Moving to HTTPS

Question

Is there any way to move the Q2A login to HTTPS? Moving the entire site is another options as it does allow private messages also to be encrypted. I have handled all plugins to be HTTPS safe but images are an issue. I can change the URL of images from http:// to // to be protocol free -- is this the right way to do? If so, why does not the ckeditor does this by default?

Answer 1

There's no option for this within Q2A. If you want only the login to be https, you could set this up at the server level or htaccess (i.e. redirect the login/register pages to https, redirect everything else on https back to http).

But the best option is to move everything to https. If it's insecure to send password details over http then it's also insecure to send your cookies over http too, once you are already logged in.

Images can be a problem but currently all browsers will load http images on a https page. If all images are 'local' (i.e. on your site) then you can rewrite them all to https://

It's more difficult for external images because you don't know whether the external server supports https. On my site I set up a "proxy" PHP script that fetches the image over http, but the URL is a https one on my site. I may release this as a plugin in the future if people are interested.

Comments

Thank you Scott. That was very useful. I'll share the details once done- guess most people will need it in coming days.

---

Please share the htaccess needed for everything to work. I did some tests and it is not working as expected.

---

Moving everything to https created issues for me. Some of the lugins like custom google search no longer work. As well images are not shown properly.

---

I will continue the discussion here:http://www.question2answer.org/qa/55911/nonsecure-collection-of-passwords-will-trigger-warnings