Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls

HTTPS vs HTTP: Mozilla Deprecating Non-Secure HTTP?

 
Reply
   X-Cart forums > General > General talk
 
Thread Tools
  #1  
Old 05-07-2015, 10:21 PM
  Ksenia's Avatar 
Ksenia Ksenia is offline
 

X-Cart team
  
Join Date: Apr 2013
Posts: 735
 

Default HTTPS vs HTTP: Mozilla Deprecating Non-Secure HTTP?

Look what I found:
https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

On the other hand, according to Sitepoint, Firefox is used by ~16% of users only, far not so popular as Chrome and IE ( iE?!!! don't people use it just to download Chrome/FF?), and these changes are hardly going to be fast, but let's keep an eye on it and see what the other browsers will do.
__________________
X-Cart team
Reply With Quote

The following 3 users thank Ksenia for this useful post:
elmirage001 (05-08-2015), ITVV (05-07-2015), totaltec (05-08-2015)
  #2  
Old 05-08-2015, 02:15 AM
  totaltec's Avatar 
totaltec totaltec is offline
 

X-Guru
  
Join Date: Jan 2007
Location: Louisville, KY USA
Posts: 5,823
 

Default Re: HTTPS vs HTTP: Mozilla Deprecating Non-Secure HTTP?

Thanks Ksenia. Okay, it's time to go full https. I have been resisting this, but with such a powerful industry leader going this way I think it is time.
__________________
Mike White - Now Accepting new clients and projects! Work with the best, get a US based development team for just $125 an hour. Call 1-502-773-6454, email mike at babymonkeystudios.com, or skype b8bym0nkey

XcartGuru
X-cart Tutorials | X-cart 5 Tutorials

Check out the responsive template for X-cart.
Reply With Quote
  #3  
Old 05-08-2015, 10:39 AM
 
elmirage001 elmirage001 is offline
 

X-Wizard
  
Join Date: Apr 2007
Posts: 1,676
 

Default Re: HTTPS vs HTTP: Mozilla Deprecating Non-Secure HTTP?

We had a good discussion on moving from http to https on the mobile friendly post I had made so I moved the relevant posts here.

Conor bigredseo post: http://forum.x-cart.com/showpost.php?p=384020&postcount=9
Code:
There is no downside to moving to HTTPS (other than potential speed issues which you can resolve with the hosting company). From an SEO side of things, we haven't really seen that much of an advantage, but that doesn't mean we won't in the near future. With regards to best practices, there's a few things I'd advise in the process; 1) Change your .htaccess to redirect to the HTTPS mode of things 2) Change your canonical URLs to make sure they have HTTPS in them (most people forget this step) 3) Generate a *NEW* site at Google Webmaster Tools. We recommend not removing the HTTP version - this way you can track and resolve any errors. Don't forget to submit the new sitemap! 4) Don't forget about Bing - make those updates there too 5) Final step is all your SEO places (Google, Facebook, Twitter, Yelp) - make sure to remember to update the URLs with them to HTTPS links Google isn't penalizing anyone who had HTTP as the link to their site, so you don't need to contact places and ask them to use HTTPS, but for any new links, they'll all start using the https method and you'll be golden. The process of moving over is really quite easy. The only other "gotcha" to watch out for if you are using a CDN is to make sure they accept the HTTPS, or if you have to upgrade your plan with them to use it. Between the move to HTTPS and the move to Mobile - this is becoming quite an exciting time for people. I still haven't seen if Google is treating the addition of the Mobile-Ready website as being a bonus or a penalty when it comes to SEO. Time will tell on that part.


Phil PhilJ http://forum.x-cart.com/showpost.php?p=384118&postcount=12
Code:
We've moved to HTTPS without much fuss, in fact Google picked up on the homepage almost immediately. To redirect to HTTPS, add to .htaccess (before any URL re-writing rules) Code: RewriteCond %{SERVER_PORT} !^443 RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L] For the XML sitemap generator module, edit modules/XML_Sitemap/func.php and replace all 5 instances of $http_location with $https_location If you use a CDN, there's an alternative - https://www.keycdn.com - which doesn't charge extra for HTTPS.


Steve cflsystems post: http://forum.x-cart.com/showpost.php?p=384126&postcount=13
Code:
Quote: Originally Posted by PhilJ For the XML sitemap generator module, edit modules/XML_Sitemap/func.php and replace all 5 instances of $http_location with $https_location Alternatively instead in init.php find $http_location = 'http://' .... $https_location = 'https://' ...... and below add $http_location = $https_location; Or change the 'http://' above to 'https://' Or take both out leaving the '//' only....


