How to Add SSL to Your Drupal Site

Something that new Drupalers struggle with is getting their site secured with SSL, the little lock in the browser or https://. Their first reaction is, “There has to be a module for that” and there are a few modules for getting your site HTTPS friendly, but there is a much easier solution.

No modules, just update your .htaccess file

The simplest and easiest way to add HTTPS to your entire website is by editing you site’s .htaccess file. No modules, no overhead, just a few lines of code and you’re all set.

You can add the following below “RewriteEngine on”. I usually put it below the chunk that starts with “# To redirect all users to access the site WITH the 'www.' Prefix”. Note, if you have any prefix rules enabled already, you’ll want to comment those out first since the new code below with include a prefix.

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

The code above adds HTTPS if it’s not already present and it will also add “www” as well if it’s not already there.

Why full site HTTPS is the new way to go

As Google says, security is a top priority. Your site should probably adopt the same mantra. 21st century people are getting very sensitive to how their information is being shared and collected. Additionally with all the recent security breaches, people want to feel more secure.

The old argument for not using full site HTTPS was that it can slow down a site due to it having to constantly encrypt the information being passed between server and browser. But that was when servers were a lot slower and the normal internet connection was through a 56K dial-up modem. In today’s world, it’s difficult to detect any latency at all when comparing SSL and non-SSL versions of a site.

Another benefit for full site SSL is SEO. According to Google, it’s giving ranking boosts to sites using SSL/HTTPS websites. While this boost may only be minor, I’ll take any boost I can get.

HTTPS using Drupal Modules

It’s somewhat common in ecommerce or private sections of a website to switch between HTTP to HTTPS. Drupal offers a few modules for accomplishing that.

Secure Pages

In Drupal 6, Secure Pages was my go-to SSL module. It has over 26K reported installs. If offers a simple user interface for defining your secure and non-secure paths.

Drupal Secure Pages

In Drupal 7, it’s a bit of a work in progress and doesn’t work reliably without a few core patches. It is possible to get it working, just be prepared to spend some time testing to make sure it switches properly from HTTPS to HTTP and vise versa. Since it does require a Drupal core patch, you need to remember to reapply these patches every time update Drupal core.

Other Drupal SSL modules

There are some other SSL modules that I’ll quickly mention:

Custom SSL Redirect 
Has a bit of similarity with Secure Pages, but it only lets you define the secure and non-secure paths. Be careful when installing. If you don’t have SSL on your server yet, it will automatically try to redirect to an HTTPS version and continually error out - locked me out of my site so I had to disable is via drush.

Custom SSL Redirect

Ubercart SSL
The Ubercart SSL module is for securing all of Ubercart’s shopping cart paths

Secure Login
The Secure Login module enables HTTPS primarily for the user login form, but can be configured to securce any form within the site.

Problems with switching between HTTPS and HTTP

Some problems I’ve seen with Ubercart and Drupal Commerce is that switching between HTTPS and HTTP paths can potentially lose checkout sessions, meaning that the user’s shopping cart appears empty after the site switches to HTTPS. This can be very frustrating and usually due to a configuration issue somewhere, but it can be easily solved by using full site SSL.

Conclusion

Overall, achieving full site HTTPS using the code above is very easy and it appears to only add benefits to your site’s securityyour users’ securityyour site's speed (one less module installed) and your SEO.

error: Content is protected !!