Manual:$wgForceHTTPS

Site customization: $wgForceHTTPS
Redirect insecure HTTP requests to HTTPS.
Introduced in version: 1.34.3 (Gerrit change 608504; git #c75eef91)
Removed in version: still in use
Allowed values: (boolean)
Default value: false (gerrit:608504, gerrit:612497, gerrit:615840)

Details

If this setting is true, an insecure HTTP request is always redirected to HTTPS. This overrides and disables the preferhttps user preference, and it overrides $wgSecureLogin and the CanIPUseHTTPS hook.

$wgServer may be either https or protocol-relative. If $wgServer starts with "http://", an exception will be thrown.

If a reverse proxy or CDN is used to forward requests from HTTPS to HTTP, the request header "X-Forwarded-Proto: https" should be sent to suppress the redirect.

In addition to setting this to true, for optimal security, the webserver should also be configured to send Strict-Transport-Security response headers.
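The behaviour described above can be checked against a deployment by recording three responses and comparing them with what this page documents. The following is an added example, not MediaWiki code: the function names, the probe dictionary layout and the host wiki.example.org are assumptions, the sample responses are constructed, and each probe is assumed to target a page URL that otherwise returns 200.

```python
import re

REDIRECT_CODES = {301, 302, 303, 307, 308}

def header(probe, name):
    """Case-insensitive header lookup on a probe dict (hypothetical layout)."""
    for key, value in probe["headers"].items():
        if key.lower() == name.lower():
            return value
    return None

def redirects_to_https(probe):
    location = header(probe, "Location") or ""
    return probe["status"] in REDIRECT_CODES and location.lower().startswith("https://")

def check_force_https(plain, forwarded, secure):
    """Compare three recorded responses with the documented behaviour.

    plain:     http:// request that reached MediaWiki without X-Forwarded-Proto
    forwarded: http:// request that reached MediaWiki with "X-Forwarded-Proto: https"
    secure:    the response a browser receives over https://
    Returns a list of findings; an empty list means all three checks passed.
    """
    findings = []
    if not redirects_to_https(plain):
        findings.append("plain HTTP request was not redirected to HTTPS")
    if redirects_to_https(forwarded):
        findings.append("X-Forwarded-Proto: https did not suppress the redirect")
    hsts = header(secure, "Strict-Transport-Security")
    match = re.search(r"max-age\s*=\s*\"?(\d+)", hsts or "", re.IGNORECASE)
    if match is None or int(match.group(1)) == 0:
        findings.append("no Strict-Transport-Security header with max-age > 0")
    return findings

# Constructed sample probes; the 301 status is illustrative only.
GOOD = {
    "plain": {"status": 301, "headers": {"Location": "https://wiki.example.org/wiki/Main_Page"}},
    "forwarded": {"status": 200, "headers": {"Content-Type": "text/html"}},
    "secure": {"status": 200, "headers": {"strict-transport-security": "max-age=31536000"}},
}
# Constructed: $wgForceHTTPS left at false and no HSTS header on the webserver.
WEAK = {
    "plain": {"status": 200, "headers": {}},
    "forwarded": {"status": 200, "headers": {}},
    "secure": {"status": 200, "headers": {}},
}

if __name__ == "__main__":
    for name, probes in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, check_force_https(**probes) or "ok")
```

A finding on the forwarded probe means a TLS-terminating proxy in front of the wiki would receive the same redirect for every request it forwards.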

Addition

This variable was added in MediaWiki 1.35.0 (gerrit:608504).

It was backported to 1.34 as part of the MediaWiki 1.34.3 release (gerrit:612497).

It was also backported to 1.31 as part of the MediaWiki 1.31.9 release (gerrit:615840).