How can I require a route to be HTTPS?


#1

Hello, I’m working with my REST API now over HTTP, but I would like some routes (e.g. authentication) to be HTTPS for security issues. How should I do it?
Here you can see the structure of the route:

$app->get('/glossaries', function (Request $request, Response $response) {
    if (!$success) {
        $data = array("Error Message" => 'authentication failed');
        $newResponse = $response->withJson($data, 401, JSON_PRETTY_PRINT);
        .......
    }
    else {
        $data = array("Token" => $token);
        $newResponse = $response->withJson($data, 202, JSON_PRETTY_PRINT);
    }
    return $newResponse;
});

Thank you in advance!


#2

@ywy9876 I’ve used this in my .htaccess files with success:

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . index.php [L]

#3

@robrothedev Thanks for your reply, and if you don’t mind, I would like to ask some more questions.

  1. so there is nothing to do with Slim at all?
  2. And for example, using the configuration that you provided, if I use AJAX for authentication, making a request to http://myapp.com/api/auth (as usual), will it work over HTTPS and thus protect the credentials I sent as POST data? Or do I have to use https://myapp.com/api/auth?

Thank you in advance.


#4

.htaccess is an Apache configuration so Slim has nothing to do with it. I used the .htaccess example provided here and added the HTTPS redirects.

Personally for AJAX requests, I would just make sure you use https://. I’m not 100% sure how the .htaccess behaves with AJAX requests.


#5

@robrothedev Thank you for all the information.
Just want to make things clearer. I’m debugging with WAMP (without HTTPS enabled), and used the configuration you mentioned, and when I send a GET request with Postman to http://myapp.com/api/xxx, I get an Internal Server Error, so I think it’s mandatory to use https://myapp.com/api/xxx?


#6

I don’t have code to hand (apologies; am on my phone) but I do this in middleware as I can guarantee that it will work regardless of the server.

Basically, add a function that gets the request URI and checks the protocol. If it’s not HTTPS then redirect (via 303) to the HTTPS version.

I also use an environment variable to determine whether to enable this or not so that I can test on a non-HTTPS enabled dev environment.

If you can’t work it out from that, give me a couple of days and I’ll be able to give you a working example (y)
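The middleware approach described above, written out as an added example (not code from the thread or from Slim itself). It assumes Slim 3 (the thread's `$response->withJson()` is Slim 3 API), an environment variable `FORCE_HTTPS` that you set to `1` only where TLS is available, and a `/auth` route name chosen for illustration.

```php
<?php
// Added example: Slim 3 middleware that forces HTTPS on the routes it is
// attached to. Assumes Slim 3 and a FORCE_HTTPS environment variable.
require 'vendor/autoload.php';

use Slim\Http\Request;
use Slim\Http\Response;

$app = new \Slim\App();

$requireHttps = function (Request $request, Response $response, callable $next) {
    // Toggle via environment so a plain-HTTP dev setup (e.g. WAMP) still works.
    if (getenv('FORCE_HTTPS') !== '1') {
        return $next($request, $response);
    }

    // Behind a TLS-terminating proxy the app itself sees http://, so also
    // honour X-Forwarded-Proto (only meaningful if your proxy sets it).
    $forwarded = strtolower($request->getHeaderLine('X-Forwarded-Proto'));
    $scheme    = $forwarded !== '' ? $forwarded : $request->getUri()->getScheme();

    if ($scheme === 'https') {
        return $next($request, $response);
    }

    // A safe request can be redirected (303) to the same URL over HTTPS.
    // withPort(null) drops the explicit :80 that would otherwise carry over.
    if (in_array($request->getMethod(), ['GET', 'HEAD'], true)) {
        $httpsUrl = (string) $request->getUri()->withScheme('https')->withPort(null);
        return $response->withRedirect($httpsUrl, 303);
    }

    // Credentials POSTed over plain HTTP have already crossed the wire in
    // clear text; a redirect cannot undo that, so refuse rather than replay.
    return $response->withJson(
        ['Error Message' => 'this endpoint requires HTTPS'],
        403,
        JSON_PRETTY_PRINT
    );
};

// Attach only to the routes that must be HTTPS, e.g. authentication.
$app->post('/auth', function (Request $request, Response $response) {
    // Placeholder body: the thread's authentication logic goes here.
    return $response->withJson(['Token' => 'example-token'], 202, JSON_PRETTY_PRINT);
})->add($requireHttps);

$app->run();
```

Because a browser only ever resends a 303-redirected request as a GET, the 403 branch is what actually protects a credential POST: the client has to be pointed at `https://` in the first place, and sending the `Strict-Transport-Security` header on HTTPS responses makes browsers do that on their own for later requests.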


#7

@Antnee Hi, thanks for your reply.
But I have some (maybe silly) questions:

  1. If I use redirection method, and I post data with HTTP at first, wouldn’t it be unsafe?
  2. As you said, if it’s not an HTTPS request then redirect (via 303) to the HTTPS version. What should I do to implement the HTTPS version if I have the HTTP version as follows?
$app->get('/auth', function (Request $request, Response $response) {
    .......
    if (!$success) {
        $data = array("Error Message" => 'authentication failed');
        $newResponse = $response->withJson($data, 401, JSON_PRETTY_PRINT);
        .......
    }
    else {
        $data = array("Token" => $token);
        $newResponse = $response->withJson($data, 202, JSON_PRETTY_PRINT);
    }
    return $newResponse;
});

#8

@ywy9876 Are you still getting a server error?


#9

@robrothedev Hi,
yeah, I got the result shown in the following images; not sure whether it is related to my not having enabled HTTPS yet for WAMP:




#10

@ywy9876 Yeah, my guess is that is the issue.