0

I am developing an ecommerce application using PHP. All the pages were accessed through HTTPS, while some of the pages are accessed through HTTP like home page, category listing and product listing. I have used htaccess code for redirection. But in HTTPS pages it shows shield symbol in the address bar and denotes that a web page is partially encrypted. Kindly advice me to resolve.

Htaccess code


    ########### Load Home, Category, Products and Product Detail page with HTTP ##########
    RewriteCond %{HTTPS} on
    RewriteCond %{REQUEST_URI} index\.php|category|product
    RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    ########### Load other than Home, Category, Products and Product Detail page with HTTPS ##########
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} !(index\.php|category|product)
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
VANI ..
  • 1
  • 1

1 Answers1

2

this is usually caused by having images/javascript/css being served from non-secure places.

The easiest way to fix this is to change all of URLs to relative URLs or remove the scheme...

Good:

<img src="/images/logo.png">
<img src="./images/logo.png">
<img src="//example.com/images/logo.png">

Bad:

<img src="http://example.com/images/logo.png">
<img src="https://example.com/images/logo.png">

Serving any content from a regular "http" URL in a "https" page will always trigger a partially secure warning.

Note:

There are other possible causes for a partially secure page, but this is usually the reason. Beyond that, you can see specifically what is making your page secure by clicking the lock icon near or in the address bar

Nicholas Summers
  • 4,444
  • 4
  • 19
  • 35
  • If your using something like PHP, then you could have it detect if its HTTP or HTTPS and output the links to the content appropriately. – SameOldNick Aug 20 '14 at 03:25
  • Yes **you could**, but it doesn't mean you should. Applying the above methods will allow assets to load correctly on both secure and insecure pages without adding any work for the server. In essence, using PHP to switch out http/https schemes in URLs for your own content is really a waste of time. – Nicholas Summers Aug 20 '14 at 03:28
  • **However,** URLs added by a end-user are a little different. In this case, it is recommended that you remove the scheme for them, like so: http://pastebin.com/iFJx9pKX – Nicholas Summers Aug 20 '14 at 03:38
  • Just a warning that some web browsers may look at ``//example.com/file.jpg`` differently and instead try to request ``http://example.com//example.com/file.jpg`` – SameOldNick Aug 20 '14 at 03:48
  • 1
    I believe that all the [most common browsers](http://stackoverflow.com/questions/4831741/can-i-change-all-my-http-links-to-just) (IE, Chrome, Safari, Firefox, Opera) know exactly how to handle these URLs... – Nicholas Summers Aug 20 '14 at 03:54
  • @ub3rst4r this is a very common concept - if any browsers are handling this incorrectly I'm sure their devs will be fixing it quickly. – scrowler Aug 20 '14 at 03:57
  • @ub3rst4r [RFC 1808](http://tools.ietf.org/html/rfc1808) clearly stands that no browser may look it incorrectly. –  Aug 20 '14 at 04:03