Using https if not redirect to https - php

I am doing a project for my PHP class. It is required to check if the user is using https protocol if not, the user should be redirected to https. I found a this topic talking about it in here, and I implemented the code exactly at the beginning of my page. However, when I run the page, it tells me that my connection is not correct. I do not know if I implemented something wrong.

Click advanced -> continue anyway.
You will connect & hopefully your web server redirects you to the HTTPS version.
A lot of modern browsers are starting to do this to sites that don't have SSL chrome & firefox both warn iirc.
Or it's a self signed certificate in which case all modern browsers will warn you.

Related

How to implement HSTS in my website

I've a website (domain from godaddy and hosted in hostgator). As I updated the certificates, manually, I can redirect my site to https, but it is always going to http from google search. After searching online, I got to know that Considering Strict-Transport-Security: max-age=15768000 as result of curl -i -L on target domain will work for my need as it will force a browser to open the website in https. But I'm confused about how to implement this to my website.
Can anyone help me on this ?
Not sure this is right for Stack Overflow. Then again it covers so many topics that it doesn't fit nicely in any other Stack Exchange site either. So anyway will attempt to answer.
Redirects.
What do you mean "I can redirect my site to https"? You should redirect your site to https now you've gone through the hassle of setting this up so are you doing it? Or are you able to access both http and https? If so find out how to force https even if the user sets up http.
This is set up with a redirect rule on your web server. Not sure whether you have direct access to your config (e.g. .htaccess file if using Apache) or require your host provider to set this up for you.
Google search
Regarding Google Search, once you have the redirect set up, it will take some time for Google to recognise this and update the links in their search index to show the https version of the pages.
Saying that there are ways you can tell Google about this to hurry up the process:
Do you force a redirect to https? If not Google will decide which site to show (http or https) based on a number of factors.
Do you have a site map and have you updated those links to https?
Do you have a rel="canonical" setting in the HTML of any of your pages and is it set to the https version? This tells Google which is the real version of the page if, for example, you allow both http and https versions of the page (not recommended).
Have you registered the https version of your site with Google Search Console? If so are there any errors in there? You can also kick off a re-index request in here.
Have you set all internal links to be https or, better yet, relative links.
Can you update any external links to be https instead of http.
HTTP Strict Transport Security (HSTS)
This is an advanced topic so really wouldn't recommend it until you understand it more. Basically it's a HTTP Header you send back with your webpage over https to tell web browsers "hey I'm an https-only site. From now on, automatically translate any http requests to https automatically before you even send them to me".
It is a good security addition on top of redirects but crucially it does not replace the need for redirects. Redirects need to be in place first to send it to https, at which point your web server can send the HSTS HTTP Header (and which the browser will cache so it knows to change to HTTPS next time).
To set it up you send a HTTP Header like this (but only over https requests).
Strict-Transport-Security "max-age=16070400"
This can be setup in your webserver, or in your php files or any other way you can send HTTP Headers.
Be aware that this we'll prevent your site being available over http, so if you decide to turn off https for whatever reason, then you've basically blocked you're site for up to the max-age time for any browsers that have cached that setting.
For more information on HSTS see here:
301 Redirect and HSTS in .htaccess
But I really don't think that's what you are looking for here. It tells web browsers (like Google Chrome) to force https and is nothing to do with search engines (like Google Search) as, at present, they ignore this Header.

Upgrade to HTTPs if browser supports HTTPs

What is the best way to tell client browser to redirect to HTTPs page if and only if the browser support HTTPs protocol. That's mean that people still can access by using HTTP, but we enforce any user which browser that support HTTPs to use HTTPs.
FAQ
There is no clear motive to do such thing.
Currently, we force all of our user to use HTTPs. If they access to HTTP, they will redirect to HTTPs. The reason that we use HTTPs because it support "HTML5 Push Notification". This feature helps us retent our reader.
However, we also want to submit our website to Facebook Internet.org project which require us to functional without HTTP.
First of all, I don't think this question is actually related to PHP, it seems more like a Server Fault question. But anyway:
There is no clear motive to do such thing.
The only reason why you should imply users won't be able to open HTTPS requests are either because your server isn't SSL/TSL certificated or the certificate is invalid/outdated.
But even so, your client should access the content anyway, given browser's alerts and restrictions, individual to each vendor settings. Both HTTP protocol modes, secure or not, are available unless you set your server to deny the non-secure one after the SSL/TSL implementation, as answered here.
Unless we are talking about extremely old browsers, and by that I mean MS-DOS old, since Netscape released the protocol in Feb/95.

Directing HTTP requests to HTTPS if initial connection is HTTPS but not if it is HTTP

