
Thursday, September 22, 2022

[FIXED] How to make Apache reject non-SSL entirely for one directory

Tags: .htaccess, apache, ssl, virtualhost

Issue

I have a server at https://writeapp.me which only allows SSL connections. It is on the Chrome and Firefox HSTS lists, uses the HSTS header, and includes a rewrite rule to redirect any HTTP requests to HTTPS.

This setup works great for casual users using a web browser but now I'm developing an API and I need any non-HTTPS requests to one path to be rejected and not redirected.

The API will live at https://writeapp.me/api/. I want all HTTP requests containing /api to return a 400 Bad Request or a 403 Forbidden (not sure which status makes most sense yet) while all other plain HTTP requests can continue to be redirected to their HTTPS counterparts.

The plan is to include these rules in the vhost config, not an .htaccess file. /api isn't an actual directory, it's just a route provided by a framework, so .htaccess files inside of /api won't work. (Not that it matters, I guess. I'm just being extra detailed here.)


Solution

You can use SSLRequireSSL in your directory configuration.

Something like this:

<Location /api>
    SSLRequireSSL
</Location>

Of course, you'll need this to be placed in the right location (depending on the rest of your configuration), so that it takes precedence over potential rewrite/redirects.



Answered By - Bruno
Answer Checked By - Pedro (PHPFixing Volunteer)
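
One way to lay out the port-80 virtual host so that the rejection takes precedence over the redirect (an added example, not configuration from the question or the answer). The redirect rule shown here is an assumption, since the page does not show the asker's own rule. In virtual-host context mod_rewrite runs before access checks, so the redirect has to skip /api explicitly or the SSLRequireSSL check is never reached.

```apache
<VirtualHost *:80>
    ServerName writeapp.me

    # mod_ssl must be loaded for this directive to be recognised, even in a
    # plain-HTTP virtual host. Any request under /api that did not arrive
    # over TLS is denied with 403 Forbidden.
    <Location /api>
        SSLRequireSSL
    </Location>

    RewriteEngine On

    # Assumed redirect rule. The condition exempts /api and everything below
    # it, so those requests fall through to the access check above instead
    # of being answered with a 301.
    RewriteCond %{REQUEST_URI} !^/api(/|$)
    # Fixed host name rather than %{HTTP_HOST}, so the redirect target does
    # not depend on a client-supplied Host header.
    RewriteRule ^ https://writeapp.me%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

To confirm the behaviour, `curl -i http://writeapp.me/api/` should return 403 with no Location header, while `curl -i http://writeapp.me/` should still return the 301 to HTTPS.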