0

(Probably a silly question) I have this link on my HTML file (common HTTP):

<a href="MyWeb.html">Click here</a>

But I would like the MyWeb.html file to be accessed via HTTPS, and I assume I can not simply change the code to:

<a href="https://MyWeb.html">Click here</a>

... because the MyWeb.html file is not (or could not be) at the root web directory.

How can I solve this using HTML, CSS and/or JavaScript?

Sopalajo de Arrierez
  • 3,543
  • 4
  • 34
  • 52
  • Have you considered rewriting HTTP to HTTPS on the server side? – agrm May 23 '20 at 20:44
  • This should be done using your web server, not your html. Check this out: https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_is_a_web_server – konrad_pe May 23 '20 at 20:46
  • Sorry, @agrm , I don't understand you. I have a Apache2 web server with https enabled, so I can remotely access my HTML files browsing to both `http://myip/index.html` or `https://myip/index.html` , obtaining same results. – Sopalajo de Arrierez May 23 '20 at 20:48
  • I don't think so, @konrad_pe , if I link to `href="https://myip/whatever/the/path/is/MyWeb.html"` things work fine, but this is not a relative path, so I can not reuse code. – Sopalajo de Arrierez May 23 '20 at 20:51
  • If you are running an Apache server, you can use a `.htaccess` file to enforce HTTPS across your entire website. That way you don't have to do anything to each and every HTML file :o) – agrm May 23 '20 at 20:57
  • If https is set up correctly on your apache (e.g. through the correct setup of .htaccess), using the relative path shouldn't change the protocol. – konrad_pe May 23 '20 at 20:58

2 Answers2

0

It isn't a bullet-proof solution, but you can add a Content Security Policy to your site that indicates browsers should upgrade insecure requests automatically

See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests

Some options:

// header
Content-Security-Policy: upgrade-insecure-requests;

// meta tag
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Chase
  • 3,028
  • 14
  • 15
  • Should I put this code on the `MyWeb.html` file, or on the main (say `index.html`) one? – Sopalajo de Arrierez May 23 '20 at 20:53
  • Ideally, all your pages should be accessed over HTTPS where possible. So the best solution would be to put it in the headers or head of ALL pages on the site. You can also upgrade the requests at your Apache webserver by configuring it to force the upgrade. This is a bit more involved, but will fully prevent access of HTTP without an upgrade. See: https://www.tecmint.com/redirect-http-to-https-on-apache/ for that. Note that you can use both methods. The CSP addition may save a couple force redirects since the browser can do it locally. – Chase May 23 '20 at 20:55
  • The downside in your solution is (or so I understand) the upgrading (conversion) to HTTPS for every link in the HTML code, not the one I select. – Sopalajo de Arrierez May 23 '20 at 21:11
  • 1
    Is there a reason you DON'T want to have your visitors use HTTPS? As I mentioned, your best bet is to get them on HTTPS as soon as possible and keep them there for all resources. Mixing schemes will inevitably result in mixed-content warnings and potential security implications. – Chase May 23 '20 at 22:29
  • Mainly performance ( https://stackoverflow.com/questions/149274/http-vs-https-performance ) . – Sopalajo de Arrierez May 23 '20 at 22:43
  • Is it really worth compromising your entire website’s security and integrity, your users and their right to privacy, your search engine rankings etc etc to win a few ms? I’m sure there are hundreds of other things you can do to resolve your performance issues before you abandon a secure protocol. – agrm May 24 '20 at 10:37
0

If you're wondering how to redirect any link to the HTTPS version of the site, use this code in the file .htaccess (Note: you must have Apache installed on your server):

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]

.htaccess is often hidden by default, so make sure you turn on show hidden files.

Jij
  • 105
  • 1
  • 2
  • 12