHP file to check to be sure that they are accessing the HTTPS version  if   SERVER  quot SCRIPT URI quot       quot http   www example com some-page php quot      header  Location  https   www example com some-page php       But that can t be the right way  can it

User · Answer

Use   SERVER  HTTPS   to tell if it is SSL  and redirect to the right place if not   And remember  the page that displays the form does not need to be fed via HTTPS  it s the post back URL that needs it most   Edit  yes  as is pointed out below  it s best to have the entire process in HTTPS  It s much more reassuring - I was pointing out that the post is the most critical part   Also  you need to take care that any cookies are set to be secure  so they will only be sent via SSL  The mod rewrite solution is also very nifty  I ve used it to secure a lot of applications on my own website

User · Answer

You could do it with a  directive and mod rewrite on Apache    lt Location  buyCrap php gt  RewriteEngine On RewriteCond   HTTPS  off RewriteRule      https     HTTP HOST   REQUEST URI   lt  Location gt    You could make the Location smarter over time using regular expressions if you want

User · Answer

Had to do something like this when running behind a load balancer  Hat tip https   stackoverflow com a 16076965 766172  function isSecure         return             empty   SERVER  HTTPS     amp  amp    SERVER  HTTPS        off             SERVER  SERVER PORT      443                         empty   SERVER  HTTP X FORWARDED PROTO     amp  amp    SERVER  HTTP X FORWARDED PROTO       https                 empty   SERVER  HTTP X FORWARDED SSL       amp  amp    SERVER  HTTP X FORWARDED SSL       on                       function requireHTTPS         if   isSecure              header  Location  https         SERVER  HTTP HOST       SERVER  REQUEST URI    TRUE  301           exit

User · Answer

You should force the client to request HTTPS always with HTTP Strict Transport Security  HSTS  headers      Use HTTP Strict Transport Security to force client to use secure connections only  use sts   true      iis sets HTTPS to  off  for non-SSL requests if   use sts  amp  amp  isset   SERVER  HTTPS     amp  amp    SERVER  HTTPS       off         header  Strict-Transport-Security  max-age 31536000      elseif   use sts        header  Location  https       SERVER  HTTP HOST     SERVER  REQUEST URI    true  301          we are in cleartext at the moment  prevent further execution and output     die        Please note that HSTS is supported in most modern browsers  but not universal  Thus the logic above manually redirects the user regardless of support if they end up on HTTP  and then sets the HSTS header so that further client requests should be redirected by the browser if possible

User · Answer

I have used this script and it works well through the site   if empty   SERVER  HTTPS         SERVER  HTTPS       off         redirect    https         SERVER  HTTP HOST       SERVER  REQUEST URI        enter code hereheader  HTTP 1 1 301 Moved Permanently        header  Location       redirect       exit

User · Answer

You could do it with a  directive and mod rewrite on Apache    lt Location  buyCrap php gt  RewriteEngine On RewriteCond   HTTPS  off RewriteRule      https     HTTP HOST   REQUEST URI   lt  Location gt    You could make the Location smarter over time using regular expressions if you want

User · Answer

If you use Apache or something like LiteSpeed  which supports  htaccess files  you can do the following  If you don t already have a  htaccess file  you should create a new  htaccess file in your root directory  usually where your index php is located   Now add these lines as the first rewrite rules in your  htaccess   RewriteEngine On RewriteCond   HTTPS  off RewriteRule        https     HTTP HOST   REQUEST URI   L R 301    You only need the instruction  RewriteEngine On  once in your  htaccess for all rewrite rules  so if you already have it  just copy the second and third line   I hope this helps

User · Answer

If you want to use PHP to do this then this way worked really well for me    lt  php  if  isset   SERVER  quot HTTPS quot         SERVER  quot HTTPS quot       quot on quot         header  quot Location  https    quot      SERVER  quot HTTP HOST quot       SERVER  quot REQUEST URI quot    true  301         Prevent the rest of the script from executing      exit      gt    It checks the HTTPS variable in the   SERVER superglobal array to see if it equal to    on     If the variable is not equal to on

User · Answer

Using this is NOT enough   if   SERVER  HTTPS       on         header  Location  https         SERVER  HTTP HOST       SERVER  REQUEST URI         exit        If you have any http content  like an external http image source   the browser will detect a possible threat  So be sure all your ref and src inside your code are https

User · Answer

lt  php     Require https if    SERVER  HTTPS       on          url    https        SERVER  SERVER NAME       SERVER  REQUEST URI        header  Location   url        exit      gt    That easy

