All third-party integrations (payment, shipping, email, analytics) must use HTTPS with valid certificates, and the store itself must be reachable only over HTTPS. Plain HTTP exposes API tokens, session cookies and PII to interception or tampering. Validate endpoint schemes in configuration, terminate TLS at the proxy or load balancer, and reject http:// URLs during deployment.
Magento stores handle sensitive customer data including credentials, session cookies, and payment information. If any endpoint is served over plain HTTP, traffic can be read or modified in transit by an on-path attacker (man-in-the-middle). Enforcing HTTPS-only endpoints gives confidentiality and integrity of the traffic and authenticity of the server, but only if the client actually validates the certificate; an integration that disables certificate verification gets none of the three.
Without HTTPS, even a hardened backend cannot prevent credential theft, session hijacking, or content injection while the request is in transit. A redirect alone does not fully close the gap: the first request still leaves the browser over HTTP, which is why HSTS (below) is part of this control.
# Attempt to access via HTTP
curl -I http://yourstore.com
# Expected: 301/302 redirect to https://yourstore.com
# Check secure and unsecure URLs
bin/magento config:show web/unsecure/base_url
bin/magento config:show web/secure/base_url
# Expected:
web/unsecure/base_url = https://...
web/secure/base_url = https://...
# Nginx: the plain-HTTP server block serves nothing and redirects everything
server {
    listen 80;
    server_name yourstore.com;
    return 301 https://$host$request_uri;
}
# Apache: same behaviour for the port-80 virtual host
<VirtualHost *:80>
    ServerName yourstore.com
    Redirect permanent / https://yourstore.com/
</VirtualHost>
Once every host and subdomain serves HTTPS, send HSTS on HTTPS responses (browsers ignore the header over plain HTTP) so that returning visitors never make the first request over HTTP. includeSubDomains and preload are hard to roll back, so confirm every subdomain is ready before adding them:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
$ curl -I http://mystore.com
HTTP/1.1 200 OK
# FAIL: Site still serves over HTTP
$ curl -I http://mystore.com
HTTP/1.1 301 Moved Permanently
Location: https://mystore.com/
# PASS: All HTTP requests redirected to HTTPS
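The checks above are run by hand; the script below, an added example that is not part of the original page or of Magento, turns them into functions you can drop into a deployment pipeline. It reads captured `curl -I` header dumps and `bin/magento config:show` lines from stdin, so it runs offline against the constructed samples embedded in it; the hostname yourstore.com, the sample header values and the config:show line format are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page or Magento). Real usage:
#   curl -sI http://yourstore.com  | check_http_redirect yourstore.com
#   curl -sI https://yourstore.com | check_hsts 31536000
#   bin/magento config:show web/unsecure/base_url | check_base_urls
# Samples below are constructed; hostname and values are assumptions.
# Constructed sample: what `curl -I http://yourstore.com` should return.
GOOD_REDIRECT='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://yourstore.com/
Content-Length: 0'
# Constructed sample: site still answering on plain HTTP.
NO_REDIRECT='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'
# Constructed sample: a redirect that stays on http (still a failure).
HTTP_REDIRECT='HTTP/1.1 302 Found
Location: http://yourstore.com/index.php'
# Constructed samples of an HTTPS response with and without HSTS.
WITH_HSTS='HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload'
WITHOUT_HSTS='HTTP/2 200
content-type: text/html'
# Constructed samples of `bin/magento config:show` output (assumed format).
GOOD_URLS='web/unsecure/base_url - https://yourstore.com/
web/secure/base_url - https://yourstore.com/'
MIXED_URLS='web/unsecure/base_url - http://yourstore.com/
web/secure/base_url - https://yourstore.com/'

# Lower-case a string (and drop CR) so header names match case-insensitively.
lc() { printf '%s' "$1" | tr -d '\r' | tr 'A-Z' 'a-z'; }

# check_http_redirect HOST  (HTTP response headers on stdin)
# PASS only for a 301/302/307/308 whose Location is https://HOST/...
check_http_redirect() {
    host=$1; status=''; location=''
    while IFS= read -r line; do
        case "$(lc "$line")" in
            http/*)     status=$(printf '%s' "$line" | tr -d '\r' | awk '{print $2}') ;;
            location:*) location=$(printf '%s' "${line#*:}" | tr -d '\r ') ;;
        esac
    done
    case "$status" in
        301|302|307|308) ;;
        *) echo "FAIL: expected a redirect, got status '${status:-none}'"; return 1 ;;
    esac
    case "$location" in
        "https://$host/"*) echo "PASS: $status -> $location"; return 0 ;;
        *) echo "FAIL: Location '$location' is not https://$host/..."; return 1 ;;
    esac
}

# check_hsts MIN_SECONDS  (HTTPS response headers on stdin)
# PASS only if Strict-Transport-Security is present with max-age >= MIN_SECONDS.
check_hsts() {
    min=$1; hsts=''
    while IFS= read -r line; do
        case "$(lc "$line")" in
            strict-transport-security:*) hsts=$(lc "${line#*:}") ;;
        esac
    done
    [ -n "$hsts" ] || { echo "FAIL: no Strict-Transport-Security header"; return 1; }
    age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -n "$age" ] && [ "$age" -ge "$min" ]; then
        echo "PASS: HSTS max-age=$age"; return 0
    fi
    echo "FAIL: HSTS max-age '${age:-missing}' is below $min"; return 1
}

# check_base_urls  (config:show lines on stdin)
# The last field of every line is the value; it must start with https://.
# An http:// "unsecure" base URL fails too, since the store must be HTTPS-only.
check_base_urls() {
    rc=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        [ -n "$line" ] || continue
        value=${line##* }
        case "$value" in
            https://*) echo "PASS: $line" ;;
            *)         echo "FAIL: $line (not https)"; rc=1 ;;
        esac
    done
    return $rc
}

# Run every constructed sample and print PASS/FAIL for each.
demo() {
    printf '%s\n' "$NO_REDIRECT"   | check_http_redirect yourstore.com
    printf '%s\n' "$HTTP_REDIRECT" | check_http_redirect yourstore.com
    printf '%s\n' "$GOOD_REDIRECT" | check_http_redirect yourstore.com
    printf '%s\n' "$WITHOUT_HSTS"  | check_hsts 31536000
    printf '%s\n' "$WITH_HSTS"     | check_hsts 31536000
    printf '%s\n' "$MIXED_URLS"    | check_base_urls
    printf '%s\n' "$GOOD_URLS"     | check_base_urls
}
demo
```

The redirect check deliberately fails a redirect that lands on http:// or on a different host, not just a missing redirect, because a 301 to http://www.yourstore.com/ passes the naive "is it a 3xx" test while still leaking the request. The base-URL check treats the "unsecure" base URL as a failure when it is http://, matching the expected output above. Alongside these, also confirm in the same pipeline that web/secure/use_in_frontend and web/secure/use_in_adminhtml are set to 1, so Magento generates https:// links for the storefront and admin rather than relying on the proxy redirect.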