3

I am able to force https for a domain using this code:

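```
RewriteEngine On

# Redirect every plain-HTTP request to HTTPS
RewriteCond %{ENV:HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Redirect /index.html to the site root
RewriteRule ^index\.html$ / [L,R=301]

# Strip the .html extension from requested URLs, then map
# extensionless URLs back to the .html file internally
RewriteCond %{THE_REQUEST} /([^.]+)\.html [NC]
RewriteRule ^ /%1 [L,R]
RewriteCond %{REQUEST_FILENAME}.html -f
RewriteRule ^(.*?)/?$ /$1.html [L]

ErrorDocument 404 /404.html
```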

Now I need to make a GET request to a strictly HTTP URL using fetch jquery:

```
fetch('http://universities.hipolabs.com/search?country=canada')           // API for the GET request
  .then(response => response.json())
  .then(data => showUnis(data) );
```

How do I add this exception to the .htaccess file so the GET request can work? Any help is appreciated in advance.

RavinderSingh13
vin shaba

1 Answer

1

Ideally, you would be sending a custom HTTP request header as part of your client-side JavaScript request. For example, if you are sending the HTTP request header `JavaScript-Request: 1` then in your redirect rule in `.htaccess` it is straightforward to make an exception. For example:

```
RewriteCond %{ENV:HTTPS} !on
RewriteCond %{HTTP:JavaScript-Request} !1
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

Then, to make an exception for any other URLs you just need to make sure you are sending the appropriate HTTP request header as part of the request.

Otherwise, you would need to make an exception for this specific URL (and anyone making a request to this URL in their browser will also be excluded from the redirect).

For example:

```
RewriteCond %{ENV:HTTPS} !on
RewriteCond %{THE_REQUEST} !\s/search\?country=canada\s
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

You'll need to clear your browser cache before testing (since 301s are cached persistently by the browser). Test first with 302 (temporary) redirects to avoid potential caching issues.

HOWEVER, this is likely to trigger an insecure browser warning when the initial insecure HTTP request is made and the browser is likely to block the request anyway. Realistically, you need to be HTTPS everywhere.

MrWhite
  • Thank you @Mrwhite, but this did not work for me. I still got the Mixed Content Error: The page at --- was loaded over HTTPS, but requested an insecure resource 'http://universities.hipolabs.com/search?country=Australia'. This request has been blocked; the content must be served over HTTPS. – vin shaba Jan 10 '23 at 13:26
  • @vinshaba Yes, as I stated at the bottom of my answer: "**HOWEVER**, this is likely to trigger an insecure browser warning" (ie. "Mixed Content Error"). There is no way around this other than having HTTPS "everywhere". – MrWhite Jan 10 '23 at 13:35
  • So your answer is that this is not possible! @MrWhite. What I asked can't be done – vin shaba Jan 10 '23 at 13:45
  • @vinshaba Well, you can - which is what the directives do in my answer - they make an exception for this specific URL (or request) as you are asking. However, you will get the browser security warning first - if the user bypasses/accepts the browser warning (lowering their security) then no redirect occurs, which is what you were asking. Otherwise, if the request is coming from a browser then there is no way to circumvent the browser warning (the browser blocks the initial request), before it even reaches your server. – MrWhite Jan 10 '23 at 14:00
  • @vinshaba You did not state in your question that "mixed content" was the issue (or even that you were making requests via a browser). Note that this is a "browser" security issue. If you are making the request via an "app" (non-browser) or through a proxy (that handles the SSL protocol) then the warning can be avoided to some extent. – MrWhite Jan 10 '23 at 14:03
  • Thank you for the effort sir. Let me find another way – vin shaba Jan 10 '23 at 14:05
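
Added example, not part of the original answer or comments: a JavaScript sketch of the check the browser applied to the `fetch()` in the question, and of the proxy route mentioned in the last comments, where the page calls a path on its own HTTPS origin and the server relays the request to the HTTP-only API. The path `/api/unis` and the function names are assumptions made for this example.

```javascript
// Added example. Hypothetical names: /api/unis, isBlockedMixedContent,
// upstreamFor, relay. UPSTREAM is the URL from the question.
const UPSTREAM = 'http://universities.hipolabs.com/search';

// The browser-side check that blocked the fetch(): a page loaded over HTTPS
// may not fetch() an http: URL. Loopback hosts are treated as trustworthy.
function isBlockedMixedContent(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl, page); // relative URLs inherit https:
  const loopback = ['localhost', '127.0.0.1', '[::1]'].includes(req.hostname);
  return page.protocol === 'https:' && req.protocol === 'http:' && !loopback;
}

// Server side: map a request for /api/unis on your own HTTPS origin to the
// single fixed upstream URL. Only a validated `country` value is forwarded,
// so the route cannot be steered to another host or path (no open proxy).
function upstreamFor(requestPath) {
  let u;
  try {
    u = new URL(requestPath, 'https://site.invalid'); // base only for parsing
  } catch {
    return null;
  }
  if (u.pathname !== '/api/unis') return null;
  const country = u.searchParams.get('country') ?? '';
  if (!/^[\p{L} .'-]{1,60}$/u.test(country)) return null;
  const target = new URL(UPSTREAM);
  target.searchParams.set('country', country);
  return target.href;
}

// Framework-neutral handler body: returns what to send back to the browser.
// The server-to-API hop is still plain HTTP, so its response is unauthenticated.
async function relay(requestPath, fetchImpl = fetch) {
  const target = upstreamFor(requestPath);
  if (target === null) return { status: 400, body: '{"error":"bad request"}' };
  const up = await fetchImpl(target, { redirect: 'error' });
  return { status: up.status, body: await up.text() };
}
```

In the page, `fetch('/api/unis?country=canada')` then replaces the direct call, and the server route for that path sends back the result of `relay(req.url)`.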