Force HTTPS on website

**sports guy** · 2 Mar 2021, 05:13 PM

I have an old version of Zen Cart (version 139h). http://www.framesforlife.com

I want to force HTTPS right now on all pages, currently HTTPS only shows on checkout pages. It has a plguin installed: Simple SEO URL v3.5.8. I don't see any settings built into the plugin. Is there a way to add something to my .htaccess for force HTTPS on every page?

**DrByte** · 2 Mar 2021, 07:02 PM

If you edit your /includes/configure.php and make BOTH the HTTP_SERVER and HTTPS_SERVER use https://your_site.com (instead of one being http:// and the other being https:// ) does that solve it? Be sure to test login/logout and buy something via checkout.

You could also go further and add an .htaccess rewrite rule, but those are specific to each hosting environment, so talk to your hosting support for specifics.

**mc12345678** · 2 Mar 2021, 07:07 PM

Accomplishing this with an older system such as this is a requires multiple adjustments to do it right.

Yes, the .htacccess file that is needed for your uri rewriter is one place to be touched, but also your includes/configure.php (may be read only when initially attempting to modify), the admin/includes/configure.php file and then on the catalog side there are likely multiple locations where for example

src="http:

Is used. There are other potentially hard coded places that may need updated.

I don't have the link to it, but there is a docs.zen-cart.com help document that covers this aspect, though it is written more from the perspective of current (far newer than 10+ years ago) versions.

**sports guy** · 2 Mar 2021, 07:45 PM

If you edit your /includes/configure.php and make BOTH the HTTP_SERVER and HTTPS_SERVER be https://your_site.com (instead of one being http:// and the other being https:// ) does that solve it?

I updated both configure.php files and the problem still persists. If you click any link located on the site, it does then redirect to HTTPS, but does not automatically redirect or refresh the homepage if I land on http. I am talking to my host right now about adding a .htaccess file.

**sports guy** · 2 Mar 2021, 07:55 PM

Problem solved. Host had to add this coding to my .htaccess file

Code:

RewriteEngine On
RewriteCond %{HTTP_HOST} framesforlife\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.framesforlife.com/$1 [R,L]
Header set content-Security-Policy: upgrade-insecure-requests

Thank you for your assistance!

**mc12345678** · 2 Mar 2021, 09:20 PM

Originally Posted by sports guy

Problem solved. Host had to add this coding to my .htaccess file

Code:

RewriteEngine On
RewriteCond %{HTTP_HOST} framesforlife\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.framesforlife.com/$1 [R,L]
Header set content-Security-Policy: upgrade-insecure-requests

Thank you for your assistance!

Will want to also add a rewrite rule in the event one tries to access the site using https: but without the prefix of www.

Suggest adding this after the above:

Code:

RewriteCond %{HTTP_HOST} ^framesforlife\.com [NC]
RewriteRule ^(.*)$ https://www.framesforlife.com/$1 [R,L]

What this does is to determine if the request is to just the domain name (without www. ) and if so, then redirect to the https: version with the www. prefix.