How to enforce HTTPS (SSL) on all pages
Please note: The contents of this article apply only to licensed versions of the ProductCart software. They do not apply to stores running as a hosted application under a ProductCart Live agreement.
Overview
As you may have noticed, the Internet is trending towards "All HTTPS, all the time". With more and more emphasis on security, search engines will soon be factoring a website's HTTPS practices into their page rankings, as described in the following article:
https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html
Many ProductCart merchants are asking the question...
What's the best way to force HTTPS?
Well, for starters, you'll need to make sure that you have a Dedicated SSL Certificate installed on your site. SSL (Secure Sockets Layer) technology encrypts data exchanged between a server and a browser. When SSL is used, information is exchanged using the HTTPS protocol instead of the HTTP protocol, where data travels unencrypted. The address of a page delivered using the HTTPS protocol will typically become: https://www.myserver.com/mypage.html.
Secure Sockets Layer (SSL) has largely been replaced by Transport Layer Security (TLS) around the internet. Some technical articles will make a distinction between the two related and very similar systems. For the purposes of discussing general security, the terms are often used interchangeably. Because SSL is the long-standing, familiar term for discussing the topic, we will use it in this article. If your web host suggests a TLS certificate, the distinction won't matter in relation to the information in this article.
SSL Certificates are issued to a specific sub domain (subdomain), so if you generally reference your site with the 'www' sub domain, then make sure that your SSL Certificate is issued to that exact URL/Domain. The following domains are not the same:
http://domain.com
http://www.domain.com
http://store.domain.com
While the 'Root' domain is the same, the sub domains are all different and could even be hosted on different servers. To prevent issues that can occur when a server switches between sub domains, we recommend that you first choose and enforce a single sub domain throughout your entire site (and related navigation links and menus).
Once you have done that and your hosting provider has installed a dedicated SSL Certificate on your server, there are different ways to force all pages to load under HTTPS. There might be a 'setting' for this in the Hosting Control Panel, but we have found that enforcing this through a 'web.config' or '.htaccess' file is efficient. These are small 'text' files that control the behavior of the site or directory in which they reside.
Your server environment will help you determine which one you use. The name of the file must be (exactly)
web.config
OR
.htaccess
You can create these files in Notepad and then upload them to the root directory of your website using an FTP program.
web.config
Most Windows Server environments will use a web.config file. The following content in a web.config file will force HTTPS for ALL resources (using a 301 Permanent Redirect):
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <clear />
        <rule name="Redirect to https" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
.htaccess
Not all web servers will be set up to use an .htaccess file. Your web hosting provider can help you determine if this option is the right option for you. If you host your own website, you may be interested in learning more about the necessary setup to use a .htaccess file at https://www.saotn.org/using-htaccess-in-iis/. For the .htaccess file you need fewer lines of code and a smaller overall file.
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]
In this case, make sure to edit the URL/Domain to reflect your own, before saving and uploading the file to the Root Directory on the server.
Test your site using different protocols and URLs to make sure it's functioning and properly redirecting visitors to the HTTPS page.
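One way to script that test, as an added example that is not part of ProductCart: it checks that a plain-HTTP request gets a 301 to HTTPS on the expected host with the path and query string intact. The helper names check_redirect and probe are hypothetical, and the sample responses are constructed.

```python
import http.client
from urllib.parse import urlsplit

def check_redirect(requested_url, status, location, canonical_host=None):
    """Return the problems found in one HTTP response (empty list = correct redirect)."""
    req = urlsplit(requested_url)
    problems = []
    if status != 301:
        problems.append(f"status is {status}, expected 301")
    if not location:
        return problems + ["no Location header"]
    loc = urlsplit(location)
    if loc.scheme != "https":
        problems.append(f"Location scheme is {loc.scheme!r}, expected 'https'")
    # The web.config rule keeps the requested host; the .htaccess rule pins one host.
    expected_host = (canonical_host or req.hostname or "").lower()
    if (loc.hostname or "").lower() != expected_host:
        problems.append(f"Location host is {loc.hostname!r}, expected {expected_host!r}")
    if (loc.path or "/") != (req.path or "/"):
        problems.append("path changed")
    if loc.query != req.query:
        problems.append("query string changed")
    return problems

def probe(url, canonical_host=None, timeout=10):
    """Send HEAD over plain HTTP without following redirects, then check the reply."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return check_redirect(url, resp.status, resp.getheader("Location"), canonical_host)
    finally:
        conn.close()

# Constructed sample responses (requested URL, status, Location); not real captures.
SAMPLES = [
    ("http://www.domain.com/mypage.html?id=5", 301, "https://www.domain.com/mypage.html?id=5"),
    ("http://www.domain.com/mypage.html?id=5", 302, "https://www.domain.com/mypage.html?id=5"),
    ("http://www.domain.com/mypage.html?id=5", 301, "https://www.domain.com/mypage.html"),
    ("http://www.domain.com/mypage.html", 200, None),
]

if __name__ == "__main__":
    for url, status, location in SAMPLES:
        print(url, "->", check_redirect(url, status, location) or "OK")
    # Against a live site (your own domain): print(probe("http://domain.com/", "www.domain.com"))
```

Pass canonical_host when the rule hardcodes the domain, as the .htaccess example does; leave it out for the web.config rule, which redirects to whatever host was requested.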