When I go to my Login page, my website cannot load captcha form on that page, because it's using HTTPS.
What changes I should add to my website to allow the captcha to load on my site when it use HTTPS ?
how to make it to work with HTTPS.
I'm using 3rd party captcha service from google. If I remove SSL, then with HTTP my website can load captcha. Also on other pages, google map cannot load too.
Typically https pages won't load http pages, because that could be a security risk. Fortunately, most 3rd party services allow both http and https access. Usually it's as simple as replacing the http in the code they provide with https. Obviously this depends on exactly which tools you are using, and some services from smaller companies aren't available over https at all.
Related
I need to simulate from within an iframe in our site, which uses https and it's loaded only once upon the authentication on our site, the authentication into another site, which only uses http.
How can I do that?
We first tried loading into the iframe a page of our site from which the login form for the remote authentication is automatically submitted with javascript. This cannot be achieved because the http request from the form is blocked by the browser for security reasons. I must clarify that if we use http in our web too, the authentication is done without problems.
I'm not sure if using file_get_contents() will do the trick, because it's not a simple static page what we need to display. We need to keep any data from the remote login (cookies, etc) in the browser so that we can access other parts of the remote web (once I've signed in) from other places of our site. As far as I know, file_get_contents doen't provide any header.
Another alternative I've also considered is curl, using CURLOPT_RETURNTRANSFER=true and CURLOPT_HEADER=true and trying to manually set any cookies I get in the header. I'm not sure if keeping the session implies more actions though.
I've a website (domain from godaddy and hosted in hostgator). As I updated the certificates, manually, I can redirect my site to https, but it is always going to http from google search. After searching online, I got to know that Considering Strict-Transport-Security: max-age=15768000 as result of curl -i -L on target domain will work for my need as it will force a browser to open the website in https. But I'm confused about how to implement this to my website.
Can anyone help me on this ?
Not sure this is right for Stack Overflow. Then again it covers so many topics that it doesn't fit nicely in any other Stack Exchange site either. So anyway will attempt to answer.
Redirects.
What do you mean "I can redirect my site to https"? You should redirect your site to https now you've gone through the hassle of setting this up so are you doing it? Or are you able to access both http and https? If so find out how to force https even if the user sets up http.
This is set up with a redirect rule on your web server. Not sure whether you have direct access to your config (e.g. .htaccess file if using Apache) or require your host provider to set this up for you.
Google search
Regarding Google Search, once you have the redirect set up, it will take some time for Google to recognise this and update the links in their search index to show the https version of the pages.
Saying that there are ways you can tell Google about this to hurry up the process:
Do you force a redirect to https? If not Google will decide which site to show (http or https) based on a number of factors.
Do you have a site map and have you updated those links to https?
Do you have a rel="canonical" setting in the HTML of any of your pages and is it set to the https version? This tells Google which is the real version of the page if, for example, you allow both http and https versions of the page (not recommended).
Have you registered the https version of your site with Google Search Console? If so are there any errors in there? You can also kick off a re-index request in here.
Have you set all internal links to be https or, better yet, relative links.
Can you update any external links to be https instead of http.
HTTP Strict Transport Security (HSTS)
This is an advanced topic so really wouldn't recommend it until you understand it more. Basically it's a HTTP Header you send back with your webpage over https to tell web browsers "hey I'm an https-only site. From now on, automatically translate any http requests to https automatically before you even send them to me".
It is a good security addition on top of redirects but crucially it does not replace the need for redirects. Redirects need to be in place first to send it to https, at which point your web server can send the HSTS HTTP Header (and which the browser will cache so it knows to change to HTTPS next time).
To set it up you send a HTTP Header like this (but only over https requests).
Strict-Transport-Security "max-age=16070400"
This can be setup in your webserver, or in your php files or any other way you can send HTTP Headers.
Be aware that this we'll prevent your site being available over http, so if you decide to turn off https for whatever reason, then you've basically blocked you're site for up to the max-age time for any browsers that have cached that setting.
For more information on HSTS see here:
301 Redirect and HSTS in .htaccess
But I really don't think that's what you are looking for here. It tells web browsers (like Google Chrome) to force https and is nothing to do with search engines (like Google Search) as, at present, they ignore this Header.
I have a site running WordPress on Apache server and I am attempting to provide both HTTP and HTTPS connections via the same site. I want to allow connections over HTTP without forcing a redirect to HTTPS, unless the client is connecting initially via HTTPS then I want all subsequent HTTP requests to be forwarded to HTTPS to avoid issues with CORS and unsecured content warnings.
