Jump to content

Recommended Posts

Posted

I have not upgraded my current store to the latest version of 6.1.7 yet because I had a lot of CSRF errors even though the site is not currently on an SSL url. I now have access to upgrade to SSL for the site. 

My question is whether or not there is anything I should be aware of before enabling SSL on my site? Will this cause any issues in my store that I need to be aware of? I am not sure I can undo my SSL upgrade once it is done. However, I do not want to be without the latest and greatest cubecart versions! 

Any advice will be helpful!

Posted

Ensure that you force https in your .htaccess file or better still ask your hosting company to enable HSTS

Check to make sure you dont have any hard-coded urls that start http:// as that will cause the page to be insecure due to mixed content.  Hard coding in skin template files and documents are the normal culprits

Ian

Posted
25 minutes ago, havenswift-hosting said:

Ensure that you force https in your .htaccess file or better still ask your hosting company to enable HSTS

Check to make sure you dont have any hard-coded urls that start http:// as that will cause the page to be insecure due to mixed content.  Hard coding in skin template files and documents are the normal culprits

Ian

hosting company has me on a shared server, not sure how that would work. Is there a method I can use to force https in the htaccess? Is that the setting in the store settings to enable SSL?

Posted
4 hours ago, djcaseanova said:

hosting company has me on a shared server, not sure how that would work. Is there a method I can use to force https in the htaccess? Is that the setting in the store settings to enable SSL?

This is what I use in my .htaccess file - put this right after enabling the RewriteEngine and setting the RewriteBase:

# Require SSL
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "yoursite.com"
ErrorDocument 403 https://yoursite.com

# Require SSL without mod_ssl
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

 

Posted
21 hours ago, djcaseanova said:

hosting company has me on a shared server, Is there a method I can use to force https in the htaccess? Is that the setting in the store settings to enable SSL?

HSTS is great but it does apply server wide but we enable it on all our shared hosting servers.  You need to add directives to the .htaccess to force all pages to be https but what is needed will be specific to how your server is setup - this is why if you search online for this, you will find lots of different answers, all of which could be correct.  You can try what Brian has suggested as that is one common way but if the syntax isnt correct for your server it will stop your whole site from working, so dont change and leave without testing !

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...