0

I've seen a lot of software that tries to determine if the current protocol is HTTP or HTTPS, mainly to output links and avoid the mixed content error.

Usually the software checks some server variables (for example, $_SERVER['HTTP'] in PHP, see this question: PHP Get Site URL Protocol - http vs https).

This method may work, but fails, for example, when you have a reverse proxy that receives SSL traffic and requests content from a web server over HTTP (so when the software checks the HTTPS status it's off). The web server will respond with HTTP links but the content is actually served over HTTPS.

There's a simple solution for this: just use links without a protocol: '//' instead of 'http://' or 'https://'.

So, my question is: is it better practice to detect the current protocol (http or https) instead of just using the default protocol for content links (CSS, JS, images, AJAX, etc.)? If yes, why?

sanzante
  • 844
  • 1
  • 11
  • 28
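The failure described in the question (TLS terminated at a reverse proxy, plaintext hop to the application) is easy to reproduce with a couple of constructed request environments. The following is an added example, not code from the original post: `naive_scheme` mirrors the "check the HTTPS server variable" approach, and `effective_scheme` shows the usual hardened alternative, honouring `X-Forwarded-Proto` only when the immediate peer (`REMOTE_ADDR`) is inside a configured trusted-proxy network, so a client that can reach the app server directly cannot forge the scheme. The proxy addresses, hostnames and environ dictionaries are all constructed for the example.

```python
"""Determine the scheme a client actually used when TLS is terminated upstream.

Added example (not from the original post). Environ keys follow the CGI/WSGI
convention (REMOTE_ADDR, HTTPS, HTTP_X_FORWARDED_PROTO); all values are constructed.
"""
import ipaddress


def naive_scheme(environ):
    """The common check: look only at the HTTPS server variable.

    Behind a proxy that forwards over plain HTTP this variable is unset, so the
    application emits http:// links into a page that was served over https.
    """
    https = environ.get("HTTPS", "")
    return "https" if https and https.lower() != "off" else "http"


def _is_trusted_peer(peer, trusted_proxies):
    """True if the direct peer address lies in one of the trusted proxy networks."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:  # missing or malformed REMOTE_ADDR: never trust
        return False
    return any(addr in ipaddress.ip_network(net) for net in trusted_proxies)


def effective_scheme(environ, trusted_proxies):
    """Prefer X-Forwarded-Proto, but only when it was set by a known proxy.

    Without the peer check any client could send the header itself and make the
    application believe a plaintext request was HTTPS (or the other way round).
    """
    if _is_trusted_peer(environ.get("REMOTE_ADDR", ""), trusted_proxies):
        forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
        # With chained proxies the header is comma-separated; the first entry
        # is the scheme the original client used.
        first = forwarded.split(",")[0].strip().lower()
        if first in ("http", "https"):
            return first
    return naive_scheme(environ)


def absolute_url(environ, trusted_proxies, path):
    """Build an absolute link for a sub-resource using the effective scheme."""
    scheme = effective_scheme(environ, trusted_proxies)
    host = environ.get("HTTP_HOST", "localhost")
    return f"{scheme}://{host}{path}"


# Constructed request: TLS terminated at proxy 10.0.0.2, forwarded as plain HTTP.
BEHIND_PROXY = {
    "REMOTE_ADDR": "10.0.0.2",
    "HTTP_HOST": "example.com",
    "HTTP_X_FORWARDED_PROTO": "https",
    # HTTPS deliberately absent: the hop to the app server was plaintext.
}

# Constructed request: a client reaching the app server directly and setting
# the forwarding header itself.
SPOOFED = {
    "REMOTE_ADDR": "203.0.113.9",
    "HTTP_HOST": "example.com",
    "HTTP_X_FORWARDED_PROTO": "https",
}

# Constructed trusted-proxy network (assumption of this example).
TRUSTED = ["10.0.0.0/8"]

if __name__ == "__main__":
    print(naive_scheme(BEHIND_PROXY))                   # http  (mixed-content bug)
    print(effective_scheme(BEHIND_PROXY, TRUSTED))      # https
    print(effective_scheme(SPOOFED, TRUSTED))           # http  (header ignored)
    print(absolute_url(BEHIND_PROXY, TRUSTED, "/style.css"))
```

The trusted-proxy list is the important part: the same `X-Forwarded-Proto` lookup that fixes the reverse-proxy case becomes a client-controlled input if the application server is also reachable without going through the proxy.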

1 Answer

0

Using '//' works, but it means your resources must be available over both http and https.

So you can simply use 'https://' so you are sure to always use the secure connection, and avoid mixed-content errors.

(Of course, the most secure option is to always use https, with a 301 redirect on http and HSTS)

Tom
  • 4,666
  • 2
  • 29
  • 48
  • The question is more about best practices than how to solve an issue. Why does a contributed software try to deal with protocol detection instead of using the default? About the downside (should be available with https and http), I think it is not a problem because usually, when https is enabled, http is still available, at least to redirect the client to https. – sanzante Aug 03 '16 at 13:48
  • 1
    If it's available with http through a redirect, it's slower; it's better to directly use the https version. And as the question is about best practice: use https, always. With HPKP. Period. – Tom Aug 03 '16 at 13:51
  • So a software library should always use https? What if whoever uses the library does not have https available? Honestly, I don't see this as a solution. – sanzante Aug 03 '16 at 16:38
  • @sanzante Your question implies http and https support. And yes, a software library should use https as much as possible. – Tom Aug 03 '16 at 17:28
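The answer's recommendation (serve everything over https, 301-redirect plain http, send HSTS) can be shown end to end with a small WSGI wrapper. This is an added example, not code from the answerer or from any library mentioned on the page; `hello_app`, the `call` test harness and the request environments are constructed for it, and it assumes the server is only reachable through a proxy that overwrites `X-Forwarded-Proto` (see the trusted-proxy check in the earlier example for the general case).

```python
"""Enforce HTTPS as the answer suggests: 301 on plain HTTP, HSTS on HTTPS.

Added example (not from the original post). Framework-free WSGI middleware
with a constructed inner app and a constructed harness to exercise it offline.
"""

# One year, including subdomains: the usual starting point for an HSTS policy.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def is_https(environ):
    """Scheme as seen by the WSGI server, or as reported by the proxy hop.

    Assumes X-Forwarded-Proto is only ever set by a trusted proxy in front of
    this server (an assumption of the example, not a general guarantee).
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    return forwarded.split(",")[0].strip().lower() == "https"


def force_https(app):
    """Wrap a WSGI app: redirect plaintext requests, add HSTS to secure ones."""

    def middleware(environ, start_response):
        host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
        path = environ.get("PATH_INFO", "/")
        query = environ.get("QUERY_STRING", "")

        if not is_https(environ):
            # Permanent redirect to the same URL on https; no body needed.
            target = f"https://{host}{path}" + (f"?{query}" if query else "")
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # HSTS is only meaningful on an https response; browsers ignore it
            # over http, and we never reach this branch on http anyway.
            headers = [h for h in headers
                       if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)

    return middleware


def hello_app(environ, start_response):
    """Constructed inner application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def call(app, environ):
    """Invoke a WSGI app with a constructed environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


# Constructed requests.
PLAIN = {"wsgi.url_scheme": "http", "HTTP_HOST": "example.com",
         "PATH_INFO": "/app.js", "QUERY_STRING": "v=2"}
SECURE = {"wsgi.url_scheme": "https", "HTTP_HOST": "example.com",
          "PATH_INFO": "/app.js", "QUERY_STRING": ""}

if __name__ == "__main__":
    secured = force_https(hello_app)
    print(call(secured, PLAIN))    # 301 with Location: https://example.com/app.js?v=2
    print(call(secured, SECURE))   # 200 with Strict-Transport-Security header
```

The redirect protects top-level navigations; it does not rescue a page that still references `http://` sub-resources, because browsers block active mixed content before any redirect is followed. That is why the links themselves need to be https (or protocol-relative on a site that is only ever served over https), which is the point the answer makes.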