User · Answer

You shouldn t for security reasons  Especially if cookies are in play here  It leaves you wide open to cookie-based replay attacks    Either way  you should use Apache control rules to tune it   Then you can test for HTTPS being enabled and redirect as-needed where needed    You should redirect to the pay page only using a FORM POST  no get    and accesses to the page without a POST should be directed back to the other pages    This will catch the people just hot-jumping     http   joseph randomnetworks com archives 2004 07 22 redirect-to-ssl-using-apaches-htaccess   Is a good place to start  apologies for not providing more  But you really should shove everything through SSL   It s over-protective  but at least you have less worries

User · Answer

Use   SERVER  HTTPS   to tell if it is SSL  and redirect to the right place if not   And remember  the page that displays the form does not need to be fed via HTTPS  it s the post back URL that needs it most   Edit  yes  as is pointed out below  it s best to have the entire process in HTTPS  It s much more reassuring - I was pointing out that the post is the most critical part   Also  you need to take care that any cookies are set to be secure  so they will only be sent via SSL  The mod rewrite solution is also very nifty  I ve used it to secure a lot of applications on my own website

User · Answer

use htaccess    if domain has www  and not https      RewriteCond   HTTPS   off  NC    RewriteCond   HTTP HOST     i www                      RewriteRule        https     HTTP HOST   REQUEST URI   QSA L R 307    if domain has not www    RewriteCond   HTTP HOST                      RewriteRule        https   www   HTTP HOST   REQUEST URI   QSA L R 307

User · Answer

You could do it with a  directive and mod rewrite on Apache    lt Location  buyCrap php gt  RewriteEngine On RewriteCond   HTTPS  off RewriteRule      https     HTTP HOST   REQUEST URI   lt  Location gt    You could make the Location smarter over time using regular expressions if you want

User · Answer

If you want to use PHP to do this then this way worked really well for me    lt  php  if  isset   SERVER  quot HTTPS quot         SERVER  quot HTTPS quot       quot on quot         header  quot Location  https    quot      SERVER  quot HTTP HOST quot       SERVER  quot REQUEST URI quot    true  301         Prevent the rest of the script from executing      exit      gt    It checks the HTTPS variable in the   SERVER superglobal array to see if it equal to    on     If the variable is not equal to on

User · Answer

As an alternative  you can make use of X-Forwarded-Proto header to force a redirect to HTTPS  add these lines in the  htaccess file     Force HTTPS RewriteCond   HTTP X-Forwarded-Proto   https RewriteRule   https     HTTP HOST   REQUEST URI   L R 301

User · Answer

The way I ve done it before is basically like what you wrote  but doesn t have any hardcoded values   if   SERVER  HTTPS       on         header  Location  https         SERVER  HTTP HOST       SERVER  REQUEST URI         exit

User · Answer

Don t mix HTTP and HTTPS on the same page  If you have a form page that is served up via HTTP  I m going to be nervous about submitting data -- I can t see if the submit goes over HTTPS or HTTP without doing a View Source and hunting for it   Serving up the form over HTTPS along with the submit link isn t that heavy a change for the advantage

User · Answer

The way I ve done it before is basically like what you wrote  but doesn t have any hardcoded values   if   SERVER  HTTPS       on         header  Location  https         SERVER  HTTP HOST       SERVER  REQUEST URI         exit

User · Answer

The PHP way    is https false  if  isset   SERVER  HTTPS      is https   SERVER  HTTPS    if   is https      on         header  Location  https       SERVER  HTTP HOST     SERVER  REQUEST URI         exit 1       The Apache mod rewrite way   RewriteCond   HTTPS    on RewriteRule   https     HTTP HOST   REQUEST URI   L R 301

User · Answer

You should force the client to request HTTPS always with HTTP Strict Transport Security  HSTS  headers      Use HTTP Strict Transport Security to force client to use secure connections only  use sts   true      iis sets HTTPS to  off  for non-SSL requests if   use sts  amp  amp  isset   SERVER  HTTPS     amp  amp    SERVER  HTTPS       off         header  Strict-Transport-Security  max-age 31536000      elseif   use sts        header  Location  https       SERVER  HTTP HOST     SERVER  REQUEST URI    true  301          we are in cleartext at the moment  prevent further execution and output     die        Please note that HSTS is supported in most modern browsers  but not universal  Thus the logic above manually redirects the user regardless of support if they end up on HTTP  and then sets the HSTS header so that further client requests should be redirected by the browser if possible

