Enter HTTPS


In their effort to improve security on the web, Google has for some time now been steadily pushing their “HTTPS everywhere” initiative. Besides providing better security for end users by encrypting all traffic between server and browser, HTTPS will most likely be used as a ranking signal. Another interesting fact is that starting from January 2017, Chrome will use an icon in the address bar to mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure. We can assume that other browsers will adopt this behaviour in the future.

In this blog post, we will cover basic configuration required to run your Magento shop over HTTPS and we will look at some common pitfalls and gotchas.

HTTPS everywhere

Configuring site-wide HTTPS in Magento is easy enough. Assuming that your server is configured properly and that you have a valid SSL certificate, all you have to do is change a few configuration parameters. In System > Configuration > Web, update your Unsecure Base URL to start with https, e.g. https://www.example.com/. Additionally, under the Secure tab, set both Use Secure URLs in Frontend and Use Secure URLs in Admin to Yes.

This covers the basic configuration required to enable site-wide HTTPS but, as usual, things are never so simple. Let’s take a look at some common issues that can happen once site-wide HTTPS is enabled and how to resolve them.

Redirects

Depending on your configuration, you might face an issue where all your old HTTP links are redirected to the HTTPS homepage.

Example:

http://www.example.com/some-product.html redirects to https://www.example.com/, which is not correct. The expected result is a redirect to https://www.example.com/some-product.html.

To prevent redirecting to the home page, set Auto-redirect to Base URL to No. This option is also located in the System > Configuration > Web section. Disabling Auto-redirect, however, introduces another problem: now both the www and non-www variations of your site will be available. This can be fixed with a redirect rule on your web server.

RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^ https://www.example.com%{REQUEST_URI} [NE,L,R=301]

The example given is for the Apache web server. What it does is force both HTTPS and www for all incoming requests.

Mixed content

Another common issue is when static content, most commonly images, CSS and JavaScript, is hardcoded to load over the http protocol. This will cause your browser to issue a mixed content / insecure page warning. To fix this, you will have to review your templates, layouts, static blocks, CMS pages, etc. and update any static content to load over HTTPS. Alternatively, you can use protocol-relative URLs.

For example: //www.example.com/skin/frontend/rwd/default/images/media/logo.png
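To make that review less manual, here is an added example (not code from the post or from Magento) that scans template or CMS markup for sub-resource references hardcoded to http://, which are the ones that trigger the mixed content warning, and rewrites them to the protocol-relative form suggested above. The markup in SAMPLE_MARKUP is constructed for the example; it only looks at src attributes, stylesheet link hrefs and CSS url() values, and deliberately leaves ordinary <a href="http://..."> navigation links alone, since those do not cause mixed content.

```python
"""Find and fix http:// asset references that cause mixed content on an HTTPS page.

Added example code, not part of the original post or of Magento.
"""
import re
from typing import List

# Each pattern captures everything up to the scheme in "pre" and the remainder
# of the URL in "url", so a rewrite can drop "http:" and keep the rest intact.
PATTERNS = [
    # <img src="http://...">, <script src="http://...">, <iframe src="http://...">
    re.compile(r'''(?P<pre>\bsrc=["'])http://(?P<url>[^"'\s>]+)''', re.IGNORECASE),
    # <link rel="stylesheet" href="http://..."> (only <link>, not <a>)
    re.compile(r'''(?P<pre><link\b[^>]*?\bhref=["'])http://(?P<url>[^"'\s>]+)''', re.IGNORECASE),
    # inline CSS such as style="background: url(http://...)"
    re.compile(r'''(?P<pre>url\(["']?)http://(?P<url>[^"')\s]+)''', re.IGNORECASE),
]


def find_mixed_content(markup: str) -> List[str]:
    """Return every http:// sub-resource URL that would load insecurely."""
    found = []
    for pattern in PATTERNS:
        for match in pattern.finditer(markup):
            found.append("http://" + match.group("url"))
    return found


def make_protocol_relative(markup: str) -> str:
    """Rewrite the flagged references to //host/path so they follow the page scheme."""
    for pattern in PATTERNS:
        markup = pattern.sub(lambda m: m.group("pre") + "//" + m.group("url"), markup)
    return markup


# Constructed sample markup, modelled on a Magento RWD theme layout.
SAMPLE_MARKUP = """
<link rel="stylesheet" href="http://www.example.com/skin/frontend/rwd/default/css/styles.css">
<img src="http://www.example.com/skin/frontend/rwd/default/images/media/logo.png" alt="logo">
<script src="https://www.example.com/js/app.js"></script>
<a href="http://www.example.com/about">About</a>
<div style="background: url(http://www.example.com/media/bg.jpg)"></div>
"""

if __name__ == "__main__":
    for url in find_mixed_content(SAMPLE_MARKUP):
        print("mixed content:", url)
    print(make_protocol_relative(SAMPLE_MARKUP))
```

Running it on the sample lists three insecure asset URLs (the logo, the stylesheet and the background image); the https script and the plain navigation link are left untouched, and a second scan of the rewritten markup finds nothing.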

Magento EE

If you are planning to run site-wide HTTPS and are using Magento EE, make sure you are on version 1.14.1 or later, since in prior versions full page cache was disabled when on HTTPS.

HTTPS on CDN

Serving static content via a CDN over HTTPS may result in additional expense, in case you have to purchase additional SSL certificate(s) for your CDN subdomains. Your CDN provider may also charge you for installing the SSL certificate. There are also some free options available, which vary depending on the CDN provider, but none of them are ideal. Something to keep in mind when adopting site-wide HTTPS.

And with this we will conclude today's blog post. If you have already adopted site-wide HTTPS and faced issues similar to these ones, or some not mentioned in this blog post, let us know in the comments section.

Happy browsing and may the SSL be with you.


About Sasa Brankovic

Backend Developer

Sasa is Certified Magento Developer who loves to play 90s era FPS and RTS games and ride his MTB.


1 comment

  1. Nice article overall. Please note, however, that disabling the `Auto-Redirect to Base URL` config option can be potentially dangerous. If your Magento install is located in the ‘default’ VirtualHost it may potentially be possible to poison your block and/or page cache with links to another domain or even XSS.

    I’d recommend either leaving the Auto-Redirect option on (the proposed mod_rewrite rules are processed first anyway, so you shouldn’t lose valid ‘link-juice’) or making the RewriteCond more specific so the only HTTP_HOST that can hit Magento is the correct domain:

    RewriteCond %{HTTPS} off [OR]
    RewriteCond %{HTTP_HOST} !^www\.example\.com$
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [NE,L,R=301]

    Some information on HSTS would also be a nice addition or follow up article.
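The post's rewrite rule (Redirects section) and the stricter variant in the comment above differ only in the Host check. The following added example, which is neither the post's nor Magento's code, models both rule sets in Python so the difference can be checked offline: it evaluates the two RewriteConds (joined with [OR]) and the RewriteRule for a given scheme, Host header and request URI and returns the 301 target, or None when the request is passed through to Magento. The canonical host www.example.com and the sample hostnames are constructed for the example.

```python
"""Offline model of the two mod_rewrite rule sets discussed on this page.

Added example code, not from the post, the commenter or Magento. It shows
which Host headers each rule set lets through to Magento over HTTPS.
"""
import re
from typing import List, Optional

CANONICAL_HOST = "www.example.com"  # assumption: the shop's canonical host

# Post's rule:     RewriteCond %{HTTP_HOST} !^www\.
LOOSE_HOST_OK = re.compile(r"^www\.")
# Comment's rule:  RewriteCond %{HTTP_HOST} !^www\.example\.com$
STRICT_HOST_OK = re.compile(r"^www\.example\.com$")


def redirect_target(https_on: bool, http_host: str, request_uri: str,
                    strict: bool = False) -> Optional[str]:
    """Return the Location the rule set would send with a 301, or None if the
    request reaches Magento untouched.

    RewriteCond %{HTTPS} off [OR] RewriteCond %{HTTP_HOST} !<host pattern>:
    redirect when the connection is plain HTTP, or when the Host header
    fails the host check. The RewriteRule keeps %{REQUEST_URI} as-is (NE).
    """
    host_pattern = STRICT_HOST_OK if strict else LOOSE_HOST_OK
    host_ok = host_pattern.match(http_host) is not None
    if not https_on or not host_ok:
        return f"https://{CANONICAL_HOST}{request_uri}"
    return None


def passthrough_hosts(hosts: List[str], strict: bool) -> List[str]:
    """Hosts that are served by Magento over HTTPS without being redirected.

    With Auto-redirect to Base URL set to No, Magento will happily serve a
    request for any host in this list, which is the concern the comment raises.
    """
    return [h for h in hosts if redirect_target(True, h, "/", strict) is None]


if __name__ == "__main__":
    # Constructed sample Host headers hitting the default VirtualHost.
    sample_hosts = ["www.example.com", "example.com", "www.other-domain.example"]
    print("path preserved:", redirect_target(False, "www.example.com", "/some-product.html"))
    print("loose rule lets through: ", passthrough_hosts(sample_hosts, strict=False))
    print("strict rule lets through:", passthrough_hosts(sample_hosts, strict=True))
```

The first call confirms the behaviour the Redirects section wants: http://www.example.com/some-product.html becomes https://www.example.com/some-product.html rather than the homepage. The two passthrough lists show why the comment's anchored pattern is the safer choice: the loose !^www\. condition lets any Host header beginning with www. through to Magento, whereas !^www\.example\.com$ lets only the canonical host through and redirects everything else to it.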
