So. The concern (if one can call it that) relates to changing HTTP_SERVER to begin with https:. Let's talk about the internet a little.
People reach out to a computer using a web address. Part of that web address is the protocol to use and in some cases some specific information about that protocol. In this case let's keep with http. When someone tries to access your site using http:, the server is configured to accept the request, but then to forward it to https: (encryption is expected to be used and in most cases a different port on the computer).
So the visitor gets redirected to https:, ok. Great.
That method of connection is detected by ZC to indicate that the customer has reached the site using https. So there is software that recognizes that. Knowing that information, ZC prepares to present the page to the customer.
As part of preparing the page, the applicable configure.php file is reviewed/read. It comes across HTTP_SERVER and ENABLE_SSL (store side) and as the files continue to be accessed, anywhere HTTP_SERVER is encountered, the software substitutes the value from the configure.php file. In some cases there is an evaluation performed: if ENABLE_SSL is true, then use HTTPS_SERVER instead. There also are some where if the page was accessed using https: then present all links using https:...
Well, by forcing every arrival by a customer to https:, that means that all links to your site should be by https:. Otherwise, the link would be generated with http:, the link clicked, the server would redirect to https:. In that process, there would initially be an attempt to access without encryption and therefore that information could be captured...
By changing HTTP_SERVER to start with https:, all links generated will always be https: and therefore the server does less "work" and the information that could otherwise be viewable via http: would not be available.
So, in the case of the server forcing all https:, the software should do the same...
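As an added illustration (not part of the original post, and not Zen Cart code): a check over a rendered page that lists same-site links still generated with http:, each of which would cost one unencrypted request before the server's redirect to https:. The host name, page URL and sample HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose values the browser will request or navigate to.
URL_ATTRS = {"href", "src", "action"}

class LinkCollector(HTMLParser):
    """Collects (tag, attribute, raw URL) for every URL-bearing attribute."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append((tag, name, value))

def plaintext_store_links(html, page_url, store_host):
    """Return same-site URLs in `html` that would be requested over http:."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for tag, attr, raw in parser.urls:
        # Resolve relative and scheme-relative URLs against the page's own URL.
        absolute = urljoin(page_url, raw)
        parts = urlsplit(absolute)
        if parts.scheme == "http" and parts.hostname == store_host:
            findings.append((tag, attr, absolute))
    return findings

# Constructed sample: a page served over https: while HTTP_SERVER still starts with http:
SAMPLE_PAGE = """
<a href="http://shop.example.com/index.php?main_page=login">Log In</a>
<a href="https://shop.example.com/index.php?main_page=shopping_cart">Cart</a>
<form action="http://shop.example.com/index.php?main_page=search" method="get"></form>
<img src="images/logo.png">
<a href="http://other.example.net/">Partner</a>
"""

if __name__ == "__main__":
    for tag, attr, url in plaintext_store_links(
            SAMPLE_PAGE, "https://shop.example.com/", "shop.example.com"):
        print(f"<{tag} {attr}> {url}")
```

An empty result after changing HTTP_SERVER means no generated link on that page depends on the redirect.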