Adds support to your CFWheels application for forcing a user's connection to HTTPS if they're loading only the HTTP version of a URL.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.

CFWheels Force HTTPS Plugin

Adds support for forcing a user's connection to HTTPS if they're loading only the HTTP version of a given URL.


Call the supplied forceHttps() initializer method from your controller's init() method.


forceHttps( [ string environments, string only, string except ] )
Name Type Required Default Description
environment string No [empty string] List of environments in which to force the HTTPS connection. This is useful if you do not have SSL configured in your design and development environments, for example. This argument is aliased as environment if you want to use it for readability when specifying only one environment.
only string No [empty string] Similar to the only argument for filters(), this allows you to specify a list of actions to only run the forced HTTPS on.
except string No [empty string] Similar to the except argument for filters(), this allows you to specify a list of actions to exclude the forced HTTPS from running on.

Note: This plugin stores configuration information for each controller in the application scope. If you change the environments argument in your call to forceHttps(), you'll need to reload your CFWheels application to see the changes take place.


Example 1: Entire app should always be loaded via HTTPS

In controllers/Controller.cfc, add this call:

<cfcomponent extends="Wheels">

    <cffunction name="init">
        <cfset forceHttps()>


Now all other controller files that extend Controller will force an HTTPS connection on the client.

Example 2: Only force HTTPS in maintenance and production environments

If we wanted HTTPS only to be enforced in our maintenance and production environments, we can use the environments argument like so:

<cfset forceHttps(environments="maintenance,production")>

Example 3: Excluding the forced HTTPS from a given action

Let's say that we want for our index action in a given controller to not force HTTPS:

<cfset forceHttps(except="index", environments="maintenance,production")>

Or perhaps we only want HTTPS to be forced on our create and update actions:

<cfset forceHttps(only="create,update", environments="maintenance,production")>

Using inheritance to force HTTPS on every action unless requested otherwise from a child controller

You can add arguments to the init() method in your controller to allow for exceptions for your forced HTTP connection.

The file at controllers/Controller.cfc would look something like this:

<cfcomponent extends="Wheels">

    <cffunction name="init">
        <cfargument name="forceHttpsExcept" type="string" required="false" default="">
        <cfargument name="forceHttpsOnly" type="string" required="false" default="">

        <cfset forceHttps(except=arguments.forceHttpsExcept, only=arguments.forceHttpsOnly, environments="maintenance,production")>


Then let's say, for example, that we want for the index action in our main controller to not force HTTPS. The main controller would take advantage of these extra arguments when calling its parent contructor:

<cfcomponent extends="Controller">

    <cffunction name="init">
        <cfset super.init(forceHttpsExcept="index")>


That way other controllers can also extend the parent constructor without having the same constraints as the main controller.

Here's an example users controller that wouldn't pass on any exceptions:

<cfcomponent extends="Controller">

    <cffunction name="init">
        <cfset super.init()>



This plugin was created by Chris Peters with support from Liquifusion Studios.