Weston Ruter edited this page May 3, 2022 · 2 revisions

This is obsolete. The HTTPS functionality from this plugin has largely been made part of Core: Improved HTTPS detection and migration in WordPress 5.7.


HTTPS is a prerequisite for progressive web apps. A service worker can only be installed on sites that are served over HTTPS. For this reason, core's support for HTTPS needs to be further improved, continuing the great progress made over the past few years.

At the moment the plugin provides an API to detect whether a site supports HTTPS. Building on that, the intent is to present the user with an opt-in to switch over to HTTPS, which will then also need to include support for rewriting URLs from HTTP to HTTPS. See labeled GitHub issues and see WordPress core tracking ticket #28521.

You can optionally add an HSTS header (HTTP Strict-Transport-Security). This tells the browser to load the site only over HTTPS, not HTTP.

```php
/**
 * Adds an HSTS header to the response.
 *
 * @param array $headers The headers to filter.
 * @return array $headers The filtered headers.
 */
add_filter( 'wp_headers', function( $headers ) {
	$headers['Strict-Transport-Security'] = 'max-age=3600'; // Or another max-age.
	return $headers;
} );
```

This can prevent a case where users initially visit the HTTP version of the site and are redirected to a malicious site before the redirect to the proper HTTPS version happens.

The wp_headers filter allows you to add a Strict-Transport-Security header for this.

Please see the documentation for the directives, including the max-age.
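
A variant of the filter above that sends the header only on HTTPS responses and builds the value from its directives. This is an added example, not code from the plugin: `example_hsts_value()` is a hypothetical helper, and the one-hour lifetime and the choice to leave `includeSubDomains` off are assumptions.

```php
<?php
/**
 * Builds a Strict-Transport-Security header value.
 * Hypothetical helper for this example; not part of the plugin or of core.
 *
 * @param int  $max_age            Policy lifetime in seconds. 0 tells the browser to drop the policy.
 * @param bool $include_subdomains Whether to append the includeSubDomains directive.
 * @return string The header value.
 */
function example_hsts_value( $max_age, $include_subdomains = false ) {
	// Negative or non-numeric input becomes 0, which clears the policy
	// instead of pinning visitors to HTTPS for an unintended period.
	$max_age = max( 0, (int) $max_age );
	$value   = 'max-age=' . $max_age;

	// Only opt subdomains in when every one of them is served over HTTPS.
	if ( $include_subdomains ) {
		$value .= '; includeSubDomains';
	}
	return $value;
}

add_filter(
	'wp_headers',
	function( $headers ) {
		// Browsers ignore this header on plain HTTP responses,
		// so only add it when the current request is HTTPS.
		if ( ! is_ssl() ) {
			return $headers;
		}

		// Assumed rollout value: one hour while testing. Raise it once
		// the whole site is known to work over HTTPS.
		$headers['Strict-Transport-Security'] = example_hsts_value( HOUR_IN_SECONDS );
		return $headers;
	}
);
```

Start with a short `max-age`, because a browser that has stored the policy will refuse plain HTTP for the site until the lifetime expires or it receives `max-age=0` over HTTPS.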