I have a site running WordPress on Apache server and I am attempting to provide both HTTP and HTTPS connections via the same site. I want to allow connections over HTTP without forcing a redirect to HTTPS, unless the client is connecting initially via HTTPS then I want all subsequent HTTP requests to be forwarded to HTTPS to avoid issues with CORS and unsecured content warnings.
I am having some trouble turning up results on how to effectively do this with mod_rewrite alone. Most solutions I find try to force the connections to redirect to HTTPS regardless and will not allow an HTTP connection or vice versa. I have tried a few mod rewrite conditions including making use of the referer string but none seem to work thus far. I must be missing something because I feel that this is indeed possible but I and my search engines alone are stumped.
Maybe I'm just doing something wrong or is this kind of functionality beyond Mod_Rewrite?
I was thinking to use a PHP script but was worried it wouldn't work for some static files since WordPress doesn't handle those requests.
Update:
I have made a php script to detect the version. It sets a cookie which expires in 20 seconds from being set, this is read by Mod_Rewrite and if set it redirects the URLs to HTTPS. This works for most of the subsequent requests of an initial HTTPS request. A few URLs seem to be unaffected by it, not sure exactly why as the cookie hasn't expired by the time of these file requests and the particular rules are before the static file bypass rules in the htaccess file. At any rate that was easy enough to fix by setting the file urls to protocol-less versions.
Some third party sites need domains rewritten though, as they serve https from other domains. On that note I don't think this is actually possible without buffering the whole page and actually re-writing the URLs.
It is possible to detect the initial connection but this must be done using Server Side code, like a PHP script. Then using the detection can be done at Mod_Rewrite level.
Add in the WordPress constraint and things get complicated.
WordPress isn't built to facilitate one install with both protocols allowing access to content. So to accomplish this would require a custom plugin using the detection mentioned earlier, and instead of using Mod_Rewrite to direct requests on the server, we have to buffer WordPress output and logically replace/rewrite URLs in the page before they go to the user if and only if the initial connection for the page is in SSL.
There is only one plugin I have found which does something similar to this, however it doesn't do dynamic detection only gives admin/editors a checkbox option to make a page SSL secured. The plugin is called WordPress HTTPS
Dynamic detection and redirection isn't something SSL was meant for anyways, it's either on or off, and most pages need it that way.
I was originally trying to provide both so I could use a self-signed certificate without worrying that users would get the "warning unsecured connection" messages from their browsers by forcing them to use only SSL connections.
So I'll be purchasing a cert or making a custom plugin.
tkausl is right, you don't really need to do mod_rewrite. You should be able to format links without the protocol and it will automagically select for you.
You can see that google does this with their hosted libraries:
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
*Note the lack of http: or https: this will follow the protocol requested by the user.

Can we detect if a root CA certificate is installed?

Is this possible with JavaScript or PHP? I want to be able to detect if my private CA is installed on the user's iOS or Android device. From there I can decide whether to provide instructions for installation or not. I've been "googlin" and haven't found anything useful. Has anyone tried this before? I want to find out what I should spend my time learning. If it's not possible, could you suggest an in browser alternative?
EDIT : I don't have a choice here and it's not my decision. A private CA certificate is going to be used for other security reasons.
I doubt there will be any sort of device query to test this.
I haven't actually done this, but you could probably come up with a test where the JavaScript makes an AJAX request to an https server that uses the certificate you want to test for. If the request succeeds, then the certificate is working. (This question seems to imply that AJAX requests will (correctly) fail if the SSL certificate doens't validate)
Note that, because the scheme (http or https) of the URL will be different (and maybe the domain depending on how you set this up), your test site will have to use the CORS Access-Control-Allow-Origin header to allow the browser to make the request. See: AJAX calls to untrusted (self-signed) HTTPS fail silently
EDIT:
I had some time and put together a very simple example. Goto http://ssl_test.gjp.cc . That page will attempt to make an AJAX request to https://ssl_test2.gjp.cc, which uses a self-signed certificate. Before you trusted ssl_test2, you will see "Failed" on the ssl_test page, however once you trust the certificate for ssl_test2, you should always see "Success" on ssl_test.
Note that this doesn't prove that your user has the CA cert installed - all it proves is that they have configured their browser to trust the test site (ssl_test2). If you never directly point the user to the test site, then they will never have the chance to trust only that site, so this should work reasonably well.
Maybe this will help :
<img src="https://the_site/the_image" onerror="redirectToCertPage()" />

What is https and SSL? How do they work? How can they be used in PHP?

I know the general definition but I need more details on how to implement them in general and PHP in specific, and what exactly are the features I gain from them?
SSL stands for "Secure Socket Layer", and it's a method of encrypted HTTP communication (among other things). It encrypts the traffic between a web browser and a server, making it possible to send secure data without fear of eavesdropping.
SSL is a web-server level technology, and has nothing to do with PHP. You can enable any web server with SSL, whether it has PHP on it or not, and you don't have to write any special PHP code in order to make your PHP pages show up over SSL.
There are many, many guides to be found on the internet about how to set up SSL for whatever webserver you might be using. It's a broad subject. You could start here for Apache.
some webservers are configured to mirror the whole site, so you can get every page over http or https, depending on what you prefer, or how the webbrowser sends them around. https is secure, but a bit slower and it puts more strain on your hardware.
so you might implement your site and shop as usual, but decide to put everything from the cart to the checkout, payment and so on under https. to accomplish this, all links to the shopping cart are absolute and prefixed with https:// instead of http://. now, if people click on the shopping cart icon, they're transfered to the secure version, and because all links from there on are relative again, they stay there.
but! they might replace the https with http manually, or go on the unencrypted version using a malicious link, etc.
in this case, you probably might want to check if your script was called over https (_SERVER["SERVER_PROTOCOL"], afaik), and deny the execution if not (good practice). or issue a redirect to the secure site.
on a side note: https is not using ssl exclusivley anymore, tls (the successor to ssl, see rfc2818) is more modern
rule of thumb: users should have the choice if they want http or https in noncritical environments, but forced to use https on the critical parts of your site (login/cart/payment/...) to prevent malicious attacks.

Categories