Enter HTTPS

In their effort to improve security on the web, Google has for some time been steadily pushing its “HTTPS everywhere” initiative. Besides providing better security for end users by encrypting all traffic between server and browser, HTTPS will most likely be used as a ranking signal. Another interesting fact is that, starting from January 2017, Chrome will use an icon in the address bar to mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure. We can assume that other browsers will adopt this behaviour in the future.

In this blog post, we will cover the basic configuration required to run your Magento shop over HTTPS and look at some common pitfalls and gotchas.

HTTPS everywhere

Configuring site-wide HTTPS in Magento is easy enough. Assuming that your server is configured properly and that you have a valid SSL certificate, all you have to do is change a few configuration parameters. In System > Configuration > Web, update your Unsecure Base URL to start with https, e.g. https://www.example.com/. Additionally, under the Secure tab, set both Use Secure URLs in Frontend and Use Secure URLs in Admin to Yes.

This covers the basic configuration required to enable site-wide HTTPS but, as usual, things are never so simple. Let’s take a look at some common issues that can happen once site-wide HTTPS is enabled and how to resolve them.

Redirects

Depending on your configuration, you might face an issue where all your old HTTP links are redirected to the HTTPS homepage.

Example:

http://www.example.com/some-product.html redirects to https://www.example.com/, which is not correct. The expected result is a redirect to https://www.example.com/some-product.html.

To prevent redirecting to the home page, set Auto-redirect to Base URL to No. This option is also located in the System > Configuration > Web section. Disabling Auto-redirect, however, introduces another problem: now both www and non-www variations of your site will be available. This can be fixed with a redirect rule on your web server.

RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^ https://www.example.com%{REQUEST_URI} [NE,L,R=301]

The example given is for the Apache web server. It forces both HTTPS and www for all incoming requests.

Mixed content

Another common issue is static content, most commonly images, CSS and JavaScript, that is hardcoded to load over HTTP. This will cause the browser to issue a mixed content / insecure page warning. To fix this, you will have to review your templates, layouts, static blocks, CMS pages, etc. and update any static content to load over HTTPS. Alternatively, you can use protocol-relative URLs.

For example: //www.example.com/skin/frontend/rwd/default/images/media/logo.png
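As an added example (not code from the original post), a small Python scanner that finds hardcoded http:// asset references in template or CMS content and can rewrite them to the protocol-relative form above. The template fragment is constructed; the allowed_hosts filter is an assumption so that third-party hosts that may not serve HTTPS are left for manual review.

```python
import re

# Matches src/href attributes and CSS url() values whose URL hard-codes http://
ASSET_REF = re.compile(
    r'(?P<prefix>\b(?:src|href)\s*=\s*["\']|url\(\s*["\']?)'
    r'http://(?P<rest>[^"\')\s>]+)',
    re.IGNORECASE,
)

def find_insecure_refs(content):
    """Return (line_number, url) for every hard-coded http:// asset reference."""
    hits = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for m in ASSET_REF.finditer(line):
            hits.append((lineno, "http://" + m.group("rest")))
    return hits

def make_protocol_relative(content, allowed_hosts=None):
    """Rewrite http:// asset references to protocol-relative form (//host/path).
    If allowed_hosts is given (assumed helper), only those hosts are rewritten;
    other hosts are left untouched so they can be checked for HTTPS support."""
    def repl(m):
        rest = m.group("rest")
        host = rest.split("/", 1)[0].lower()
        if allowed_hosts is not None and host not in allowed_hosts:
            return m.group(0)
        return m.group("prefix") + "//" + rest
    return ASSET_REF.sub(repl, content)

# Constructed sample: a template fragment mixing http and https references.
SAMPLE_TEMPLATE = """<img src="http://www.example.com/skin/frontend/rwd/default/images/media/logo.png" alt="logo">
<link rel="stylesheet" href="https://www.example.com/skin/frontend/rwd/default/css/styles.css">
<script src="http://cdn.example.net/js/tracker.js"></script>
<div style="background: url('http://www.example.com/media/banner.jpg')"></div>
"""

if __name__ == "__main__":
    for lineno, url in find_insecure_refs(SAMPLE_TEMPLATE):
        print(f"line {lineno}: {url}")
    print(make_protocol_relative(SAMPLE_TEMPLATE, allowed_hosts={"www.example.com"}))
```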

Magento EE

If you are planning to run site-wide HTTPS and are using Magento EE, make sure you are on version 1.14.1 or later, since in prior versions the full page cache was disabled on HTTPS.

HTTPS on CDN

Serving static content via a CDN over HTTPS may result in additional expense, in case you have to purchase additional SSL certificate(s) for your CDN subdomains. Your CDN provider may also charge you for installing the SSL certificate. There are also some free options available, which vary depending on the CDN provider, but none of them are ideal. This is something to keep in mind when adopting site-wide HTTPS.

And with this we will conclude today's blog post. If you have already adopted site-wide HTTPS and faced issues similar to these, or some not mentioned in this blog post, let us know in the comments section.

Happy browsing and may the SSL be with you.

4 comments

  1. I am using following code

    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} !^/healthy-library

    # First rewrite to HTTPS:
    # Don’t put www. here. If it is already there it will be included, if not
    # the subsequent rule will catch it.
    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Now, rewrite any request to the wrong domain to use www.
    # [NC] is a case-insensitive match
    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteCond %{REQUEST_URI} !^/healthy-library
    RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    I want to skip the HTTPS redirect for this url http://www.sitename.com/healthy-library. Using the above code, it redirects to https://www.sitename.com/index.php

    Any thoughts what could be wrong here?

  3. Nice article overall. Please note, however, that disabling the `Auto-Redirect to Base URL` config option can be potentially dangerous. If your Magento install is located in the ‘default’ VirtualHost it may potentially be possible to poison your block and/or page cache with links to another domain or even XSS.

    I’d recommend either leaving the Auto-Redirect option on (the proposed mod_rewrite rules are processed first anyway, so you shouldn’t lose valid ‘link-juice’) or making the RewriteCond more specific so the only HTTP_HOST that can hit Magento is the correct domain:

    RewriteCond %{HTTPS} off [OR]
    RewriteCond %{HTTP_HOST} !^www\.example\.com$
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [NE,L,R=301]

    Some information on HSTS would also be a nice addition or follow up article.
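As an added illustration of the point made in this comment (not code from the post or its author), a simplified Python model of the two rule sets: the post's rule only requires HTTP_HOST to begin with "www.", while the comment's rule requires the exact canonical host. The model collapses the two RewriteConds into one check with the same [OR] semantics; the request list is constructed.

```python
import re

# Host conditions from the two rule sets. A request is redirected when HTTPS is
# off OR the host condition does NOT match, mirroring the [OR] RewriteConds.
LOOSE_HOST = re.compile(r"^www\.")                 # rule in the post
STRICT_HOST = re.compile(r"^www\.example\.com$")   # rule in the comment
CANONICAL = "https://www.example.com"

def apply_rules(host_pattern, https_on, http_host, request_uri):
    """Return the 301 Location the rules would send, or None when the request
    passes through to Magento with the Host header as received."""
    if not https_on or not host_pattern.search(http_host):
        return CANONICAL + request_uri
    return None

# Constructed requests: (HTTPS on?, HTTP_HOST, REQUEST_URI)
REQUESTS = [
    (False, "example.com", "/some-product.html"),
    (True, "www.example.com", "/some-product.html"),
    (True, "www.not-our-shop.test", "/some-product.html"),
    (True, "example.com", "/"),
]

def hosts_reaching_magento(host_pattern):
    """Host values that Magento would see (and build links from) under a rule set."""
    return [host for https_on, host, uri in REQUESTS
            if apply_rules(host_pattern, https_on, host, uri) is None]

if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE_HOST), ("strict", STRICT_HOST)):
        print(f"{name}: Magento sees Host = {hosts_reaching_magento(pattern)}")
```

With the loose rule, any Host beginning with "www." reaches Magento, which is exactly the case the comment warns about once Auto-redirect is disabled; the strict rule leaves only the canonical host.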
