|Server URLs and file paths: $wgForceHTTPS|
|Redirect insecure HTTP requests to HTTPS.
|Introduced in version:||1.34.3 (Gerrit change 608504; git #c75eef91)|
|Removed in version:||still in use|
|Other settings: Alphabetical | By function|
If this setting is true, when an insecure HTTP request is received, always redirect to HTTPS. This overrides and disables the preferhttps user preference, and it overrides $wgSecureLogin and the CanIPUseHTTPS hook.
If a reverse proxy or CDN is used to forward requests from HTTPS to HTTP, the request header "
X-Forwarded-Proto: https" should be sent to suppress the redirect.
In addition to setting this to
true, for optimal security, the webserver should also be configured to send HTTP Strict Transport Security (HSTS) response headers.
$wgForceHTTPS is set to
false, HTTP/HTTPS preference is tracked on a per-user basis, by a combination of:
- the cookie
forceHTTPSand session metadata (available via
- eventual PHP hooks changing session metadata (Manual:Hooks/SessionMetadata)
- the PHP method
This variable was added in MediaWiki 1.35.0 (gerrit:608504). It was backported to 1.34 as part of the MediaWiki 1.34.3 release (gerrit:612497) as well as to 1.31 as part of the MediaWiki 1.31.9 release (gerrit:615840).