Saturday, October 30, 2010

Enabling HTTP Secure (HTTPS)

HTTPS is a protocol which encrypts HTTP requests (like the kind you just made to see this page) and their responses. This ensures that if someone were able to compromise the network between your computer and the server you are requesting from, they would not be able to listen in or tamper with the communications.
When you visit a site via HTTPS the URL looks like this: When you visit a site via plain (unencrypted) HTTP, it looks like this:

Why is it important to you (and when)

HTTPS is typically used in situations where a user would send sensitive information to a website and interception of that information would be a problem. Commonly this means:
  • Credit cards
  • Passwords and Usernames
  • Identifiable information (Social Security number, State ID numbers, etc)
  • Confidential content
Especially in situations where you as the administrator are sending your Drupal password, or the FTP password for your server across, you should use HTTPS whenever possible to reduce the risk of compromising your web site.
HTTPS also prevents eavesdroppers from obtaining your authenticated session key, which is a cookie sent from your browser with each request to the site, and using it to impersonate you. For example, an attacker may gain administrative access to the site if you are a site administrator accessing the site via HTTP rather than HTTPS. This is known as session hijacking.

For more information and updates about Drupal Development, Drupal Experts and Drupal Programmers visit at


How to enable HTTPS support in Drupal

Web server configuration

  1. Get a certificate. many hosting providers set these up for you - either automatically or for a fee. Simply ask your hosting provider.
  2. Configure your web server. Here are the Apache instructions . Chances are, your webhost will do this for you if you are on shared hosting.

Drupal configuration

  • If you want to support mixed-mode HTTPS and HTTP sessions (i.e. when you login on the HTTPS site, an additional insecure session cookie will be created allowing you to also be logged in on the HTTP site), open up sites/default/settings.php and add $conf['https'] = TRUE;
    Note that this configuration is less secure because the insecure session key will be passed across the network unencrypted, allowing authenticated sessions to be sidejacked. You will need to use contributed modules to prevent hijacked insecure sessions from submitting forms, viewing private data, impersonating users, etc.
    A hijacked insecure session can only be used by attackers (or penetration testers) to gain authenticated access to the HTTP site. It will not be valid on the HTTPS site.
  • For better security, leave $conf['https'] at the default value (FALSE) and setup your site to use HTTPS for all authenticated sessions and HTTP for anonymous sessions. Regardless of the $conf['https'] setting, Drupal 7 automatically enables the session.cookie_secure PHP configuration on HTTPS sites, which causes SSL-only secure session cookies to be issued to the browser.

No comments:

Post a Comment