User · Answer

Ok   Now there is tons of stuff on this now but no one really completes the   Secure  question   For me it is rediculous to use something that is insecure   Unless you use it as bait      SERVER propagation can be changed at the will of someone who knows how   Also as Sazzad Tushar Khan and the thebigjc stated you can also use httaccess to do this and there are a lot of answers here containing it  Just add   RewriteEngine On RewriteCond   SERVER PORT  80 RewriteRule        https   example com  1  R L    to the end of what you have in your  httaccess and thats that   Still we are not as secure as we possibly can be with these 2 tools   The rest is simple  If there are missing attributes ie     if empty   SERVER  HTTPS         SOMETHING IS FISHY    if strstr   SERVER  HTTP HOST    mywebsite com       FALSE     Something is FISHY       Also say you have updated your httaccess file and you check   if   SERVER  HTTPS        on      Something is fishy     There are a lot more variables you can check ie     HOST URI  If there are static atributes about it to check   HTTP USER AGENT  Same session different values   So all Im saying is dont just settle for one or the other when the answer lies in a combination  For more httaccess rewriting info see the docs-  http   httpd apache org docs 2 0 misc rewriteguide html Some Stacks here -  Force SSL https using  htaccess and mod rewrite and Getting the full URL of the current page  PHP  to name a couple

User · Answer

I just created a  htaccess file and added    RewriteEngine On RewriteCond   HTTPS  off RewriteRule      https     HTTP HOST   REQUEST URI    Simple

User · Answer

The PHP way    is https false  if  isset   SERVER  HTTPS      is https   SERVER  HTTPS    if   is https      on         header  Location  https       SERVER  HTTP HOST     SERVER  REQUEST URI         exit 1       The Apache mod rewrite way   RewriteCond   HTTPS    on RewriteRule   https     HTTP HOST   REQUEST URI   L R 301

User · Answer

Using this is NOT enough   if   SERVER  HTTPS       on         header  Location  https         SERVER  HTTP HOST       SERVER  REQUEST URI         exit        If you have any http content  like an external http image source   the browser will detect a possible threat  So be sure all your ref and src inside your code are https

User · Answer

You could do it with a  directive and mod rewrite on Apache    lt Location  buyCrap php gt  RewriteEngine On RewriteCond   HTTPS  off RewriteRule      https     HTTP HOST   REQUEST URI   lt  Location gt    You could make the Location smarter over time using regular expressions if you want

User · Answer

I have used this script and it works well through the site   if empty   SERVER  HTTPS         SERVER  HTTPS       off         redirect    https         SERVER  HTTP HOST       SERVER  REQUEST URI        enter code hereheader  HTTP 1 1 301 Moved Permanently        header  Location       redirect       exit

User · Answer

Ok   Now there is tons of stuff on this now but no one really completes the   Secure  question   For me it is rediculous to use something that is insecure   Unless you use it as bait      SERVER propagation can be changed at the will of someone who knows how   Also as Sazzad Tushar Khan and the thebigjc stated you can also use httaccess to do this and there are a lot of answers here containing it  Just add   RewriteEngine On RewriteCond   SERVER PORT  80 RewriteRule        https   example com  1  R L    to the end of what you have in your  httaccess and thats that   Still we are not as secure as we possibly can be with these 2 tools   The rest is simple  If there are missing attributes ie     if empty   SERVER  HTTPS         SOMETHING IS FISHY    if strstr   SERVER  HTTP HOST    mywebsite com       FALSE     Something is FISHY       Also say you have updated your httaccess file and you check   if   SERVER  HTTPS        on      Something is fishy     There are a lot more variables you can check ie     HOST URI  If there are static atributes about it to check   HTTP USER AGENT  Same session different values   So all Im saying is dont just settle for one or the other when the answer lies in a combination  For more httaccess rewriting info see the docs-  http   httpd apache org docs 2 0 misc rewriteguide html Some Stacks here -  Force SSL https using  htaccess and mod rewrite and Getting the full URL of the current page  PHP  to name a couple

