Converting Your Magento Store to HTTPS

Converting Your Magento Store to HTTPS

Nowadays Google has been pushing the famous “HTTPS everywhere” initiative. HTTPS provides better security for end-users by encrypting all traffic between server and browser, but it’s also used as a ranking signal. In this blog post, we will cover the configuration steps required to run a Magento site over HTTPS. Moreover, we’ll have a look at some common issues that may arise and provide solutions on how to fix them.

HTTP (HyperText Transfer Protocol) is a set of rules for sharing different types of information over www. HTTP acts as a layer between the client and the server, where the client sends a request and the server provides a response using the rules defined by the protocol.

SSL Certificate → an agreement of choosing the appropriate certificate for your store, which is provided by legal companies. This certificate serves the purpose of providing a warranty, and it will show up every time a client accesses your store. A typical SSL certificate is a small data file that contains the organization’s details and cryptographic keys.

Magento Platform – HTTPS setup process

HTTPS everywhere

Converting a site from HTTP to https is a relatively easy process. The first step is to have your server configured properly and have a valid SSL certificate. Next, you just have to change a few configuration parameters in the Magento platform. Do that by going to System > Configuration > Web and change your Unsecure Base URL to start with https, e.g. https://www.site_domain.com/. Then, under the Secure tab, set both Use Secure URLs in Frontend and Use Secure URLs in Admin to Yes, which forces https links in frontend and backend. Now, let’s take a look at some common issues that can arise once https is enabled site-wide, and provide solutions on how to resolve them.

Redirects

You might face an issue where all old HTTP site links (product, category, cms page, etc.)  are being redirected to the https homepage.

http://www.site_domain.com/page.html  redirects to →

https://www.site_domain.com/ which is not correct. It should redirect to →

https://www.site_domain.com/page.html

To prevent being redirected to the homepage, go to System > Configuration > Web section in admin and set Auto-redirect to Base URL in admin to No. However, disabling auto-redirect leads to another problem – both www and non-www variations of your site will be now available. This can be fixed with the redirect rule on your web server .htaccess file (apache server).

RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^ https://www.site_domain.com%{REQUEST_URI} [NE,L,R=301]

What this does is it forces both https and www for all incoming requests.

Mixed content

Another issue while switching to https is when static content on the site, such as images, CSS and javascript, is hardcoded to load over HTTP protocol. This will cause a mixed content / insecure page warning to appear on your browser. In order to fix this, you need to check every template, layout, static block, cms page, etc. and manually change all static content to load over https. You can also use relative URL-s or use functions that the Magento platform provides to fetch URL-s from the store base URL.

In Templates: Mage::getBaseUrl(); Cms Pages/Blocks: {{store url=””}}

Relative URL:  //www.site_domain.com/skin/frontend/rwd/default/images/media/logo.png

301 HTTP redirects

→ Once the site is set to use secure URLs, you need to deal with unsecured links. You will have to redirect your users and search engines to the HTTPS page with server-side 301 HTTP redirects.

HTTPS on CDN

Serving static content via CDN over HTTPS may result in additional expenses in case you have to purchase an additional SSL certificate(s) for your CDN subdomains. Your CDN provider may also charge you for installing the SSL certificate. There are some free options available which vary depending on the CDN provider, but none of them are ideal. This is something to keep in mind when adopting site-wide HTTPS.

Generate a new sitemap:

re-generate site URL-s with https now

GSC Property:

Create a new Google Search Console (GSC) property for the HTTPS version of the website.

Check Robots.txt file:

check if your links are updated to https

And with this, we’ll conclude today’s blog post. If you are a merchant who wants to implement HTTPS in your store, please contact us and we can help you convert to a full https Magento store. Securing your site is a big step towards attracting customers and boosting your sales.