Conor bigredseo post: http://forum.x-cart.com/showpost.php?p=384184&postcount=18
Code:
Taking the example from post #12, you can add the following; Code: RewriteCond %{HTTP_HOST} !^subdomain\.domain\.com RewriteCond %{SERVER_PORT} !^443 RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L] Basically, this is saying "rewrite on the conditition" that the url "is not" subdomain.domain.com The "!^subdomain" is the "is not subdomain" part. Give that a shot and you should be set.


Jon post: http://forum.x-cart.com/showpost.php?p=384946&postcount=32
Code:
Good list, just a couple things to add: 1) If you have a disavow file for http, make sure you add it for https also. 2) Submit your sitemap as HTTPS in Google Webmasters (and of course put HTTPS urls in your sitemap)


Jon post: http://forum.x-cart.com/showpost.php?p=384972&postcount=33
Code:
For CDSEO users, here's a tutorial on how to configure the SEO settings for HTTPS: How can I force my site to use HTTPS with CDSEO?
__________________
X-Cart GoldPlus v4.7.12 | reBOOT | Live
X-Cart GoldPlus v4.7.12 | reBOOT (reDUX) | Dev
  • XCARTMODS.CO.UK | reBOOT | reBOOT (reDUX) |
  • Total Server Solutions Hosting | Linux | PHP v7.2.30 | MySQL v5.6.47 |
Reply With Quote

The following 2 users thank elmirage001 for this useful post:
ITVV (05-08-2015), Ksenia (05-17-2015)
  #4  
Old 05-16-2015, 12:01 PM
 
elmirage001 elmirage001 is offline
 

X-Wizard
  
Join Date: Apr 2007
Posts: 1,676
 

Default Re: HTTPS vs HTTP: Mozilla Deprecating Non-Secure HTTP?

I'd like to thank in alphabetical order Conor, Jon, Phil, and Steve for all their input on moving from HTTP to HTTPS. Using the information they provided above I painlessly moved to HTTPS this morning and have had zero issues.

For anyone using reBOOT please contact Phil about the RSS and Advanced Testimonials files you'll need for HTTPS.

I was always a little concerned about HTTPS slowing down my site but I'm not seeing any slowdown with the combination of reBOOT and Total Server Solutions. <-- Thank you Phil and TSS !!

https_reboot_tss.jpg

Paul
__________________
X-Cart GoldPlus v4.7.12 | reBOOT | Live
X-Cart GoldPlus v4.7.12 | reBOOT (reDUX) | Dev
  • XCARTMODS.CO.UK | reBOOT | reBOOT (reDUX) |
  • Total Server Solutions Hosting | Linux | PHP v7.2.30 | MySQL v5.6.47 |
Reply With Quote

The following 2 users thank elmirage001 for this useful post:
PhilJ (05-16-2015), totaltec (05-17-2015)
  #5  
Old 05-23-2015, 08:47 AM
 
elmirage001 elmirage001 is offline
 

X-Wizard
  
Join Date: Apr 2007
Posts: 1,676
 

Default Re: HTTPS vs HTTP: Mozilla Deprecating Non-Secure HTTP?

It's been a week and all's good.

I did need to do a couple of things for Google.

1. Google Webmaster Tools -> Add the https versions of the site (www and non-www)
2. Google Analytics -> Under "Property Settings" change default URL to HTTPS
__________________
X-Cart GoldPlus v4.7.12 | reBOOT | Live
X-Cart GoldPlus v4.7.12 | reBOOT (reDUX) | Dev
  • XCARTMODS.CO.UK | reBOOT | reBOOT (reDUX) |
  • Total Server Solutions Hosting | Linux | PHP v7.2.30 | MySQL v5.6.47 |
Reply With Quote
  #6  
Old 07-30-2015, 07:21 AM
 
CS_ CS_ is offline
    
Join Date: Jul 2015
Posts: 3
 

Default Re: HTTPS vs HTTP: Mozilla Deprecating Non-Secure HTTP?

Quote:
Originally Posted by elmirage001
We had a good discussion on moving from http to https on the mobile friendly post I had made so I moved the relevant posts here.

