Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
+3 votes
in Q2A Core by
Is there any way to move the Q2A login to HTTPS? Moving the entire site is another options as it does allow private messages also to be encrypted. I have handled all plugins to be HTTPS safe but images are an issue. I can change the URL of images from http:// to // to be protocol free -- is this the right way to do? If so, why does not the ckeditor does this by default?
Q2A version: 1.8

1 Answer

+3 votes
selected by
Best answer
There's no option for this within Q2A. If you want only the login to be https, you could set this up at the server level or htaccess (i.e. redirect the login/register pages to https, redirect everything else on https back to http).

But the best option is to move everything to https. If it's insecure to send password details over http then it's also insecure to send your cookies over http too, once you are already logged in.

Images can be a problem but currently all browsers will load http images on a https page. If all images are 'local' (i.e. on your site) then you can rewrite them all to https://

It's more difficult for external images because you don't know whether the external server supports https. On my site I set up a "proxy" PHP script that fetches the image over http, but the URL is a https one on my site. I may release this as a plugin in the future if people are interested.
Thank you Scott. For me most images are internal. Is it safe to convert to src="//sitename.com" and not to src ="https://sitename.com" ? Can this be enforced for newly inserted images in Q2A?
For new images you might want to use a filter plugin with a simple str_replace of 'src="http://' to 'src="https://'

You can use the //example.com format, but I've found that causes more 404s, from old browsers that don't support it. Or maybe crappy bots/scrapers.

If you support https you may as well link to the https version which works fine on http. Plus if you have http/2 set up it means they load faster.
Thank you Scott. That was very useful. I'll share the details once done- guess most people will need it in coming days.
Please share the htaccess needed for everything to work. I did some tests and it is not working as expected.
Moving everything to https created issues for me. Some of the lugins like custom google search no longer work. As well images are not shown properly.