HTTP sends data in clear text. On public networks, attackers can read or change traffic, stealing logins, sessions, or personal data. This breaks customer trust and can violate compliance.
Forcing HTTPS encrypts all requests and responses. It protects cookies, forms, and APIs from interception and tampering. When every page is HTTPS, security is consistent across the whole site, including the admin and checkout.
# 1) HTTP should redirect to HTTPS with 301/308
curl -I http://yourstore.com
# Expect: HTTP/1.1 301/308 → Location: https://yourstore.com/
# 2) HTTPS should respond with 200 (valid certificate)
curl -I https://yourstore.com
# 3) Cookies should be marked Secure when set over HTTPS
# Check "Set-Cookie" headers (Secure; HttpOnly; SameSite)
curl -I https://yourstore.com | grep -i set-cookie
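The same three checks as reusable shell functions (an added example, not part of the original rule text). Each function takes a raw response header block, the text `curl -sI` prints, so it can be run offline on constructed samples as well as live; the hostname, cookie name and header samples below are made up for illustration.

```shell
#!/bin/sh
# Added example: automates the redirect and cookie-flag checks of this rule.

# check_redirect HEADERS: 0 when the plain-HTTP answer is a 301/308 whose
# Location is an https:// URL; 1 otherwise (200 over HTTP, 302, http:// target).
check_redirect() {
  hdr=$(printf '%s\n' "$1" | tr -d '\r')
  status=$(printf '%s\n' "$hdr" | head -n 1 | awk '{print $2}')
  location=$(printf '%s\n' "$hdr" | awk 'tolower($1)=="location:" {print $2; exit}')
  case "$status" in 301|308) ;; *) return 1 ;; esac
  case "$location" in https://*) return 0 ;; *) return 1 ;; esac
}

# check_cookies HEADERS: 0 when every Set-Cookie carries both Secure and
# HttpOnly; 1 when any cookie lacks one of them; 2 when no cookie is set
# (nothing to judge, e.g. a HEAD request that does not start a session).
check_cookies() {
  cookies=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^set-cookie:' || true)
  [ -n "$cookies" ] || return 2
  # grep -v lists cookies that do NOT carry the attribute; any hit is a finding
  if printf '%s\n' "$cookies" | grep -qviE ';[[:space:]]*secure[[:space:]]*(;|$)'; then
    return 1
  fi
  if printf '%s\n' "$cookies" | grep -qviE ';[[:space:]]*httponly[[:space:]]*(;|$)'; then
    return 1
  fi
  return 0
}

# audit_site HOST: live version of the checks, using curl as the rule does.
audit_site() {
  check_redirect "$(curl -sI "http://$1")" && echo "redirect: ok" || echo "redirect: FAIL"
  rc=0; check_cookies "$(curl -sI "https://$1")" || rc=$?
  case "$rc" in 0) echo "cookies: ok" ;; 1) echo "cookies: FAIL" ;; *) echo "cookies: none set" ;; esac
}

# Constructed samples mirroring the expected state (308 to https, flagged cookie).
SAMPLE_HTTP='HTTP/1.1 308 Permanent Redirect
Location: https://yourstore.com/'
SAMPLE_HTTPS='HTTP/2 200
Set-Cookie: PHPSESSID=example; Path=/; Secure; HttpOnly; SameSite=Lax'

if [ $# -gt 0 ]; then audit_site "$1"; else
  check_redirect "$SAMPLE_HTTP" && echo "sample redirect: ok"
  check_cookies "$SAMPLE_HTTPS" && echo "sample cookies: ok"
fi
```

Run it with a hostname argument to audit a live site; without one it exercises the constructed samples.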
# Nginx
server {
    listen 80;
    server_name yourstore.com www.yourstore.com;
    return 308 https://yourstore.com$request_uri;
}
# Apache (virtual host on :80)
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=308,L]
https:// to avoid mixed content (see MB-R029).
# HTTP stays HTTP (no redirect)
$ curl -I http://yourstore.com
HTTP/1.1 200 OK
# Session cookies can leak over plaintext
# HTTP → HTTPS redirect + secure cookies
$ curl -I http://yourstore.com
HTTP/1.1 308 Permanent Redirect
Location: https://yourstore.com/
$ curl -I https://yourstore.com | grep -i set-cookie
Set-Cookie: PHPSESSID=...; Path=/; Secure; HttpOnly; SameSite=Lax