Conor bigredseo post: http://forum.x-cart.com/showpost.php?p=384020&postcount=9
Code:
There is no downside to moving to HTTPS (other than potential speed issues which you can resolve with the hosting company). From an SEO side of things, we haven't really seen that much of an advantage, but that doesn't mean we won't in the near future. With regards to best practices, there's a few things I'd advise in the process; 1) Change your .htaccess to redirect to the HTTPS mode of things 2) Change your canonical URLs to make sure they have HTTPS in them (most people forget this step) 3) Generate a *NEW* site at Google Webmaster Tools. We recommend not removing the HTTP version - this way you can track and resolve any errors. Don't forget to submit the new sitemap! 4) Don't forget about Bing - make those updates there too 5) Final step is all your SEO places (Google, Facebook, Twitter, Yelp) - make sure to remember to update the URLs with them to HTTPS links Google isn't penalizing anyone who had HTTP as the link to their site, so you don't need to contact places and ask them to use HTTPS, but for any new links, they'll all start using the https method and you'll be golden. The process of moving over is really quite easy. The only other "gotcha" to watch out for if you are using a CDN is to make sure they accept the HTTPS, or if you have to upgrade your plan with them to use it. Between the move to HTTPS and the move to Mobile - this is becoming quite an exciting time for people. I still haven't seen if Google is treating the addition of the Mobile-Ready website as being a bonus or a penalty when it comes to SEO. Time will tell on that part.


Phil PhilJ http://forum.x-cart.com/showpost.php?p=384118&postcount=12
Code:
We've moved to HTTPS without much fuss, in fact Google picked up on the homepage almost immediately. To redirect to HTTPS, add to .htaccess (before any URL re-writing rules) Code: RewriteCond %{SERVER_PORT} !^443 RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L] For the XML sitemap generator module, edit modules/XML_Sitemap/func.php and replace all 5 instances of $http_location with $https_location If you use a CDN, there's an alternative - https://www.keycdn.com - which doesn't charge extra for HTTPS.


Steve cflsystems post: http://forum.x-cart.com/showpost.php?p=384126&postcount=13
Code:
Quote: Originally Posted by PhilJ For the XML sitemap generator module, edit modules/XML_Sitemap/func.php and replace all 5 instances of $http_location with $https_location Alternatively instead in init.php find $http_location = 'http://' .... $https_location = 'https://' ...... and below add $http_location = $https_location; Or change the 'http://' above to 'https://' Or take both out leaving the '//' only....


Conor bigredseo post: http://forum.x-cart.com/showpost.php?p=384184&postcount=18
Code:
Taking the example from post #12, you can add the following; Code: RewriteCond %{HTTP_HOST} !^subdomain\.domain\.com RewriteCond %{SERVER_PORT} !^443 RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L] Basically, this is saying "rewrite on the conditition" that the url "is not" subdomain.domain.com The "!^subdomain" is the "is not subdomain" part. Give that a shot and you should be set.


Jon post: http://forum.x-cart.com/showpost.php?p=384946&postcount=32
Code:
Good list, just a couple things to add: 1) If you have a disavow file for http, make sure you add it for https also. 2) Submit your sitemap as HTTPS in Google Webmasters (and of course put HTTPS urls in your sitemap)


Jon post: http://forum.x-cart.com/showpost.php?p=384972&postcount=33
Code:
For CDSEO users, here's a tutorial on how to configure the SEO settings for HTTPS: How can I force my site to use HTTPS with CDSEO?


We are currently using version 4.2.3 so the feature in the backend (Security Settings) isnt currently available in this version.

We don't need the HTTPS: version of the website and we're looking at redirecting the entire HTTPS: to HTTP... can anyone help with this?
__________________
Version: 4.2.3
Add ons:
X-Affiliate
X-RMA
X-SpecialOffer
X-survey
Reply With Quote
  #7  
Old 07-30-2015, 07:26 AM
 
CS_ CS_ is offline
    
Join Date: Jul 2015
Posts: 3
 

Default Re: HTTPS vs HTTP: Mozilla Deprecating Non-Secure HTTP?

We are using version: 4.2.3 of X-Cart and are looking at redirecting the entire HTTPS to HTTP because its not needed.

Because the feature in the Security Settings isn't available in this version (and we cannot update it) can anyone point me in the right direction of actioning this in the .htaccess file??


Thank you.

