0

Hi I have a php application I would like the account.php page to be secure however after adding this to the page 

    $use_sts = true;

    // iis sets HTTPS to 'off' for non-SSL requests
    if ($use_sts && isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
        header('Strict-Transport-Security: max-age=31536000');
    } elseif ($use_sts) {
        header('Location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'],  true, 301);
        // we are in cleartext at the moment, prevent further execution and output
        die();
    }

however when I browse the page it is set to HTTPS but the content is all over the place when I look at the source it shows file requests using http: 

<script type="text/javascript" src="http://****/assets/jquery.js"></script>
<script type="text/javascript" src="http://****/assets/jquery-ui.js"></script>
<script type="text/javascript" src="http://****/assets/tables.js"></script>
<script type="text/javascript" src="http://****/assets/global.js"></script>
<script type="text/javascript" src="http://****/assets/cycle.js"></script>

is there a way to set a specific page to use SSL

I also tried this with the .htaccess but got the same result 

    # force https for
    RewriteCond %{HTTPS} =off
    RewriteRule ^(index|login)\.php$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

thanks

M

user1620523
  • 27
  • 6

1 Answers1

1

You need to remove the http: from the absolute URLs. That will make the browser use the page's current protocol.

<script type="text/javascript" src="//cdn.domain.tld/assets/jquery.js"></script>

If the domain equals the page's domain you can also use absolute paths without a domain:

<script type="text/javascript" src="/assets/jquery.js"></script>
ThiefMaster
  • 310,957
  • 84
  • 592
  • 636