User · Answer

I have been through many solutions with checking the status of   SERVER HTTPS   but seems like it is not reliable because sometimes it does not set or set to on  off  etc  causing the script to internal loop redirect   Here is the most reliable solution if your server supports   SERVER SCRIPT URI   if  stripos substr   SERVER SCRIPT URI   0  5    https       false        header  location https     SERVER HTTP HOST   SERVER REQUEST URI         echo   lt meta http-equiv  refresh  content  0  url https     SERVER HTTP HOST   SERVER REQUEST URI   gt        exit      Please note that depending on your installation  your server might not support   SERVER SCRIPT URI  but if it does  this is the better script to use   You can check here  Why do some PHP installations have   SERVER  SCRIPT URI   and others not

User · Answer

You shouldn t for security reasons  Especially if cookies are in play here  It leaves you wide open to cookie-based replay attacks    Either way  you should use Apache control rules to tune it   Then you can test for HTTPS being enabled and redirect as-needed where needed    You should redirect to the pay page only using a FORM POST  no get    and accesses to the page without a POST should be directed back to the other pages    This will catch the people just hot-jumping     http   joseph randomnetworks com archives 2004 07 22 redirect-to-ssl-using-apaches-htaccess   Is a good place to start  apologies for not providing more  But you really should shove everything through SSL   It s over-protective  but at least you have less worries

User · Answer

I just created a  htaccess file and added    RewriteEngine On RewriteCond   HTTPS  off RewriteRule      https     HTTP HOST   REQUEST URI    Simple

User · Answer

Don t mix HTTP and HTTPS on the same page  If you have a form page that is served up via HTTP  I m going to be nervous about submitting data -- I can t see if the submit goes over HTTPS or HTTP without doing a View Source and hunting for it   Serving up the form over HTTPS along with the submit link isn t that heavy a change for the advantage

User · Answer

Force HTTPS for security if   SERVER  HTTPS       on          pageURL    Location  https          if    SERVER  SERVER PORT       80              pageURL      SERVER  SERVER NAME             SERVER  SERVER PORT       SERVER  REQUEST URI          else            pageURL      SERVER  SERVER NAME       SERVER  REQUEST URI              header  pageURL

User · Answer

http   www besthostratings com articles force-ssl-htaccess html  Sometimes you may need to make sure that the user is browsing your site over securte connection  An easy to way to always redirect the user to secure connection  https     can be accomplished with a  htaccess file containing the following lines   RewriteEngine On  RewriteCond   SERVER PORT  80  RewriteRule        https   www example com  1  R L    Please  note that the  htaccess should be located in the web site main folder   In case you wish to force HTTPS for a particular folder you can use   RewriteEngine On  RewriteCond   SERVER PORT  80  RewriteCond   REQUEST URI  somefolder  RewriteRule        https   www domain com somefolder  1  R L    The  htaccess file should be placed in the folder where you need to force HTTPS

User · Answer

The way I ve done it before is basically like what you wrote  but doesn t have any hardcoded values   if   SERVER  HTTPS       on         header  Location  https         SERVER  HTTP HOST       SERVER  REQUEST URI         exit

User · Answer

Don t mix HTTP and HTTPS on the same page  If you have a form page that is served up via HTTP  I m going to be nervous about submitting data -- I can t see if the submit goes over HTTPS or HTTP without doing a View Source and hunting for it   Serving up the form over HTTPS along with the submit link isn t that heavy a change for the advantage

User · Answer

If you use Apache or something like LiteSpeed  which supports  htaccess files  you can do the following  If you don t already have a  htaccess file  you should create a new  htaccess file in your root directory  usually where your index php is located   Now add these lines as the first rewrite rules in your  htaccess   RewriteEngine On RewriteCond   HTTPS  off RewriteRule        https     HTTP HOST   REQUEST URI   L R 301    You only need the instruction  RewriteEngine On  once in your  htaccess for all rewrite rules  so if you already have it  just copy the second and third line   I hope this helps

User · Answer

For those using IIS adding this line in the web config will help    lt httpProtocol gt       lt customHeaders gt           lt add name  Strict-Transport-Security  value  max-age 31536000   gt       lt  customHeaders gt   lt  httpProtocol gt   lt rewrite gt       lt rules gt           lt rule name  HTTP to HTTPS redirect  stopProcessing  true  gt                 lt match url          gt                 lt conditions gt                    lt add input   HTTPS   pattern  off  ignoreCase  true    gt                 lt  conditions gt                 lt action type  Redirect  redirectType  Found  url  https    HTTP HOST   R 1     gt            lt  rule gt       lt  rules gt   lt  rewrite gt    A full example file   lt  xml version  1 0  encoding  UTF-8   gt   lt configuration gt       lt system webServer gt           lt httpProtocol gt               lt customHeaders gt                   lt add name  Strict-Transport-Security  value  max-age 31536000   gt                lt  customHeaders gt           lt  httpProtocol gt           lt rewrite gt               lt rules gt                   lt rule name  HTTP to HTTPS redirect  stopProcessing  true  gt                         lt match url          gt                         lt conditions gt                            lt add input   HTTPS   pattern  off  ignoreCase  true    gt                         lt  conditions gt                         lt action type  Redirect  redirectType  Found  url  https    HTTP HOST   R 1     gt                    lt  rule gt               lt  rules gt          lt  rewrite gt      lt  system webServer gt   lt  configuration gt

