


Force HTTPS on all pages in the frontend, not just Checkout/Account


10

In the backend, I've enabled Use Secure URLs in the Frontend. But users can still visit my site through non-secure URLs, except for checkout/account pages.

I want to force secure URLs on all pages. What I do right now is change the unsecure base URL to "https://...."

It seems to be working. If users use HTTP, they'll be redirected to HTTPS. But I wonder if this is the correct way to do it. Any side effects?

frontend ssl https base-url

edited Jul 12 '17 at 15:27
Rafael Corrêa Gomes

asked Jun 8 '15 at 19:47
Shawn

  • I've heard that the correct way is to override the secure route in config.xml

    – user2857
    Jun 8 '15 at 20:15










5 Answers
0

Most approaches on .htaccess would redirect most pages to home when accessed via http.

Example:
http://www.mystore.com/productA.html => http://www.mystore.com/

instead of https://www.mystore.com/productA.html

I solved it with the following .htaccess rewrite (Apache only, of course):

    #Force SSL
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

See source.






15

The default answer is: set the unsecure base URL to https://
Depending on your setup, this is already enough for a redirect if users try to use http://

Maybe a redirect at the webserver level is better, as it avoids requests going through PHP first.

And if you want the real, perfectly secure solution, you should add your website on https://hstspreload.appspot.com/ .
But be careful with this: if you need to change your certificate, this can cause big problems. Let your hoster take care of this part.

edited May 10 '18 at 5:30
Vivek Kumar

answered Jun 8 '15 at 21:52
Flyingmana

  • Why change the certificate? HSTS "only" makes the browser access the page only via HTTPS from now on. I made a module for this: github.com/ikonoshirt/StrictTransportSecurity

    – Fabian Blechschmidt
    Jun 8 '15 at 21:56

  • 1

    Maybe I mixed this up a bit with certificate pinning. Thought the preloading would also contain a fingerprint for the certificate.

    – Flyingmana
    Jun 8 '15 at 22:20

  • 2

    @Flyingmana: If you look at the actual HSTS preload list in the Chromium source, the vast majority of entries don't contain a certificate fingerprint or anything of the sort, just the domain name.

    – Leigh Brenecki
    Jun 9 '15 at 0:18
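
The web-server-level redirect and the HSTS header discussed in this answer and its comments could look like the following Apache virtual-host configuration. This is an added example, not code from the answer or from Magento; shop.example.com and the certificate paths are placeholders, and mod_alias, mod_ssl and mod_headers are assumed to be loaded.

```apache
# Added example. shop.example.com and the certificate paths are placeholders.

<VirtualHost *:80>
    ServerName shop.example.com
    # Redirect at the web-server level: mod_alias answers before PHP or
    # Magento is involved, and the request path is carried over.
    Redirect permanent / https://shop.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/fullchain.pem
    SSLCertificateKeyFile /path/to/privkey.pem

    # Browsers ignore HSTS received over plain HTTP, so it is set only here.
    # The header names no certificate: renewing or replacing the certificate
    # does not invalidate it. What it commits to is HTTPS for max-age seconds.

    # Stage 1: short lifetime while checking that every page, script and
    # stylesheet loads over HTTPS.
    Header always set Strict-Transport-Security "max-age=300"

    # Stage 2: replace the line above with this one only when the domain and
    # all of its subdomains are HTTPS-only. Preload submission expects a
    # max-age of at least one year plus both extra directives.
    # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
```

Removal from a browser preload list takes much longer than submission, so the stage 2 header is a long-term commitment for every subdomain.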













4

You can do this with .htaccess in Apache. Use these lines:

    ############################ Force SSL ############################
    RewriteCond %{HTTP_HOST} !^localhost$
    RewriteCond %{HTTP:X-Forwarded-Proto} =http
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    ############################ Force SSL ############################

answered Jun 8 '15 at 19:50
Beachhouse
























2

I have tried the previous solutions and even though they seemed to work they locked me out of the admin panel (I don't completely understand the reason).

To get into the admin panel again I had to get into phpMyAdmin, go to the database table core_config_data and change both paths (web/secure/use_in_adminhtml and web/unsecure/base_url) to get back into the admin panel again. And don't forget to clear out the cache folder if you have to make edits in the database...

So I applied the following .htaccess solution instead, which let me log in to admin as well:

    # AFTER THIS SECTION
    ############################################
    ## workaround for HTTP authorization
    ## in CGI environment
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # PUT THIS
    ############# ALL PAGES HTTPS #################
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} !/admin/
    RewriteCond %{REQUEST_URI} !/downloader/
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    ############# ALL PAGES HTTPS #################

Hope it helps someone

edited Feb 9 '17 at 19:09
Community

answered Oct 19 '16 at 11:25
GiorgosK
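
The answers on this page detect a plain-HTTP request in two different ways, with %{HTTPS} off and with X-Forwarded-Proto =http, and each test fails in the deployment the other was written for. The following .htaccess block is an added example, not code from any of the answers, that combines both tests; shop.example.com is a placeholder, and any front proxy is assumed to overwrite X-Forwarded-Proto on every request.

```apache
# Added example. shop.example.com is a placeholder for the canonical host.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Treat a request as insecure only when BOTH hold:
    #   1. the connection that reached Apache is not TLS, and
    #   2. no front proxy reported that the client itself used HTTPS.
    #
    # Test 1 alone loops forever behind a TLS-terminating proxy or load
    # balancer, because the proxy-to-Apache hop is always plain HTTP.
    # Test 2 written as "=http" alone never matches when no proxy sets the
    # header, so direct HTTP visitors are not redirected at all.
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP:X-Forwarded-Proto} !=https

    # No path is exempted: admin and downloader logins carry credentials
    # and session cookies, so they need HTTPS at least as much as checkout.
    #
    # The target uses a fixed host instead of %{HTTP_HOST}, so the redirect
    # never echoes a Host header chosen by the client.
    #
    # Browsers cache 301 responses; test with R=302 and switch to 301 once
    # the behaviour is confirmed.
    RewriteRule ^ https://shop.example.com%{REQUEST_URI} [L,R=301]
</IfModule>

# If Apache terminates TLS itself and nothing sits in front of it, drop the
# X-Forwarded-Proto condition: without a proxy to overwrite it, the header
# is whatever the client sent.
```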
























                        2














                        For anyone stumbling across this (like I did)



                        Don't use htaccess. Under admin go Stores -> General -> Web and change -> Use Secure URLs on Storefront -> Yes and Use Secure URLs in Admin -> Yes



                        There's no need to edit any files.






                        share|improve this answer



























                        • Whoa, good timing. answered yesterday. I believe this should be the answer... at least, it is forcing https on frontend and admin for me without touching apache. The currently selected answer enables HTTPS, but this answer "forces" https.

                          – Joe Fletcher
                          Dec 23 '17 at 0:03






                        • 1





                          This is exactly what the questioner said their tried and that it didn't work

                          – Dom
                          Sep 4 '18 at 14:46















                        2














                        For anyone stumbling across this (like I did)



                        Don't use htaccess. Under admin go Stores -> General -> Web and change -> Use Secure URLs on Storefront -> Yes and Use Secure URLs in Admin -> Yes



                        There's no need to edit any files.






                        share|improve this answer



























                        • Whoa, good timing. answered yesterday. I believe this should be the answer... at least, it is forcing https on frontend and admin for me without touching apache. The currently selected answer enables HTTPS, but this answer "forces" https.

                          – Joe Fletcher
                          Dec 23 '17 at 0:03






                        • 1





                          This is exactly what the questioner said their tried and that it didn't work

                          – Dom
                          Sep 4 '18 at 14:46













                        2












                        2








                        2







                        For anyone stumbling across this (like I did)



                        Don't use htaccess. Under admin go Stores -> General -> Web and change -> Use Secure URLs on Storefront -> Yes and Use Secure URLs in Admin -> Yes



                        There's no need to edit any files.






                        share|improve this answer















                        For anyone stumbling across this (like I did)



                        Don't use htaccess. Under admin go Stores -> General -> Web and change -> Use Secure URLs on Storefront -> Yes and Use Secure URLs in Admin -> Yes



                        There's no need to edit any files.







                        share|improve this answer














                        share|improve this answer



                        share|improve this answer








                        edited Dec 21 '17 at 16:46









                        Rama Chandran M

                        2,8028 gold badges16 silver badges30 bronze badges




                        2,8028 gold badges16 silver badges30 bronze badges










                        answered Dec 21 '17 at 14:29









                        Andrew















                        • Whoa, good timing. Answered yesterday. I believe this should be the answer... at least, it is forcing https on frontend and admin for me without touching Apache. The currently selected answer enables HTTPS, but this answer "forces" https.

                          – Joe Fletcher
                          Dec 23 '17 at 0:03






                        • This is exactly what the questioner said they tried and that it didn't work

                          – Dom
                          Sep 4 '18 at 14:46

















                        Most approaches on .htaccess would redirect most pages to home when accessed via http.



                        Example:
                        http://www.mystore.com/productA.html => http://www.mystore.com/



                        instead of https://www.mystore.com/productA.html



                        I solved it with the following .htaccess rewrite (Apache only, of course):



                        #Force SSL
                        RewriteCond %{HTTPS} off
                        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]


                        See source.






                            answered Aug 2 at 4:17









                            Ricardo Martins
