Force checkout pages to redirect to HTTPS
Hello there,
On our client's site, the Zen Cart pages switch from HTTP to HTTPS at checkout and back again by default as they should. However, we've noticed that they will still load if the other protocol is typed in manually. It seems particularly alarming that pages that should always be secure will load fine as HTTP. How can we force the pages to redirect to the correct protocol?
Thanks!
Re: Force checkout pages to redirect to HTTPS
Quote:
Originally Posted by jennibr
Hello there,
On our client's site, the Zen Cart pages switch from HTTP to HTTPS at checkout and back again by default as they should. However, we've noticed that they will still load if the other protocol is typed in manually. It seems particularly alarming that pages that should always be secure will load fine as HTTP. How can we force the pages to redirect to the correct protocol?
Thanks!
Although I wouldn't worry about it (otherwise it wouldn't be allowed), I would say that the htaccess file would be the route to go to prevent the affected pages from being able to be loaded sans https. Need to have it identify that if not a secure connection, and is any of the pages of concern, then to redirect to the same page name but on the secure host path. That's my two cents worth.
As to the lack of concern, what is really being transferred at that point of changing over, and what shopper is going to manually change to a non-secure mode? Next thing too is that on the next page load it should change back I thought, so what does anyone gain by changing over to a nonsecure version of the page while it is displayed?
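The .htaccess approach described in the post above, as an added example that is not part of the original thread or of Zen Cart itself. It assumes Apache with mod_rewrite, the stock `index.php?main_page=...` URLs (no SEO URL add-on), TLS terminated on the web server itself, and uses `shop.example.com` as a placeholder hostname.

```apache
# Added example: force HTTPS for Zen Cart account and checkout pages.
# Place in the store's root .htaccess, above any other rewrite rules.
RewriteEngine On

# Condition 1: the request arrived over plain HTTP.
# Assumption: TLS ends at this server. Behind a proxy or load balancer
# %{HTTPS} stays "off" and this rule would loop; test the forwarded
# protocol header your proxy sets instead.
RewriteCond %{HTTPS} !=on

# Condition 2: the request is for one of the pages of concern.
# Zen Cart selects the page with the main_page query parameter, so match
# it anywhere in the query string: login, create_account, every
# checkout_* step, the account_* pages and the address book.
RewriteCond %{QUERY_STRING} (^|&)main_page=(login|create_account|checkout_[a-z_]+|account[a-z_]*|address_book[a-z_]*)(&|$) [NC]

# Redirect to the same path on the secure host. The hostname is fixed
# (placeholder) rather than taken from the client's Host header, and the
# original query string is appended automatically by mod_rewrite.
RewriteRule ^ https://shop.example.com%{REQUEST_URI} [R=301,L]
```

The redirect only fires after the browser has already sent the plain-HTTP request, so session cookies should also carry the Secure flag if they must never travel unencrypted.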
Re: Force checkout pages to redirect to HTTPS
Quote:
Originally Posted by jennibr
Hello there,
On our client's site, the Zen Cart pages switch from HTTP to HTTPS at checkout and back again by default as they should. However, we've noticed that they will still load if the other protocol is typed in manually. It seems particularly alarming that pages that should always be secure will load fine as HTTP. How can we force the pages to redirect to the correct protocol?
Thanks!
As "mc12345678" has stated, I wouldn't worry about this. In fact I'd even go as far as to say that you should leave it this way because by forcing the use of SSL you will be denying access to those people that aren't using SSL-capable browsers.
The only time that this denial would be considered acceptable is if your site is handling credit card payments directly (IOW not via a Gateway), and this is due to PCI compliance requirements.
Admittedly, very few people would be using a non-SSL-capable browser these days, but their $$$ is just as good as anyone else's :)
Cheers
RodG
Re: Force checkout pages to redirect to HTTPS
This has been discussed in some detail before, and I recall DrByte stressing that no matter what the page URL says when you are typing the order information, it will always be sent securely. That cannot be affected by someone trying to artificially defeat the HTTPS.
This was in regard to some PCI scan company trying to fail somebody's test for bogus reasons.
Re: Force checkout pages to redirect to HTTPS
Quote:
Originally Posted by gjh42
I recall DrByte stressing that no matter what the page URL says when you are typing the order information, it will always be sent securely.
http://stackoverflow.com/questions/8...sl-certificate
Re: Force checkout pages to redirect to HTTPS
OK, gotcha. What y'all have said makes sense. Thanks, everyone! :-)