upgrade-insecure-requests
header on your server.
-- Rewrite absolute http:// links to the board's own domain inside stored post bodies
-- (presumably so old posts stop referencing plain-HTTP URLs once the site is HTTPS).
-- Take a database backup first: this edits every matching row in place.
-- 'http://mydomain' is a prefix match, so any hostname that merely begins with the
-- same characters is rewritten too; spell out the full host name to narrow it.
-- Only phpbb_posts.post_text is touched; links stored in other tables are left as-is.
UPDATE phpbb_posts
SET post_text = REPLACE(post_text, 'http://mydomain', 'https://mydomain')
-- The WHERE clause restricts the write to rows that actually contain the old URL.
WHERE post_text LIKE '%http://mydomain%';
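<IfModule mod_headers.c>
# Security response headers. The block is skipped silently if mod_headers is not loaded,
# so confirm the headers are really present in a live response.
# NOTE(review): "Header set" without "always" is not applied to error responses;
# only the HSTS line below uses "always".
#
# X-XSS-Protection only drives the legacy browser XSS filter; current browsers ignore it
# and current hardening guidance is to send "0" or omit it. Value kept as the author had it.
Header set X-XSS-Protection "1; mode=block"
# Allow framing by same-origin pages only (clickjacking defence).
Header set X-Frame-Options "SAMEORIGIN"
# Stop browsers from MIME-sniffing a response away from its declared Content-Type.
Header set X-Content-Type-Options "nosniff"
# HSTS: max-age=63072000 seconds is two years. includeSubDomains applies to every
# subdomain, so all of them must serve HTTPS. Browsers honour this header only when it
# arrives over HTTPS.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
# Header set Content-Security-Policy ...
# NOTE(review): the "https:" scheme source allows loading from any HTTPS host, so it mainly
# blocks plain-HTTP resources. With no 'unsafe-inline', nonce or hash, inline <script> and
# <style> are blocked, which can break pages that rely on them; trial the policy with
# Content-Security-Policy-Report-Only first.
Header set Content-Security-Policy "default-src https:; font-src https: data:; img-src https: data:; script-src https:; style-src https:;"
# Send the Referer header on same-origin requests only.
Header set Referrer-Policy "same-origin"
# Permissions-Policy is a comma-separated list and origins in an allowlist must be
# double-quoted. The semicolon-separated form is the older Feature-Policy syntax and is
# likely to be rejected as a whole by browsers, leaving no policy in effect.
# NOTE(review): "speaker" and "vibrate" do not appear to be recognised by current browsers
# and are presumably ignored - confirm and drop them if so.
Header set Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), speaker=(), usb=(), vibrate=(), sync-xhr=(self \"https://mydomain.com\")"
</IfModule>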
# Minimal variant: send only X-Content-Type-Options, and only if mod_headers is loaded.
<IfModule mod_headers.c>
# "nosniff" stops browsers from MIME-sniffing a response away from its declared Content-Type.
# "Header set" without "always" is not applied to error responses.
Header set X-Content-Type-Options "nosniff"
</IfModule>
You are not solving - you work around.
Then in the ACP's Server Settings
Force server URL settings: Yes
Server protocol: https://
Domain name: domain.com
Server port: 443
Script path: /forum
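RewriteEngine on
# Send plain-HTTP requests for domain.com / www.domain.com to https://domain.com.
# The original rule tested only the host name, so a request that was already
# https://domain.com matched again and was redirected to itself in a loop.
# NOTE(review): behind a TLS-terminating proxy or load balancer %{HTTPS} may never be "on";
# in that setup test the forwarded-protocol header the proxy sets, or this loops as well.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^(www\.)?domain\.com$ [NC]
RewriteRule ^ https://domain.com%{REQUEST_URI} [L,R=301]
# Requests that are already HTTPS but use the www name still go to the bare domain,
# as they did with the original rule.
RewriteCond %{HTTP_HOST} ^www\.domain\.com$ [NC]
# R=301 is cached by browsers; switch to R=302 while testing.
RewriteRule ^ https://domain.com%{REQUEST_URI} [L,R=301]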
# Redirect any request whose Host header starts with www.domain.com to the bare domain
# over HTTPS, using a permanent (301) redirect that browsers cache.
# This does not move plain-HTTP requests for the bare domain to HTTPS.
RewriteEngine On
# [NC] makes the host comparison case-insensitive; the pattern has no end anchor.
RewriteCond %{HTTP_HOST} ^www\.domain\.com [NC]
# NOTE(review): in a per-directory .htaccess the captured path is relative to that
# directory, so if this file sits below the web root the directory prefix would be
# missing from the redirect target - confirm where the file lives.
RewriteRule (.*) https://domain.com/$1 [R=301,L]
RewriteEngine On
#
## Redirect from www to non-www over HTTPS (301, so browsers cache it).
## NOTE(review): in a per-directory .htaccess the captured path is relative to that
## directory; if this file sits below the web root the directory prefix would be
## missing from the redirect target - confirm where the file lives.
RewriteCond %{HTTP_HOST} ^www\.domain.com [NC]
RewriteRule (.*) https://domain.com/$1 [R=301,L]
#
## Force 'http' to 'https' -> left disabled because it did not work.
## As written the rule never tests the request scheme: a request that is already
## https://domain.com still matches the host condition and is redirected to itself,
## which loops. It needs a scheme test such as  RewriteCond %{HTTPS} !=on  ahead of
## the host condition (behind a TLS-terminating proxy, test the forwarded-protocol
## header instead). Without a working redirect, first visits over plain HTTP stay on
## HTTP, because browsers only honour Strict-Transport-Security on HTTPS responses.
#RewriteCond %{HTTP_HOST} ^(www\.)?domain.com$
#RewriteRule ^ https://domain.com%{REQUEST_URI} [NC,L,R]
#
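###### Security Headers - test with https://securityheaders.com
<IfModule mod_headers.c>
# The block is skipped silently if mod_headers is not loaded, so check a live response.
# NOTE(review): "Header set" without "always" is not applied to error responses;
# only the HSTS line below uses "always".
#
# X-XSS-Protection only drives the legacy browser XSS filter; current browsers ignore it
# and current hardening guidance is to send "0" or omit it. Value kept as the author had it.
Header set X-XSS-Protection "1; mode=block"
# Allow framing by same-origin pages only (clickjacking defence).
Header set X-Frame-Options "SAMEORIGIN"
# Stop browsers from MIME-sniffing a response away from its declared Content-Type.
Header set X-Content-Type-Options "nosniff"
# HSTS: max-age=63072000 seconds is two years. includeSubDomains applies to every
# subdomain, so all of them must serve HTTPS. Browsers honour this header only when it
# arrives over HTTPS.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
## Header set Content-Security-Policy ...
## Disabled here, so no Content-Security-Policy is sent at all. With no 'unsafe-inline',
## nonce or hash this policy blocks inline <script> and <style>, and the "https:" scheme
## source allows loading from any HTTPS host. Trial a policy with
## Content-Security-Policy-Report-Only before enforcing it.
#Header set Content-Security-Policy "default-src https:; font-src https: data:; img-src https: data:; script-src https:; style-src https:;"
# Send the Referer header on same-origin requests only.
Header set Referrer-Policy "same-origin"
# Permissions-Policy is a comma-separated list and origins in an allowlist must be
# double-quoted. The semicolon-separated form is the older Feature-Policy syntax and is
# likely to be rejected as a whole by browsers, leaving no policy in effect.
# NOTE(review): "speaker" and "vibrate" do not appear to be recognised by current browsers
# and are presumably ignored - confirm and drop them if so.
Header set Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), speaker=(), usb=(), vibrate=(), sync-xhr=(self \"https://domain.com\")"
</IfModule>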