How Can I Reliably Verify HTTPS Connections When $_SERVER['HTTPS'] Is Unreliable?

Verifying HTTPS Connection Beyond $_SERVER['HTTPS']

In situations where $_SERVER['HTTPS'] remains undefined, hindering the conventional method of checking for HTTPS connections, an alternative approach is available.

The following function ensures accurate detection, regardless of whether $_SERVER['HTTPS'] exists:

function isSecure() {
  return
    (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || $_SERVER['SERVER_PORT'] == 443;
}

This code operates seamlessly with IIS, as stated in the PHP documentation and user feedback.

• $_SERVER['HTTPS']: This variable is set when connecting via HTTPS, but in IIS, it may exhibit unexpected values like "off."
• $_SERVER['SERVER_PORT']: Typically, port 443 is associated with secure connections, making it a reliable fallback option.
• Apache 1.x and other platforms with potential configuration issues may omit the $_SERVER['HTTPS'] variable, while port 443 verification serves as a backup check.

Note that if a load balancer intermediaries between the client and your server, this code primarily examines the connection between the load balancer and your server, not the client-load balancer connection.

The above is the detailed content of How Can I Reliably Verify HTTPS Connections When $_SERVER['HTTPS'] Is Unreliable?. For more information, please follow other related articles on the PHP Chinese website!