Why it Matters

Magento stores handle sensitive customer data including credentials, session cookies, and payment information. If endpoints are served over plain HTTP, traffic can be intercepted or modified by attackers (Man-in-the-Middle). Enforcing HTTPS-only endpoints ensures confidentiality, integrity, and authenticity of communications.

Without HTTPS, even secure backend configurations cannot prevent credential theft, session hijacking, or injection attacks during transit.

Verification Steps

Browser / curl test

# Attempt to access via HTTP
curl -I http://yourstore.com
# Expected: 301/302 redirect to https://yourstore.com

Magento base URL configuration

# Check secure and unsecure URLs
bin/magento config:show web/unsecure/base_url
bin/magento config:show web/secure/base_url

# Expected:
web/unsecure/base_url = https://...
web/secure/base_url   = https://...

Remediation / Fix Guidance

  1. Set both secure and unsecure base URLs in Magento to https://.
  2. Configure the web server (Nginx/Apache) to redirect every plain-HTTP request to HTTPS:
    # Nginx
    server {
        listen 80;
        server_name yourstore.com;
        # $host echoes the client-supplied Host header; use $server_name
        # instead if this is the default server block for port 80.
        return 301 https://$host$request_uri;
    }
    # Apache (mod_alias)
    <VirtualHost *:80>
        ServerName yourstore.com
        Redirect permanent / https://yourstore.com/
    </VirtualHost>
  3. Ensure TLS certificates are valid and auto-renewed (e.g., Let’s Encrypt).
  4. Enable HSTS (HTTP Strict Transport Security) so browsers enforce HTTPS on their own; the header must be sent on HTTPS responses (browsers ignore it over plain HTTP):
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Examples

Fail Example

$ curl -I http://mystore.com
HTTP/1.1 200 OK
# FAIL: Site still serves over HTTP

Pass Example

$ curl -I http://mystore.com
HTTP/1.1 301 Moved Permanently
Location: https://mystore.com/
# PASS: All HTTP requests redirected to HTTPS
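The verification steps and the pass/fail examples above can be turned into a repeatable check. The script below is an added example, not part of the baseline page: it grades captured response headers (redirect status, Location host, HSTS max-age) and runs offline on constructed samples; the host name mystore.com and the sample headers are assumptions.

```shell
#!/bin/sh
# Added example (not from the baseline page): grade captured response
# headers against the HTTPS-only checks. Feed it the output of
# `curl -sI http://yourstore.com` and `curl -sI https://yourstore.com`.

# header_value NAME: print the value of lowercase header NAME from the
# headers on stdin; CRLF line endings produced by curl are stripped.
header_value() {
    tr -d '\r' | awk -v name="$1:" \
        'tolower($0) ~ ("^" name) { sub(/^[^:]*: */, ""); print; exit }'
}

# check_http_redirect HOST HEADERS: 0 (PASS) when the plain-HTTP response
# is a redirect whose Location is an https:// URL on HOST, else 1 (FAIL).
check_http_redirect() {
    status=$(printf '%s\n' "$2" | tr -d '\r' | awk 'NR == 1 { print $2 }')
    location=$(printf '%s\n' "$2" | header_value location)
    case "$status" in
        301|302|307|308) ;;
        *) echo "FAIL: http://$1 answered $status instead of redirecting"; return 1 ;;
    esac
    # Require the exact host, so https://HOST.other.example is not a pass.
    case "$location" in
        "https://$1"|"https://$1/"*)
            echo "PASS: http://$1 redirects to $location"; return 0 ;;
        *)  echo "FAIL: redirect target is not https://$1: '$location'"; return 1 ;;
    esac
}

# check_hsts HEADERS: 0 when the HTTPS response carries
# Strict-Transport-Security with a max-age of at least one year, else 1.
check_hsts() {
    hsts=$(printf '%s\n' "$1" | header_value strict-transport-security)
    max_age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -n "$max_age" ] && [ "$max_age" -ge 31536000 ]; then
        echo "PASS: HSTS max-age=$max_age"; return 0
    fi
    echo "FAIL: HSTS header missing or max-age too short: '$hsts'"; return 1
}

# Constructed sample responses (not captured from a real store).
FAIL_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8'
PASS_HEADERS='HTTP/1.1 301 Moved Permanently
Location: https://mystore.com/'
HTTPS_HEADERS='HTTP/2 200
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload'
check_http_redirect mystore.com "$FAIL_HEADERS" || :   # reports FAIL
check_http_redirect mystore.com "$PASS_HEADERS" || :   # reports PASS
check_hsts "$HTTPS_HEADERS" || :                       # reports PASS
```

Pipe real curl output into a variable (for example, `HTTP=$(curl -sI http://yourstore.com)`) and pass it in place of the constructed samples.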

References