How to force drupal 7 to load HTTPS assets?


if everything(SERVER AND HOST SETTINGS) is ok just $conf['https'] = TRUE; in your settings.php.

According to Enabling HTTP Secure (HTTPS)

Drupal configuration :

If you want to support mixed-mode HTTPS and HTTP sessions open up sites/default/settings.php and add $conf['https'] = TRUE;. This enables you use the same session over HTTP and HTTPS both -- but with two cookies where the HTTPS cookie is sent over HTTPS only. You will need to use contributed modules like securepages to do anything useful with this mode, like submitting forms over HTTPS and so on. While your HTTP cookie is still vulnerable to all usual attacks, a hijacked insecure session cookie can only be used to gain authenticated access to the HTTP site. It will not be valid on the HTTPS site. Whether this is a problem or not depends on the needs of your site and the various module configurations. For example, if all forms are set to go through HTTPS and your visitors can see the same information as logged in users then this is not a problem.

For even better security, leave $conf['https'] at the default value (FALSE) and send all authenticated traffic through HTTPS and use HTTP for anonymous sessions. Once again contributed modules like Secure Login or 443 Session can help you here. Drupal 7 automatically enables the session.cookie_secure PHP configuration on HTTPS sites, which causes SSL-only secure session cookies to be issued to the browser. For best-possible security, set up your site to only use HTTPS, and respond to all HTTP requests with a redirect to your HTTPS site. $conf['https'] can be left at its default value (FALSE) on pure-HTTPS sites. Even then, HTTPS is vulnerable to man-in-the-middle attacks if the connection starts out as a HTTP connection before being redirected to HTTPS. Use the HSTS module or set the Strict-Transport-Security header in your webserver to help prevent users from accessing the site without HTTPS.

also you can use Secure Pages module

Description of module :

A small process which will redirect the required pages to a SSL version of the page.

Update also you can in settings.php do: $base_url = 'https://'.$_SERVER['SERVER_NAME'];.

I updated settings.php with: $base_url = 'https://'.$_SERVER['SERVER_NAME'];

The Secure Pages module does this.

A small process which will redirect the required pages to a SSL version of the page.

Tags: Ssl

Similar questions

Force a session to become HTTPS?
I'm working with a very complex legacy D7 site, and very complex requirements (bleaugh). Anyway: I'm working on a deeplinking system that allows a jump to the site, which then logs-in a user (this is based on an encrypted ID), does some other stuff like setting up cookies, and then jumps to the required page. This is fine, except some of them are H...
How to force D8 "Configuration synchronization" to send HTTPS download URL
I have a Drupal 8 site hosted on an Apache Server. There are 2 virtuals hosts : Everything works well, except for the "Configuration synchronization" full export. When I click the "Export" button, I'm redirected to the home page, without any message or log. Enabling the console on my web browser, I saw these calls : The download process of the conf...
How can I force HTTPS for all images?
I'm moving my Drupal 7 website to https but I keep having issues with some images that gets loaded with full path, but with http://. For example the site logo and view images have http:// path. (Inside DB table file_amanged files are all saved with public:// path.) They are all files loaded through the Drupal UI. How can I force all images to use h...
How to force a JS library to be loaded via HTTPS?
How can I force a js library to always load only via SSL? Specifically, I want to get Drupal to always load stripe.js with SSL, because stripe.js refuses to load over http (you get a 403 FORBIDDEN error). I'm loading stripe.js through the Commerce Stripe module. commerce_stripe.libraries.yml looks like this: So I thought this would be sufficient to...
htacess force to https protocol
I have a htaccess file that is forcing http:// connections to https:// however if the user happens to come along to my site at instead of redirect to the same url but on https:// it redirects the user to the home page on a https connection why is this? Below is my .htaccess,
Create drupal content programmatically with custom entity ( assets )
I am using asset module : I creates a new entity type = asset. I get a form where I can add ( document, image, video..). How can I, from a custom module add a content of asset ? I think that I cannot do it the way we creat nodes ... like : Please help thank you

Also ask

We use cookies to deliver the best possible experience on our website. By continuing to use this site, accepting or closing this box, you consent to our use of cookies. To learn more, visit our privacy policy.