Manual:$wgForceHTTPS/de-formal
<translate> Server URLs and file paths</translate>: $wgForceHTTPS | |
---|---|
Redirect insecure HTTP requests to HTTPS. |
|
<translate> Introduced in version:</translate> | 1.34.3 (Gerrit change 608504; git #c75eef91) |
<translate> Removed in version:</translate> | <translate> still in use</translate> |
<translate> Allowed values:</translate> | (boolean) |
<translate> Default value:</translate> | false (gerrit:608504, gerrit:612497, gerrit:615840) |
<translate> Other settings:</translate> <translate> Alphabetical</translate> | <translate> By function</translate> |
Details
If this setting is true, when an insecure HTTP request is received, always redirect to HTTPS. This overrides and disables the preferhttps user preference, and it overrides $wgSecureLogin and the CanIPUseHTTPS hook.
$wgServer may be either https or protocol-relative. If $wgServer starts with "http://", an exception will be thrown.
If a reverse proxy or CDN is used to forward requests from HTTPS to HTTP, the request header "X-Forwarded-Proto: https
" should be sent to suppress the redirect.
In addition to setting this to true
, for optimal security, the webserver should also be configured to send HTTP Strict Transport Security (HSTS) response headers.
When $wgForceHTTPS
is set to false
, HTTP/HTTPS preference is tracked on a per-user basis, by a combination of:
- the
prefershttps
user preference - the cookie
forceHTTPS
and session metadata (available viaSession::shouldForceHTTPS()
)- eventual PHP hooks changing session metadata (Manual:Hooks/SessionMetadata )
- the PHP method
Session::setForceHTTPS()
Availability
This variable was added in MediaWiki 1.35.0 (gerrit:608504). It was backported to 1.34 as part of the MediaWiki 1.34.3 release (gerrit:612497) as well as to 1.31 as part of the MediaWiki 1.31.9 release (gerrit:615840).