As more and more of your business's sensitive information is digitalised, cyber-security concerns grow with it. Equipping your website with a basic defence mechanism is paramount to protecting your data, content and privacy. The first step in that direction is to implement the HTTPS protocol.

 

What is HTTPS?

 

HTTPS – HyperText Transfer Protocol Secure – is an extension of HTTP used to ensure secure communication over a computer network and on the Internet. The communication is encrypted with a cryptographic protocol, Transport Layer Security (TLS) or its predecessor Secure Sockets Layer (SSL), which is why it is also called HTTP over TLS or HTTP over SSL.

The main incentive to use HTTPS is authentication of the accessed website (assurance that one isn’t dealing with an impostor), as well as protection of the privacy and integrity of the data exchanged between a user and a server. The bidirectional encryption of communications protects against third-party interference, such as eavesdropping on or tampering with the information. HTTPS connections were primarily used to secure payment transactions and e-mails. Since 2018, HTTPS has been used more often by all web users, mostly to protect page authenticity, secure accounts, and keep user communications, identity and web browsing private.

You know your website is secure when your URL bar looks like this:

[Screenshots: URL bar on Google Chrome and on Apple Safari]

Important note

The implementation of the HTTPS protocol on a website or application requires a set of certificates that are revalidated every year. Certificate Authorities, or CAs, issue those Digital Certificates, which are verifiable small data files that contain identity credentials to help websites, people, and devices represent their authentic online identity.

Be aware that your website CANNOT link to or display, on any of its pages, any resources from an unsecured web source (HTTP). If such links are found it will compromise your accreditation and you will no longer be considered a secured site.

At 4BIS, we systematically implement strong cyber-security for our clients by migrating their sites to the secured HTTPS environment. As web development specialists, we can take care of obtaining the necessary certificates. We also ensure the proper configuration of the web server and the compliance of content.

 

How to implement HTTPS in Symfony 3

 

To force an HTTPS connection on a single route, use the schemes option and set it to https:

#app/config/routing.yml

appbundle_route_identifier:
    path:     /route-name
    defaults: { _controller: fbismainBundle:Default:action_controller}
    # Force HTTPS
    schemes: [https]

 

The Security component provides another way to enforce HTTP or HTTPS via the requires_channel setting. This alternative method is better suited to securing an “area” of your website (for example, all URLs under /admin) instead of manually specifying every route.

#app/config/security.yml
security:
    # ... #
    access_control:
        - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }

 


Warning

In Twig, Symfony’s default template engine, using absolute_url will lead to HTTP and not to HTTPS, which causes a security threat.

Example:
{{ absolute_url('assets/images/podium/partners/partners-02.png') }}
Result:
http://podium.presentyourstartup.nl/assets/images/podium/partners/partners-02.png

To resolve this, you might need a workaround: building the full link manually.

Example:
{{ app.request.scheme ~ '://' ~ app.request.host ~ asset('assets/images/podium/partners/partners-02.png') }}
Result:
https://podium.presentyourstartup.nl/assets/images/podium/partners/partners-02.png  
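
A way to check rendered pages for the problem described in the important note and the Twig warning above, as an added example that is not part of the original post: this Python script lists the resources an HTTPS page would load over plain HTTP. The tag list, the function names and the sample page are this example's own; the sample reuses the two image URLs from the warning.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch (or submit to) a URL.
FETCH_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "object": "data",
    "link": "href", "form": "action",
}

class MixedContentScanner(HTMLParser):
    """Collect (line, tag, url) for every resource that resolves to http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        for name, value in attrs:
            if name != wanted or not value:
                continue
            # Resolve relative and protocol-relative URLs against the page URL.
            resolved = urljoin(self.page_url, value.strip())
            if urlsplit(resolved).scheme == "http":
                self.findings.append((self.getpos()[0], tag, resolved))

def find_mixed_content(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: line 5 carries the absolute_url output from the
# warning, line 6 the URL built with the workaround.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="http://podium.presentyourstartup.nl/assets/images/podium/partners/partners-02.png">
<img src="https://podium.presentyourstartup.nl/assets/images/podium/partners/partners-02.png">
</body></html>"""

if __name__ == "__main__":
    page = "https://podium.presentyourstartup.nl/"
    for line, tag, url in find_mixed_content(SAMPLE, page):
        print(f"line {line}: <{tag}> loads {url}")
```

Relative and protocol-relative references inherit the scheme of the page URL passed in, so the same markup is reported differently when the page itself is served over HTTP.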

We hope you found this post useful. Feel free to contact us if you have questions.

Until next time!

The 4BIS team.