I am having some trouble turning up results on how to effectively do this with mod_rewrite alone. Most solutions I find try to force the connections to redirect to HTTPS regardless and will not allow an HTTP connection or vice versa. I have tried a few mod rewrite conditions including making use of the referer string but none seem to work thus far. I must be missing something because I feel that this is indeed possible but I and my search engines alone are stumped.
Maybe I'm just doing something wrong or is this kind of functionality beyond Mod_Rewrite?
I was thinking to use a PHP script but was worried it wouldn't work for some static files since WordPress doesn't handle those requests.
Update:
I have made a php script to detect the version. It sets a cookie which expires in 20 seconds from being set, this is read by Mod_Rewrite and if set it redirects the URLs to HTTPS. This works for most of the subsequent requests of an initial HTTPS request. A few URLs seem to be unaffected by it, not sure exactly why as the cookie hasn't expired by the time of these file requests and the particular rules are before the static file bypass rules in the htaccess file. At any rate that was easy enough to fix by setting the file urls to protocol-less versions.
Some third party sites need domains rewritten though, as they serve https from other domains. On that note I don't think this is actually possible without buffering the whole page and actually re-writing the URLs.
It is possible to detect the initial connection but this must be done using Server Side code, like a PHP script. Then using the detection can be done at Mod_Rewrite level.
Add in the WordPress constraint and things get complicated.
WordPress isn't built to facilitate one install with both protocols allowing access to content. So to accomplish this would require a custom plugin using the detection mentioned earlier, and instead of using Mod_Rewrite to direct requests on the server, we have to buffer WordPress output and logically replace/rewrite URLs in the page before they go to the user if and only if the initial connection for the page is in SSL.
There is only one plugin I have found which does something similar to this, however it doesn't do dynamic detection only gives admin/editors a checkbox option to make a page SSL secured. The plugin is called WordPress HTTPS
Dynamic detection and redirection isn't something SSL was meant for anyways, it's either on or off, and most pages need it that way.
I was originally trying to provide both so I could use a self-signed certificate without worrying that users would get the "warning unsecured connection" messages from their browsers by forcing them to use only SSL connections.
So I'll be purchasing a cert or making a custom plugin.
tkausl is right, you don't really need to do mod_rewrite. You should be able to format links without the protocol and it will automagically select for you.
You can see that google does this with their hosted libraries:
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
*Note the lack of http: or https: this will follow the protocol requested by the user.
I have a page that requires SSL because of secure content being transmitted. However I have a third party embedded form on the page which posts to a third party site which does not have an SSL Installed. It works fine except that I get an annoying message by my browser.
"Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.
Are you sure you want to continue sending this information?"
Is there anyway I can get around this?
If you have no control over the third party application and they have no ssl enabled, than no
Only chance: If the third party has https enabled, you could try to modify the <form action="" attribute to use https, just after site load. But you told that they don't have.
A hacky last chance: You could serve a HTTPS proxy on your site that talks non HTTPS to the third party site. Then modifiy the form action after site load to use that proxy.
So my advices are:
Try to talk (email) to the third party and tell them about your problem. Maybe they will help.
If the first doesn't help than use my proxy attempt. Could be easily implemented in PHP. I can give an example if you want.
I have a shared SSL certificate from my web host which (for this posts sake) looks like this:
https://some-ssl-cert/mysite
Going to that link would go to my site, and display it in https:// with a green padlock.
The normal site is http://
How do I display the main login for the website as https://?
Obviously I cannot tell or redirect my users to https://some-ssl-cert/mysite so I am very confused on how to implement this.
Lastly, when I need to send sensitive information on other pages that aren't https:// would I simply send that information to https://some-ssl-cert/mysite?
So for instance, if I needed to make a secure ajax request or something would I access the .php file via https://some-ssl-cert/mysite?
How do I display the main login for the website as https://?
You need an SSL certificate for the host name used for your site. You also need your host to support it.
Lastly, when I need to send sensitive information on other pages that aren't https:// would I simply send that information to https://some-ssl-cert/mysite?
If you need to send sensitive information, then you need to do it over HTTPS. If you are using plain HTTP then you need to redirect to the HTTPS site.
So for instance, if I needed to make a secure ajax request or something would I access the .php file via https://some-ssl-cert/mysite?
The entire webpage needs to be served over HTTPS. Otherwise:
It will be a cross-origin request and the ajax will fail (CORS/JSONP/et al excepted)
The non-secured page could be interfered with (e.g. JS added that would steal the securely acquired data).