Sophie
__________________
Version: 4.2.3
Add ons:
X-Affiliate
X-RMA
X-SpecialOffer
X-survey
Reply With Quote
  #8  
Old 02-22-2017, 10:24 PM
  bullfrog's Avatar 
bullfrog bullfrog is offline
 

eXpert
  
Join Date: Oct 2004
Location: Oregon, USA
Posts: 366
 

Default Re: HTTPS vs HTTP: Mozilla Deprecating Non-Secure HTTP?

I have not been able to get redirects to work. I use a non-shared SSL cert and get normal orders in a HTTP/HTTPS system.

I am using CleanURLs and it is working properly, but every variant I try of an HTTPS redirect results in (on Chrome) "Err_too_many_redirects" on my site.

My .htaccess BEFORE adding the new redirect is:
DirectoryIndex home.php index.php index.html index.htm

# If you would like X-Cart to show informative message for errors caused
# by opening of missing/deleted files (HTTP Error 404), please uncomment
# the line below.
# ErrorDocument 404 /404.php

# NOTE: If you installed X-Cart into a subfolder (for example, to /store folder, so
# it is available at http://www.example.com/store/home.php), you need to specify
# full relative path to the 404.php script, for example, as follows:
# ErrorDocument 404 /store/404.php

# Show default error document for 404 errors caused by opening of image/media files.
<Files ~ "\.(gif|jpe?g|png|js|css|swf|ico)$">
ErrorDocument 404 default
</Files>

ErrorDocument 401 default

#<Files ~ "\.(tgz|rar|zip|sql)$">
# Order Deny,Allow
# Deny from all
#</Files>

# Clean URLs [[[
Options +FollowSymLinks -MultiViews -Indexes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/(payment|admin|provider|partner)/
RewriteCond %{REQUEST_FILENAME} !\.(gif|jpe?g|png|js|css|swf|php|ico)$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule ^(.*)$ dispatcher.php [L]
</IfModule>
# /Clean URLs ]]]

<Files 403.shtml>
order allow,deny
allow from all
</Files>


I have tried inserting the follow just before the Clean URLs section. Each example was preceded by 'RewriteEngine On'.

Based on the example in this forum.
RewriteCond %{SERVER_PORT} !^443
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

Based on an example in Hostgator support.
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

Based on two examples at AskApache.com
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

-- and --
RewriteCond %{SERVER_PORT} !^443$
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]


Any suggestions on what I try next?

EDIT: redirects work on a dev site on another server. See post 10.
__________________
Bullfrog ~~~ X-Cart Gold v4.7.2 (2) v4.7.8. ⌠If the road is easy, you're likely going the wrong way.■ ― Terry Goodkind
Reply With Quote
  #9  
Old 02-22-2017, 11:11 PM
 
ITVV ITVV is online now
 

X-Adept
  
Join Date: Nov 2006
Location: UK
Posts: 952
 

Default Re: HTTPS vs HTTP: Mozilla Deprecating Non-Secure HTTP?

Hi,

Try this: -

Code:
RewriteCond %{SERVER_PORT} !^443 RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

Hope that helps?

Kind regards

ITVV
__________________
X-Cart Pro 4.6.6 Active and working great!
X-Cart Pro 4.1.7 Retired after 9 years of first class service

Server: CloudLinux (LiteSpeed)
Apache: 2.4.27
PHP: 7.0.21
MySQL: 10.0.31-MariaDB-cll-lve
Arch: x86_64
Reply With Quote
  #10  
Old 02-24-2017, 09:59 PM
  bullfrog's Avatar 
bullfrog bullfrog is offline
 

eXpert
  
Join Date: Oct 2004
Location: Oregon, USA
Posts: 366
 

Default Re: HTTPS vs HTTP: Mozilla Deprecating Non-Secure HTTP?

Your suggestion was the first code I tried of 4 variations. Did not work. I am still not sure what the problem is.

It could be server/system related. My 4.7.2 stores are on an older VPS server using Centos 5.11, Php 5.3.28, Apache 2.2.6. I have another VPS server that is Centos 6.8, Php 5.6.28, Apache 2.2.29 and it has an X-Cart 4.7.6 dev site.

Adding the code to .htaccess on the newer server dev site got it to work right away, including clean URLs as well. Anyone know why this is happening?
__________________
Bullfrog ~~~ X-Cart Gold v4.7.2 (2) v4.7.8. ⌠If the road is easy, you're likely going the wrong way.■ ― Terry Goodkind
Reply With Quote
Reply
   X-Cart forums > General > General talk


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 12:02 PM.

   

 
X-Cart forums © 2001-2020