Requests | Blesta


Default to Forcing HTTPS in .htaccess

L Too shared this idea 2 weeks ago
Under Consideration

As recently as version 5.4, Blesta's .htaccess file has the lines to force HTTPS commented out.

This is more a suggestion than a feature request, but it seems to me it would be best to default to forcing HTTPS so that users who install Blesta without an SSL certificate are alerted to the fact that the installation is unprotected by SSL and so that existing users who upgrade don't unwittingly revert to allowing HTTP if they forget and overwrite their modified .htaccess file.

Comments (4)

1

As much as I agree, not many people have SSL enabled when installing Blesta, therefore it would break their installations and create more tickets for support.

I would say, maybe on installation have an option to enable SSL.

1

Interesting. I always enable SSL before I install any software on a site.

My concern, and the reason for submitting this request, is that updates done according to the instructions in the Blesta docs overwrite the existing .htaccess and disable forced HTTPS.

Maybe just a caution in the upgrade instructions about it?

1

It might be possible for us to simply detect whether Blesta is being installed via HTTPS, and if so, update the .htaccess file (if it's writable) to force it. There are a lot of people that install without SSL enabled, particularly for trials or when just starting to configure things, so we cannot unfortunately default always to forcing it.

1

That's a good thought. It would run with the script from the "upgrade" URL after uploading the files for an upgrade as well as on install?

It's too bad there's not a conditional you could put in .htaccess to determine if there's a valid SSL certificate available and only force HTTPS if so; if there is such a thing, I am not aware of it.
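
A post-upgrade check for the concern raised in this thread, as an added example that is not Blesta's code and not part of any comment above: it reports whether a .htaccess body has an active HTTPS redirect, has one only in commented-out form, or has none. The sample file contents and the function names are constructed for illustration; the directives are standard Apache mod_rewrite.

```python
import re
import sys

# Constructed sample .htaccess body (an assumption, not copied from Blesta);
# the directives themselves are standard Apache mod_rewrite syntax.
COMMENTED = """\
<IfModule mod_rewrite.c>
    RewriteEngine on
    # Force HTTPS
    #RewriteCond %{HTTPS} !=on
    #RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ index.php [L]
</IfModule>
"""
ENFORCED = COMMENTED.replace("#Rewrite", "Rewrite")  # same file, rules active

COND = re.compile(r"^\s*RewriteCond\s+%\{HTTPS\}\s+(!=?on|=?off)\b", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+https://\S+\s+\[([^\]]*)\]", re.I)
ANY_RULE = re.compile(r"^\s*RewriteRule\b", re.I)

def has_redirect(lines):
    """True if an 'HTTPS is off' condition guards a redirecting https:// rule."""
    pending = False  # a matching RewriteCond applies to the next RewriteRule only
    for line in lines:
        if COND.match(line):
            pending = True
        elif ANY_RULE.match(line):
            m = RULE.match(line)
            if pending and m and re.search(r"\bR(=30[1278])?\b", m.group(1), re.I):
                return True
            pending = False
    return False

def https_redirect_status(text):
    """Classify a .htaccess body as 'enforced', 'commented-out' or 'missing'."""
    lines = text.splitlines()
    if has_redirect(lines):
        return "enforced"
    # Strip leading '#' to see whether the rules exist but are disabled.
    if has_redirect([re.sub(r"^\s*#\s*", "", l) for l in lines]):
        return "commented-out"
    return "missing"

if __name__ == "__main__" and len(sys.argv) > 1:
    status = https_redirect_status(open(sys.argv[1], encoding="utf-8").read())
    print(status)
    sys.exit(0 if status == "enforced" else 1)
```

Run against the installed .htaccess after each upgrade, a `commented-out` result is the silent revert described in the request.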