How can I require a route to be HTTPS?


#1

Hello, I’m working with my REST API over HTTP now, but I would like some routes (e.g. authentication) to be HTTPS for security reasons. How should I do it?
Here you can see the structure of the route:

use Slim\Http\Request;
use Slim\Http\Response;

$app->get('/glossaries', function (Request $request, Response $response) {
    // the authentication logic that sets $success and $token is omitted here
    if (!$success) {
        $data = array("Error Message" => 'authentication failed');
        $newResponse = $response->withJson($data, 401, JSON_PRETTY_PRINT);
        .......
    }
    else {
        $data = array("Token" => $token);
        $newResponse = $response->withJson($data, 202, JSON_PRETTY_PRINT);
    }
    return $newResponse;
});

Thank you in advance :slight_smile: .!


#2

@ywy9876 I’ve used this in my .htaccess files with success:

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . index.php [L]

#3

@robrothedev Thanks for your reply, and if you don’t mind, I would like to ask some more questions.

  1. So this has nothing to do with Slim at all?
  2. And for example, using the configuration that you provided, if I use AJAX for authentication, making a request to http://myapp.com/api/auth (as usual), will it work over HTTPS and thus protect the credentials I sent as POST data? Or do I have to use https://myapp.com/api/auth?

Thank you in advance.


#4

.htaccess is an Apache configuration so Slim has nothing to do with it. I used the .htaccess example provided here and added the HTTPS redirects.

Personally for AJAX requests, I would just make sure you use https://. I’m not 100% sure how the .htaccess behaves with AJAX requests.


#5

@robrothedev Thank you for all the information.
Just want to make things clearer. I’m debugging with WAMP (without HTTPS enabled), and used the configuration you mentioned, and when I send a GET request with Postman to http://myapp.com/api/xxx, I get an Internal Server Error, so I think it’s mandatory to use https://myapp.com/api/xxx?


#6

I don’t have code to hand (apologies; am on my phone) but I do this in middleware as I can guarantee that it will work regardless of the server.

Basically, add a function that gets the request URI and checks the protocol. If it’s not HTTPS then redirect (via 303) to the HTTPS version.

I also use an environment variable to determine whether to enable this or not so that I can test on a non-HTTPS enabled dev environment.

If you can’t work it out from that, give me a couple of days and I’ll be able to give you a working example (y)
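
The middleware approach described above, written out as an added example (this is not code from the thread or from the Slim project). It assumes Slim 3 (PSR-7 `Request`/`Response` with `withRedirect()` and `withJson()`, which is what the `withJson` calls in this thread use), an `$app` that is a `\Slim\App`, and two environment variables whose names are chosen here: `FORCE_HTTPS` to switch the check on outside a non-HTTPS dev environment, and `TRUST_PROXY_PROTO` to say whether `X-Forwarded-Proto` from a TLS-terminating proxy may be trusted. It redirects only `GET`/`HEAD` with a 303; a `POST` that already carried credentials over plain HTTP is refused instead, since a redirect cannot undo that and a 303 would drop the body anyway.

```php
<?php
// Added example: Slim 3 middleware that enforces HTTPS on a route or on the whole app.
// Assumed names: FORCE_HTTPS and TRUST_PROXY_PROTO environment variables, $app (\Slim\App).

use Slim\Http\Request;
use Slim\Http\Response;

// Did the request arrive over TLS? Behind a reverse proxy or load balancer that
// terminates TLS, Slim only ever sees "http", so X-Forwarded-Proto is consulted too.
// That header is trusted only when the proxy is known to set/overwrite it,
// because any client can send it directly otherwise.
function requestIsSecure(Request $request, bool $trustProxyHeader): bool
{
    if ($request->getUri()->getScheme() === 'https') {
        return true;
    }
    return $trustProxyHeader
        && strtolower($request->getHeaderLine('X-Forwarded-Proto')) === 'https';
}

// Both switches default to false when the variable is unset (getenv() returns false).
$forceHttps       = filter_var(getenv('FORCE_HTTPS'), FILTER_VALIDATE_BOOLEAN);
$trustProxyHeader = filter_var(getenv('TRUST_PROXY_PROTO'), FILTER_VALIDATE_BOOLEAN);

$requireHttps = function (Request $request, Response $response, callable $next)
    use ($forceHttps, $trustProxyHeader) {

    if (!$forceHttps || requestIsSecure($request, $trustProxyHeader)) {
        return $next($request, $response);
    }

    // Safe, body-less requests are sent to the same URL on https. withPort(null)
    // drops a dev port such as :8080 so the redirect lands on the default 443.
    if (in_array($request->getMethod(), ['GET', 'HEAD'], true)) {
        $httpsUri = (string) $request->getUri()->withScheme('https')->withPort(null);
        return $response->withRedirect($httpsUri, 303);
    }

    // Anything with a body (e.g. a login POST) that reached us over plain HTTP has
    // already exposed its payload; refuse it rather than pretend a redirect helps.
    $data = ['Error Message' => 'HTTPS is required for this request'];
    return $response->withJson($data, 403, JSON_PRETTY_PRINT);
};

// Either apply it to every route ...
$app->add($requireHttps);

// ... or only to the routes that need it, such as authentication. The handler
// itself does not change: the middleware runs before it and only lets HTTPS through.
$app->get('/auth', function (Request $request, Response $response) {
    // authentication logic that sets $success and $token goes here
    $success = true;
    $token   = 'example-token';
    if (!$success) {
        return $response->withJson(['Error Message' => 'authentication failed'], 401, JSON_PRETTY_PRINT);
    }
    return $response->withJson(['Token' => $token], 202, JSON_PRETTY_PRINT);
})->add($requireHttps);
```

With `FORCE_HTTPS` unset the middleware is a no-op, which is the dev-environment toggle mentioned above; set it (and, if Apache or a load balancer terminates TLS in front of PHP, `TRUST_PROXY_PROTO`) in production. A plain-HTTP request that is refused with 403 is also worth logging, since in a correctly configured deployment it should never happen.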


#7

@Antnee Hi, thanks for your reply.
But I have some (maybe silly) questions:

  1. If I use the redirection method, and I post data over HTTP at first, wouldn’t it be unsafe?
  2. As you said, if it’s not an HTTPS request then redirect (via 303) to the HTTPS version. What should I do to implement the HTTPS version if I have the HTTP version as follows?
use Slim\Http\Request;
use Slim\Http\Response;

$app->get('/auth', function (Request $request, Response $response) {
    ....... // authentication logic that sets $success and $token
    if (!$success) {
        $data = array("Error Message" => 'authentication failed');
        $newResponse = $response->withJson($data, 401, JSON_PRETTY_PRINT);
        .......
    }
    else {
        $data = array("Token" => $token);
        $newResponse = $response->withJson($data, 202, JSON_PRETTY_PRINT);
    }
    return $newResponse;
});

#8

@ywy9876 Are you still getting a server error?


#9

@robrothedev Hi,
yeah, I got the result shown in the following images; not sure whether it is related to the fact that I haven’t enabled HTTPS yet for WAMP:




#10

@ywy9876 Yeah, my guess is that is the issue.


#11

Hi

I have a similar problem to ywy9876. I have recently set up my remote LAMP server with SSL, which works fine with Slim. However, I get a 504 Gateway Timeout error on my routes that connect to MySQL. My routes work fine when the same index.php file is on my local XAMPP server (which is not SSL enabled). So it appears to me that the https protocol is not yet working. What you said here seems to be a great solution, but I don’t know where to begin with middleware. Any help appreciated. Thanks