1

I'm trying to get a login page to redirect to https and all other pages revert to standard http. When I have /login as the address, it shows up as /index.php?page=login and isn't displayed on a secure page.

The htaccess code in question is below :

RewriteCond %{SERVER_PORT} 80 
RewriteCond %{REQUEST_URI} ^/login$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,QSA,L]

RewriteCond %{REQUEST_URI} !^/login$
RewriteCond %{SERVER_PORT} 443 
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,QSA,L]

RewriteRule ^([a-zA-Z0-9_\-\(\)]+)[/]?$ /index.php?page=$1
Paul
  • 756
  • 1
  • 10
  • 22

1 Answers1

4

It's probably better to do this at the application level, that is, send the "login" link as an HTTPS link directly.

The problem with redirects from HTTP to HTTPS is that the client first makes the request over plain HTTP. In the case where it's only going to the HTTPS initial page, it's not necessarily a problem, but if you send the credentials in an HTTP request that's transparently redirected to an HTTPS page, they'll have been leaked anyway.

Bruno
  • 119,590
  • 31
  • 270
  • 376
  • To prevent credentials from being sent in cleartext inadvertently at the application-level you may use a `scheme-source` of `https:` in the CSP [`default-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src). – vhs Mar 15 '19 at 08:24