Příručka:HTTPS

• Set $wgForceHTTPS to true; this will redirect all HTTP requests to HTTPS, and set the secure flag on all cookies.
• If a reverse proxy or CDN is used to forward requests from HTTPS to HTTP, the request header X-Forwarded-Proto: https should be set on such requests to suppress the redirect. You might also need to set $wgInternalServer , for the benefit of extensions which cause MediaWiki make web requests to itself.
• Let's Encrypt can provide for free the certificates needed for setting up your site to serve HTTPS
• Consider enabling strict transport security in your web server, to prevent browsers from being tricked into visiting the site over HTTP and falling victim to phishing attacks.
• Configuring HTTPS protocol details can be tricky; there are a number of automated audits such as Qualys. SSL Labs' test that can analyse your website and give you advice.

A mixed-protocol wiki can be accessed via both HTTP and HTTPS. This is inherently insecure, as HTTP connections can be monitored by third parties, who track what your users do, or steal authentication cookies and temporarily take over user accounts. You will need to set $wgServer to a protocol-relative URL and set $wgCanonicalServer to an absolute URL (up to you whether it is the HTTP or HTTPS one).

• If you enable $wgSecureLogin , MediaWiki will do its best in this scenario to protect passwords, at least, by forcing users to HTTPS for the duration of their login. Users will be able to set in their preferences (prefershttps user preference) and during login that they prefer HTTPS, in which case they get automatically redirected as if $wgForceHTTPS were enabled.
• If a reverse proxy or CDN is used to forward requests from HTTPS to HTTP, the request header X-Forwarded-Proto: https should be set on such requests to suppress the redirect.

This requires no extra configuration, but is strongly recommended against as it is even more insecure than a mixed-protocol wiki.

• $wgCookieSecure - for forcing cookies to be HTTPS-only. There shouldn't be any need to change the default value.
• $wgVaryOnXFP - for setting the appropriate Vary header; might be needed for proxies/CDNs.
• CanIPUseHTTPS (zastaralé od 1.35) - for forcing HTTP for certain IP ranges (intended for traffic from countries where HTTPS communication is blocked).
• UserRequiresHTTPS (zastaralé od 1.35) - for forcing HTTPS for certain users.
• BeforeHttpsRedirect (zastaralé od 1.35) - called before redirecting from HTTP to HTTPS, can alter or prevent the redirect.
• $wgHttpsPort - for using a non-standard HTTP port.
• HTTPS-specific features of MediaWiki can be tested in MediaWiki-Vagrant by enabling the https role.
• For information about the HTTPS-related configuration of Wikimedia websites, see the HTTPS page on Wikitech.