Dave

Reputation: 29121

Security Component giving 'secure' blackhole error, while on https

Just moved servers, and existing code is now showing a strange issue.

The point of the code is to catch a 'secure' blackhole error, and redirect it to the secure version of that page. It was doing it on the old server, but is now acting strange.

// App Controller

public function beforeFilter() {
    $this->Security->blackHoleCallback = 'blackhole';
}

public function blackhole($type) {
    switch($type) {
        case 'secure':
            debug(Router::url($this->here, true));
            exit;
            $this->redirect('https://' . env('SERVER_NAME') . $this->here);
            break;
    }
}

The debug shows: 'http://www.example.com/'

But my browser shows 'https://www.example.com/' (notice the S)

Upvotes: 0

Views: 572

Answers (3)

ircmaxell

Reputation: 165201

The better answer is to not use this functionality at all.

You shouldn't be redirecting to HTTPS in your code. You should be using Strict-Transport-Security. This still involves a redirect, but it also involves setting an additional header.

You can use the features of mod_ssl:

SSLOptions +StrictRequire
SSLRequireSSL

Note that the SSLRequireSSL directive will deny all requests that do not have SSL enabled.

And a normal redirect:

RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

Which basically rewrites the request to use HTTPS as a 403 redirect.

You also want to set the Strict-Transport-Security header:

Header set Strict-Transport-Security "max-age=8640000;includeSubdomains"

And done. No need to work with Cake. Handle it at the server level, since that's the server level. Which means no bad requests can even get in...

Upvotes: 2

FMQB

Reputation: 673

public function beforeFilter() {
  $this->Security->blackHoleCallback = 'blackhole';
  $this->Security->requireSecure();
}

Upvotes: -1

Dave

Reputation: 29121

I found the answer in a similar question here: How can I securely detect SSL in CakePHP behind an nginx reverse proxy?

Add a request detector:

//AppController::beforeFilter
public function beforeFilter() {
    $this->request->addDetector('ssl', array(
        'env' => 'HTTP_X_FORWARDED_PROTO',
        'value' => 'https'
    ));
}

My app now correctly detects HTTPS as such.

Upvotes: 0
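
A stricter form of the detector in the last answer, as an added example that is not part of the original posts: an `env`-only detector matches on the `X-Forwarded-Proto` value no matter who sent it, so this version honours the header only when the connection comes from a known proxy. The function name `isHttpsRequest`, the proxy address `10.0.0.5`, the sample `$_SERVER` arrays and the CakePHP 2.x callback hookup are assumptions made for illustration.

```php
<?php
// Added example (not from the original posts).
// Assumption: TLS terminates on a reverse proxy whose address is in $trustedProxies.

function isHttpsRequest(array $server, array $trustedProxies)
{
    // TLS handled by this web server itself.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Ignore the forwarded header unless the TCP peer is a known proxy.
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (!in_array($peer, $trustedProxies, true)) {
        return false;
    }
    $proto = isset($server['HTTP_X_FORWARDED_PROTO'])
        ? $server['HTTP_X_FORWARDED_PROTO'] : '';
    // Exact match only; a multi-valued or odd header counts as not secure.
    return strtolower(trim($proto)) === 'https';
}

// Constructed sample requests; 10.0.0.5 is the hypothetical proxy address.
$proxies = array('10.0.0.5');
$samples = array(
    'via proxy, https'       => array('REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https'),
    'via proxy, http'        => array('REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'http'),
    'direct, client header'  => array('REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'),
    'direct TLS'             => array('REMOTE_ADDR' => '203.0.113.7', 'HTTPS' => 'on'),
);
foreach ($samples as $label => $server) {
    printf("%-22s => %s\n", $label, isHttpsRequest($server, $proxies) ? 'secure' : 'not secure');
}

// CakePHP 2.x hookup inside AppController::beforeFilter(), using a callback detector:
// $this->request->addDetector('ssl', array('callback' => function ($request) {
//     return isHttpsRequest($_SERVER, array('10.0.0.5'));
// }));
```

The same effect can be had at the proxy by having it overwrite `X-Forwarded-Proto` on every request and by not exposing the application server to clients directly.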
