Jump to content

Handbuch:$wgForceHTTPS

From mediawiki.org
This page is a translated version of the page Manual:$wgForceHTTPS and the translation is 32% complete.
Server-URLs und Dateipfade: $wgForceHTTPS
Leitet unsichere HTTP-Anfragen an HTTPS um.
Eingeführt in Version:1.34.3 (Gerrit change 608504; git #c75eef91)
Entfernt in Version:Weiterhin vorhanden
Erlaubte Werte:(Wahrheitswert)
Standardwert:false (gerrit:608504, gerrit:612497, gerrit:615840)

Details

If this setting is true, when an insecure HTTP request is received, always redirect to HTTPS. This overrides and disables the preferhttps user preference, and it overrides $wgSecureLogin and the CanIPUseHTTPS hook.

$wgServer may be either https or protocol-relative. If $wgServer starts with "http://", an exception will be thrown.

If a reverse proxy or CDN is used to forward requests from HTTPS to HTTP, the request header "X-Forwarded-Proto: https" should be sent to suppress the redirect.

In addition to setting this to true, for optimal security, the webserver should also be configured to send HTTP Strict Transport Security (HSTS) response headers.

When $wgForceHTTPS is set to false, HTTP/HTTPS preference is tracked on a per-user basis, by a combination of:

  • the prefershttps user preference
  • the cookie forceHTTPS and session metadata (available via Session::shouldForceHTTPS())
  • the PHP method Session::setForceHTTPS()


Verfügbarkeit

This variable was added in MediaWiki 1.35.0 (gerrit:608504). It was backported to 1.34 as part of the MediaWiki 1.34.3 release (gerrit:612497) as well as to 1.31 as part of the MediaWiki 1.31.9 release (gerrit:615840).

Siehe auch