User · Answer

Force HTTPS for security if   SERVER  HTTPS       on          pageURL    Location  https          if    SERVER  SERVER PORT       80              pageURL      SERVER  SERVER NAME             SERVER  SERVER PORT       SERVER  REQUEST URI          else            pageURL      SERVER  SERVER NAME       SERVER  REQUEST URI              header  pageURL

User · Answer

use htaccess    if domain has www  and not https      RewriteCond   HTTPS   off  NC    RewriteCond   HTTP HOST     i www                      RewriteRule        https     HTTP HOST   REQUEST URI   QSA L R 307    if domain has not www    RewriteCond   HTTP HOST                      RewriteRule        https   www   HTTP HOST   REQUEST URI   QSA L R 307

User · Answer

Don t mix HTTP and HTTPS on the same page  If you have a form page that is served up via HTTP  I m going to be nervous about submitting data -- I can t see if the submit goes over HTTPS or HTTP without doing a View Source and hunting for it   Serving up the form over HTTPS along with the submit link isn t that heavy a change for the advantage

User · Answer

Use   SERVER  HTTPS   to tell if it is SSL  and redirect to the right place if not   And remember  the page that displays the form does not need to be fed via HTTPS  it s the post back URL that needs it most   Edit  yes  as is pointed out below  it s best to have the entire process in HTTPS  It s much more reassuring - I was pointing out that the post is the most critical part   Also  you need to take care that any cookies are set to be secure  so they will only be sent via SSL  The mod rewrite solution is also very nifty  I ve used it to secure a lot of applications on my own website

User · Answer

You shouldn t for security reasons  Especially if cookies are in play here  It leaves you wide open to cookie-based replay attacks    Either way  you should use Apache control rules to tune it   Then you can test for HTTPS being enabled and redirect as-needed where needed    You should redirect to the pay page only using a FORM POST  no get    and accesses to the page without a POST should be directed back to the other pages    This will catch the people just hot-jumping     http   joseph randomnetworks com archives 2004 07 22 redirect-to-ssl-using-apaches-htaccess   Is a good place to start  apologies for not providing more  But you really should shove everything through SSL   It s over-protective  but at least you have less worries

User · Answer

I have been through many solutions with checking the status of   SERVER HTTPS   but seems like it is not reliable because sometimes it does not set or set to on  off  etc  causing the script to internal loop redirect   Here is the most reliable solution if your server supports   SERVER SCRIPT URI   if  stripos substr   SERVER SCRIPT URI   0  5    https       false        header  location https     SERVER HTTP HOST   SERVER REQUEST URI         echo   lt meta http-equiv  refresh  content  0  url https     SERVER HTTP HOST   SERVER REQUEST URI   gt        exit      Please note that depending on your installation  your server might not support   SERVER SCRIPT URI  but if it does  this is the better script to use   You can check here  Why do some PHP installations have   SERVER  SCRIPT URI   and others not

User · Answer

For those using IIS adding this line in the web config will help    lt httpProtocol gt       lt customHeaders gt           lt add name  Strict-Transport-Security  value  max-age 31536000   gt       lt  customHeaders gt   lt  httpProtocol gt   lt rewrite gt       lt rules gt           lt rule name  HTTP to HTTPS redirect  stopProcessing  true  gt                 lt match url          gt                 lt conditions gt                    lt add input   HTTPS   pattern  off  ignoreCase  true    gt                 lt  conditions gt                 lt action type  Redirect  redirectType  Found  url  https    HTTP HOST   R 1     gt            lt  rule gt       lt  rules gt   lt  rewrite gt    A full example file   lt  xml version  1 0  encoding  UTF-8   gt   lt configuration gt       lt system webServer gt           lt httpProtocol gt               lt customHeaders gt                   lt add name  Strict-Transport-Security  value  max-age 31536000   gt                lt  customHeaders gt           lt  httpProtocol gt           lt rewrite gt               lt rules gt                   lt rule name  HTTP to HTTPS redirect  stopProcessing  true  gt                         lt match url          gt                         lt conditions gt                            lt add input   HTTPS   pattern  off  ignoreCase  true    gt                         lt  conditions gt                         lt action type  Redirect  redirectType  Found  url  https    HTTP HOST   R 1     gt                    lt  rule gt               lt  rules gt          lt  rewrite gt      lt  system webServer gt   lt  configuration gt

