Enforcing HTTPS
In your MyBB admin control panel you should double check to make sure the board URL is configured correctly.
- In Configuration --> Site Details ensure the board URL is https:// and not http://.
- In Configuration --> Site Details ensure the Secure Cookie Flag is set to yes.
Setting An HTTPS Redirect
We will also need to set up a fancy little redirect rule. This makes sure that if someone accidentally types http://yoursitename.com/ they are automatically redirected to the correct https://yoursitename.com/ URL. You will need to access your site's directory files (either through FTP, File Manager via cPanel or some other preferred method).
Please find the htaccess.txt file, rename it to .htaccess and save. If the file is already renamed you do not have to worry about this.
If, after renaming your file in cPanel's file manager, you can no longer find it, please navigate to Settings in the top right hand corner, check the box next to Show Hidden Files (dotfiles), then save settings.
Towards the top of the .htaccess file you will need to add:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Adding Security Header
I would be lying if I tried to describe exactly what this is like I know what I'm talking about, so instead the short version is: this ensures that if any images or whatnot are being loaded through your site over HTTP, they will be denied and thrown out. That way you keep your fancy green "Secure" flag instead of a circled "i" flag, which is basically saying "MIXED CONTENT HERE".
In Templates & Themes --> Templates --> current template set --> Ungrouped Templates --> headerinclude, add one of these meta tags beneath the other meta tags.
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
This will have the user agent download all content over an HTTPS link. If the content is only available over HTTP, it ends up 'broken' or showing an error.
OR
<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
This will end up blocking all insecure content.
This is a basic guide; if I have missed something important, please poke me!
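One way to check the result of the steps above (the 301 redirect, the Secure cookie flag and the Content-Security-Policy meta tag), as an added example that is not part of the original guide. The host forum.example, the cookie value, the sample pages and the names audit and PageScan are assumptions made for illustration; the captured responses are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

MIXED_CONTENT_DIRECTIVES = {"upgrade-insecure-requests", "block-all-mixed-content"}

class PageScan(HTMLParser):
    """Collects CSP <meta> directives and subresources still referenced over http://."""
    URL_ATTR = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.csp, self.insecure = set(), []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            self.csp |= {d.split()[0].lower() for d in a.get("content", "").split(";") if d.strip()}
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
            return  # canonical/alternate links are not loaded as subresources
        url = a.get(self.URL_ATTR.get(tag, ""), "")
        if url.lower().startswith("http://"):
            self.insecure.append(url)

def audit(host, http_status, location, set_cookies, page_html):
    """Return a list of findings; an empty list means every step checks out."""
    findings = []
    target = urlsplit(location or "")
    if http_status != 301 or target.scheme != "https" or target.hostname != host:
        findings.append("no 301 redirect from http:// to https:// on the same host")
    for cookie in set_cookies:
        name, *attrs = [part.strip() for part in cookie.split(";")]
        if "secure" not in (x.lower() for x in attrs):
            findings.append("cookie without Secure flag: " + name.split("=")[0])
    scan = PageScan()
    scan.feed(page_html)
    if not scan.csp & MIXED_CONTENT_DIRECTIVES:
        findings.append("no mixed-content CSP meta tag")
    findings += ["http:// subresource: " + u for u in scan.insecure]
    return findings

# Constructed sample captures (not taken from a real board).
GOOD_PAGE = ('<head><meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">'
             '</head><img src="https://forum.example/images/logo.png">')
BAD_PAGE = '<head><meta charset="utf-8"></head><img src="http://forum.example/images/logo.png">'

if __name__ == "__main__":
    print(audit("forum.example", 301, "https://forum.example/", ["sid=abc; path=/; HttpOnly; Secure"], GOOD_PAGE))
    print(audit("forum.example", 302, "http://forum.example/index.php", ["sid=abc; path=/; HttpOnly"], BAD_PAGE))
```

The inputs are what you would copy from a response to the http:// URL (status and Location header) and from the https:// page (Set-Cookie headers and HTML source).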