XF 1.4 Disable HTTP and force HTTPS?

[MarkMark]

I run everything through HTTPS, but users can in theory still access the site through HTTP if they change the URL. Is there anyway to disable HTTP altogether and redirect to HTTPS, or would I have to do it through htaccess?

 

[rugk]

Well... you have to make a redirect from HTTP to HTTPS (preferable a 302 redirect), which covers the whole site.,
This can be done in the config of your webserver. For Apache you can e.g. add this to your .htaccess (or any other config file if you run a root server):

RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://www.XXXX.de/$1 [L,R=301]

(of course replace the domain with the domain you want to redirect to)

Additionally you can send a specific header, HSTS, which forces the clients (aka browsers) to directly connect to the HTTPS version of your site even if they receive a HTTP link (or something which tries to access to your site) later. An example for Apache to do this is this:

Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"

Attention: Please note that the number of max-age parameter are seconds. 15768000 seconds are a half year. This is a recommend value, but please note that you have to offer HTTPS in this time. Otherwise your user see an error and can't connect to the side.
However you can change the time (may-age) at any time and e.g. set it to 0. All clients which receive the new header (over HTTPS of course) will update the time. And if it's set to 0 you can later remove the support for HTTPS if you really plan to do so.

 

[Chromaniac]

Yup. Be very careful with this switch. I enabled HSTS and it was hell after I decided to switch back to HTTP.
Only make this change if you are sure that you are going to remain HTTPS permanently. Or at least keep HTTPS as an option because links shared with HTTPS would require the SSL certificate to be available for ever.

 

[rugk]

Yes that's the reason why I added the "attention" part.

 

[MarkMark]

Yeah, I've decided against it. Due to the nature of the site we'd always use SSL, but at the same time if someone really wants to force the page into loading via http, so be it.

 

[rugk]

if someone really wants to force the page into loading via http, so be it.

If it's the user who does so then that's of course okay. (Although there may be users who don't even know you offer HTTPS, because they e.g. came to the site with a HTTP link)
But there is another problem: If it aren't your users which choose to use HTTP this is a potentially attack. It's called SSL Stripping and it's basically that an MITM-attacker serves the user a HTTP page while he accesses the (HTTP or) HTTPS page on the website. HSTS prevents this attack, because a client is (after the first visit) forced to connect with HSTS to the website.