User · Answer

maybe this one can help  you  that s how I did for my website  it works like a charm     protocol     SERVER  HTTP CF VISITOR     if   strstr  protocol   https         header  Location  https         SERVER  HTTP HOST       SERVER  REQUEST URI         exit

User · Answer

Had to do something like this when running behind a load balancer  Hat tip https   stackoverflow com a 16076965 766172  function isSecure         return             empty   SERVER  HTTPS     amp  amp    SERVER  HTTPS        off             SERVER  SERVER PORT      443                         empty   SERVER  HTTP X FORWARDED PROTO     amp  amp    SERVER  HTTP X FORWARDED PROTO       https                 empty   SERVER  HTTP X FORWARDED SSL       amp  amp    SERVER  HTTP X FORWARDED SSL       on                       function requireHTTPS         if   isSecure              header  Location  https         SERVER  HTTP HOST       SERVER  REQUEST URI    TRUE  301           exit

User · Answer

As an alternative  you can make use of X-Forwarded-Proto header to force a redirect to HTTPS  add these lines in the  htaccess file     Force HTTPS RewriteCond   HTTP X-Forwarded-Proto   https RewriteRule   https     HTTP HOST   REQUEST URI   L R 301

User · Answer

http   www besthostratings com articles force-ssl-htaccess html  Sometimes you may need to make sure that the user is browsing your site over securte connection  An easy to way to always redirect the user to secure connection  https     can be accomplished with a  htaccess file containing the following lines   RewriteEngine On  RewriteCond   SERVER PORT  80  RewriteRule        https   www example com  1  R L    Please  note that the  htaccess should be located in the web site main folder   In case you wish to force HTTPS for a particular folder you can use   RewriteEngine On  RewriteCond   SERVER PORT  80  RewriteCond   REQUEST URI  somefolder  RewriteRule        https   www domain com somefolder  1  R L    The  htaccess file should be placed in the folder where you need to force HTTPS

User · Answer

Use   SERVER  HTTPS   to tell if it is SSL  and redirect to the right place if not   And remember  the page that displays the form does not need to be fed via HTTPS  it s the post back URL that needs it most   Edit  yes  as is pointed out below  it s best to have the entire process in HTTPS  It s much more reassuring - I was pointing out that the post is the most critical part   Also  you need to take care that any cookies are set to be secure  so they will only be sent via SSL  The mod rewrite solution is also very nifty  I ve used it to secure a lot of applications on my own website

User · Answer

The way I ve done it before is basically like what you wrote  but doesn t have any hardcoded values   if   SERVER  HTTPS       on         header  Location  https         SERVER  HTTP HOST       SERVER  REQUEST URI         exit

User · Answer

lt  php     Require https if    SERVER  HTTPS       on          url    https        SERVER  SERVER NAME       SERVER  REQUEST URI        header  Location   url        exit      gt    That easy

User · Answer

maybe this one can help  you  that s how I did for my website  it works like a charm     protocol     SERVER  HTTP CF VISITOR     if   strstr  protocol   https         header  Location  https         SERVER  HTTP HOST       SERVER  REQUEST URI         exit

User · Answer

You shouldn t for security reasons  Especially if cookies are in play here  It leaves you wide open to cookie-based replay attacks    Either way  you should use Apache control rules to tune it   Then you can test for HTTPS being enabled and redirect as-needed where needed    You should redirect to the pay page only using a FORM POST  no get    and accesses to the page without a POST should be directed back to the other pages    This will catch the people just hot-jumping     http   joseph randomnetworks com archives 2004 07 22 redirect-to-ssl-using-apaches-htaccess   Is a good place to start  apologies for not providing more  But you really should shove everything through SSL   It s over-protective  but at least you have less worries

[php] How can I force users to access my page over HTTPS instead of HTTP?

Examples related to php

Examples related to apache

Examples related to ssl

Examples related to https