Skip to content

Files

Latest commit

 

History

History
92 lines (69 loc) · 3.41 KB

force_https.rst

File metadata and controls

92 lines (69 loc) · 3.41 KB

How to Force HTTPS or HTTP for different URLs

Tip

The best policy is to force https on all URLs, which can be done via your web server configuration or access_control.

You can force areas of your site to use the HTTPS protocol in the security config. This is done through the access_control rules using the requires_channel option. To enforce HTTPS on all URLs, add the requires_channel config to every access control:

.. configuration-block::

        .. code-block:: yaml

            # config/packages/security.yaml
            security:
                # ...

                access_control:
                    - { path: '^/secure', roles: ROLE_ADMIN, requires_channel: https }
                    - { path: '^/login', roles: PUBLIC_ACCESS, requires_channel: https }
                    # catch all other URLs
                    - { path: '^/', roles: PUBLIC_ACCESS, requires_channel: https }

        .. code-block:: xml

            <!-- config/packages/security.xml -->
            <?xml version="1.0" encoding="UTF-8" ?>
            <srv:container xmlns="http://symfony.com/schema/dic/security"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xmlns:srv="http://symfony.com/schema/dic/services"
                xsi:schemaLocation="http://symfony.com/schema/dic/services
                    https://symfony.com/schema/dic/services/services-1.0.xsd
                    http://symfony.com/schema/dic/security
                    https://symfony.com/schema/dic/security/security-1.0.xsd">

                <config>
                    <!-- ... -->

                    <rule path="^/secure" role="ROLE_ADMIN" requires-channel="https"/>
                    <rule path="^/login" role="PUBLIC_ACCESS" requires-channel="https"/>
                    <rule path="^/" role="PUBLIC_ACCESS" requires-channel="https"/>
                </config>
            </srv:container>

        .. code-block:: php

            // config/packages/security.php
            use Symfony\Config\SecurityConfig;

            return static function (SecurityConfig $security): void {
                // ....

                $security->accessControl()
                    ->path('^/secure')
                    ->roles(['ROLE_ADMIN'])
                    ->requiresChannel('https')
                ;

                $security->accessControl()
                    ->path('^/login')
                    ->roles(['PUBLIC_ACCESS'])
                    ->requiresChannel('https')
                ;

                $security->accessControl()
                    ->path('^/')
                    ->roles(['PUBLIC_ACCESS'])
                    ->requiresChannel('https')
                ;
            };

To make life easier while developing, you can also use an environment variable, like requires_channel: '%env(REQUIRED_SCHEME)%'. In your .env file, set REQUIRED_SCHEME to http by default, but override it to https on production.

See :doc:`/security/access_control` for more details about access_control in general.

Note

An alternative way to enforce HTTP or HTTPS is to use :ref:`the scheme option <routing-force-https>` of a route or group of routes.

Note

Forcing HTTPS while using a reverse proxy or load balancer requires a proper configuration to avoid infinite redirect loops; see :doc:`/deployment/proxies` for more details.