How to find out the site is on SSL or not on SSL? I'm working on a WP plugin for live transactions and it is important for plugin to check that the site (on which plugin is installed) is using SSL or not & I have to show a warning message on checkout page, if the site is not on SSL.
You can check the $_SERVER['HTTPS'] variable.
If it's an HTTPS request the 'HTTPS' value in the superglobal $_SERVER array will be set and will be set to 'on'. If it is not an HTTPS request it will not be set.
So to test if it's an HTTPS request in PHP you could do this:
if( isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' ) {
...
}
Alternatively you could set it as a constant if you need to know if it's an HTTPS request several times in your code like so:
define('IS_HTTPS_REQUEST', isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on');
function is_exist_ssl($domain){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://".$domain);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt ($ch, CURLOPT_HEADER, 0);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_exec($ch);
if(!curl_error($ch)){
$info = curl_getinfo($ch);
if($info['http_code'] == 200){
return true;
}
return false;
}else{
return false;
}
}
usage:
$domain = 'uniapple.net';
if(is_exist_ssl($domain)){
echo "SSL is enabled!";
}else{
echo "No SSL";
}
//usage ::
if(!isset($_SERVER['REDIRECT_HTTPS']) || $_SERVER['REDIRECT_HTTPS'] != 'on'){
if(is_exist_ssl($domain)){
header('location : https://'.$domain);
}
}
There are a number of solutions to this problem described in this question. If you're using Apache Httpd and you can narrow down the path to a certain prefix, you could use SSLRequireSSL within a Location directive. Alternatively, you can check $_SERVER['HTTPS'] in PHP, if it's defined (it may depend on the web server, but it usually is).
More importantly, don't focus too much on checking the page you're serving is served over HTTPS. It is the responsibility of the client to check that, because, by the time it reaches the server, it's too late: it may have already been intercepted by a MITM attacker (who may even make the request over HTTPS even if the genuine client did not). I've put a longer explanation about this problem in this answer. From a UI point of view, you should make it clear that the user will enter a "secure" section and it's up to them to check that the subsequent requests will be over HTTPS.
It's not necessarily a bad thing to check that your server is indeed running over HTTPS, but it doesn't help much from a security point of view. What really matters is that all the links to that secure section must use https:// (and must not rely on automatic URL rewriting to do so).
Since this question is old, and the answers are a bit outdated, I thought I'd chime in!
I saw you were asking about a WordPress Plugin. WordPress has an is_ssl() function to check if a page is using ssl since WordPress 2.6.
Here's an example:
if ( is_ssl() ) {
print_r('SSL is running!');
} else {
print_r('Please install an ssl certificate!');
}