Jump to content

Manual:HTTPS

From mediawiki.org

MediaWiki supports mixed-protocol HTTP/HTTPS operation, although as of 2020 it's being phased out, in accordance with generic web best practices which suggest making sites HTTPS-only. HTTP communication happens in cleartext, can be eavesdropped on, passwords and user sessions can be stolen, or the user can be hijacked to a fake site via man-in-the-middle attacks. HTTPS communication is encrypted, and the browser cryptographically verifies the server's identity.

Running a HTTPS-only wiki

  • Set $wgForceHTTPS to true; this will redirect all HTTP requests to HTTPS, and set the secure flag on all cookies.
  • If a reverse proxy or CDN is used to forward requests from HTTPS to HTTP, the request header X-Forwarded-Proto: https should be set on such requests to suppress the redirect. You might also need to set $wgInternalServer , for the benefit of extensions which cause MediaWiki make web requests to itself.
  • Let's Encrypt can provide for free the certificates needed for setting up your site to serve HTTPS
  • Consider enabling strict transport security in your web server, to prevent browsers from being tricked into visiting the site over HTTP and falling victim to phishing attacks.
  • Configuring HTTPS protocol details can be tricky; there are a number of automated audits such as Qualys. SSL Labs' test that can analyse your website and give you advice.

Running a mixed-protocol wiki

A mixed-protocol wiki can be accessed via both HTTP and HTTPS. This is inherently insecure, as HTTP connections can be monitored by third parties, who track what your users do, or steal authentication cookies and temporarily take over user accounts. You will need to set $wgServer to a protocol-relative URL and set $wgCanonicalServer to an absolute URL (up to you whether it is the HTTP or HTTPS one).

  • If you enable $wgSecureLogin , MediaWiki will do its best in this scenario to protect passwords, at least, by forcing users to HTTPS for the duration of their login. Users will be able to set in their preferences (prefershttps user preference) and during login that they prefer HTTPS, in which case they get automatically redirected as if $wgForceHTTPS were enabled.
  • If a reverse proxy or CDN is used to forward requests from HTTPS to HTTP, the request header X-Forwarded-Proto: https should be set on such requests to suppress the redirect.

Running a HTTP-only wiki

This requires no extra configuration, but is strongly recommended against as it is even more insecure than a mixed-protocol wiki.

Other relevant hooks and configuration settings

  • $wgCookieSecure - for forcing cookies to be HTTPS-only. There shouldn't be any need to change the default value.
  • $wgVaryOnXFP - for setting the appropriate Vary header; might be needed for proxies/CDNs.
  • CanIPUseHTTPS (deprecated in 1.35) - for forcing HTTP for certain IP ranges (intended for traffic from countries where HTTPS communication is blocked).
  • UserRequiresHTTPS (deprecated in 1.35) - for forcing HTTPS for certain users.
  • BeforeHttpsRedirect (deprecated in 1.35) - called before redirecting from HTTP to HTTPS, can alter or prevent the redirect.
  • $wgHttpsPort - for using a non-standard HTTP port.
  • HTTPS-specific features of MediaWiki can be tested in MediaWiki-Vagrant by enabling the https role.
  • For information about the HTTPS-related configuration of Wikimedia websites, see the HTTPS page on Wikitech.