Our site, www.divestyle.co.uk, uses an SSL certificate throughout the site, except when it goes to the online shop which is built in Magento, all on the same hosting. I built the main site which uses the SSL and the WordPress blog but for some reason the shop does not.
http://www.divestyle.co.uk/dive-shop/scuba-diving/regulators.html
You can see that the URL does not have the SSL padlock on.
Any ideas why not? We had some issues with the htaccess with the redirects which we fixed on another question, so I am adding the htaccess file on here too in case we need to add something to it. We obviously want to make sure that changing the URL to https will not affect any of the sales we can receive.
# -- concrete5 urls start --
# -- Force www: #
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
# force https
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://www.divestyle.co.uk/$1 [R,L]
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# -- WordPress #
RewriteRule ^divestyle_blog/index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule divestyle_blog/. divestyle_blog/index.php [L]
# -- /Wordpress #
# --Magento #
RewriteRule ^dive-shop/index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule dive-shop/. dive-shop/index.php [L]
# -- /Magento #
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME}/index.html !-f
RewriteCond %{REQUEST_FILENAME}/index.php !-f
RewriteRule . index.php [L]
</IfModule>
# -- concrete5 urls end --
——- UPDATE ——-
I have changed my .htaccess file so the 2nd one matches this: RewriteRule ^(.*)$, but the site is still coming up as insecure. See the screenshots. It mentions the images.
https://www.dropbox.com/s/3w6sfnjn8pgcxg8/Screenshot%202017-12-13%2007.38.04.png?dl=0
https://www.dropbox.com/s/zw8ujcg2wj9arpp/Screenshot%202017-12-13%2007.37.58.png?dl=0
When I asked the developer about the issues, he sent me this, not sure if this helps get to the bottom of this:
“The ‘httponly’ option has been created like this on purpose. There is a type of website attack called XSS.
If someone managed to inject some JavaScript code onto your site (which on some sites can be via adverts) then they would be able to read the contents of any cookies. If the cookie contained a session id for a logged-in user they would be able to read that and send it back out to someone and they would be able to log in as that user without requiring their username and password. A ‘httponly’ option tells the browser that the cookie should only be sent over http (which includes https in this definition) and not made available to JavaScript or anything else running within the local browser.”
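The update above says the browser warning mentions the images, which points to mixed content: a page served over HTTPS that still references subresources over plain http. The following is an added example, not part of the original post or the site's code, that scans a page's HTML for such references; the host www.example.test, the sample markup and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource, per tag.
FETCH_ATTRS = {"img": ("src",), "script": ("src",), "iframe": ("src",),
               "source": ("src",), "audio": ("src",), "embed": ("src",),
               "video": ("src", "poster"), "object": ("data",), "link": ("href",)}
# <link> only fetches for these rel values (rel="canonical" is just a hint).
LINK_FETCH_RELS = {"stylesheet", "icon", "preload", "manifest"}
# Passive content typically breaks the padlock; active content is typically blocked.
PASSIVE_TAGS = {"img", "audio", "video", "source"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url      # changes if the page carries a <base href>
        self.findings = []        # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "base" and a.get("href"):
            self.base = urljoin(self.base, a["href"])
            return
        if tag == "link" and not LINK_FETCH_RELS & set(a.get("rel", "").lower().split()):
            return
        for name in FETCH_ATTRS.get(tag, ()):
            if not a.get(name):
                continue
            url = urljoin(self.base, a[name])  # resolves relative and //host URLs
            if urlsplit(url).scheme == "http":
                kind = "passive" if tag in PASSIVE_TAGS else "active"
                self.findings.append((kind, tag, url))

def find_mixed_content(html, page_url):
    """Return plain-http subresources referenced by a page served at page_url."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; www.example.test is a placeholder host.
SAMPLE_URL = "https://www.example.test/dive-shop/regulators.html"
SAMPLE_HTML = """<head><link rel="canonical" href="http://www.example.test/dive-shop/">
<link rel="stylesheet" href="http://www.example.test/skin/styles.css">
<script src="//www.example.test/js/app.js"></script></head>
<body><img src="http://www.example.test/media/regulator.jpg">
<img src="/media/logo.png"><a href="http://www.example.test/cart">Cart</a></body>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_HTML, SAMPLE_URL):
        print(f"{kind:8} <{tag}> {url}")
```

Ordinary links (`<a href>`) and the canonical hint are not reported because the browser does not fetch them while rendering the page; only the stylesheet and the image loaded over http are.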
2 Answers
This is probably caused by bad syntax:
RewriteRule ^/?(.*) https://www.divestyle.co.uk/$1 [R,L]
You should match ^/(.*)$ as on the first rule
Forcing https is like magic. I had to try multiple solutions from the internet, that people claimed to work, and they didn’t on my server.
Here is my snippet, that works 😉
Try it instead of your rule under the "# force https" comment.