How can I prevent access to PHP files if the caller isn't using HTTPS?

2018-06-10 13:23:18

I have written several PHP web services where I pass in arguments via the URL. To prevent unauthorized access, I pass in a unique key as one of the arguments. I call the PHP file via HTTPS, and I am wondering if there's a way I can prevent the script from running if HTTPS is not used.

稍微偏离主题，但如果您使用的是Apache Httpd和mod_ssl ，则可以通过将SSLRequireSSL指令放置在.htaccess或Directory配置中来强制SSL访问文件（和PHP脚本）。

if(empty($_SERVER['HTTPS'])) {
    // ....
    exit;
}

To clarify: You want that a client doesn't call a url containing a secret token over a non-encrypted connection, is that right? If so, then the problem is mainly not with you, but with the browser of the client. You may redirect the client to a secure connection if he isn't using one yet, but even if you do so the client already made an insecure, interceptable request to your server, before he get's redirected!

Mozilla is making an effort to solve this problem. As of Firefox 4 a server may send a Strict-Transport-Security header which will prevent an unencrypted access subsequently (though obviously before the header was sent an unencrypted access could still happen.)