How to find out if you're using HTTPS without $_SERVER['HTTPS']

Question

I've seen many tutorials online that says you need to check $_SERVER['HTTPS'] if the server is connection is secured with HTTPS. My problem is that on some of the servers I use, $_SERVER['HTTPS'] is an undefined variable that results in an error. Is there another variable I can check that should always be defined?

Just to be clear, I am currently using this code to resolve if it is an HTTPS connection:

if(isset($_SERVER['HTTPS'])) {
    if ($_SERVER['HTTPS'] == "on") {
        $secure_connection = true;
    }
}

By any chances, those servers where $_SERVER['HTTPS'] is undefined are running on HTTPS? — Freddy
– Freddy, Commented Jul 23, 2009 at 23:50
Actually, one of them is my home WAMP server. And I don't believe it is running on HTTPS. — Tyler Carter
– Tyler Carter, Commented Jul 23, 2009 at 23:51
@TylerCarter, An alternative method is to use Secure cookies. Be careful with the gotchas though. — Pacerier
– Pacerier, Commented Mar 6, 2015 at 3:15

Gras Double · Accepted Answer · 2025-05-24 21:27:55Z

316

Basic Approach

This should always work even when $_SERVER['HTTPS'] is undefined:

function isSecure() {
    return
        (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || $_SERVER['SERVER_PORT'] == 443;
}

The code is compatible with IIS.

From the PHP.net documentation and user comments :

Set to a non-empty value if the script was queried through the HTTPS protocol.

Note that when using ISAPI with IIS, the value will be "off" if the request was not made through the HTTPS protocol. (Same behaviour has been reported for IIS7 running PHP as a Fast-CGI application).

Also, Apache 1.x servers (and broken installations) might not have $_SERVER['HTTPS'] defined even if connecting securely. Although not guaranteed, connections on port 443 are, by convention, likely using secure sockets, hence the additional port check.

Consideration for Load Balancers

If there is a load balancer between the client and your server, the above code doesn't test the connection between the client and the load balancer, but the connection between the load balancer and your server. To test the connection between the client and the load balancer, you would need to check the HTTP_X_FORWARDED_PROTO header. However, implementing this can be more complex; see latest comments below this answer.

Alternative Approach: Using Symfony's `Request` Class

Symfony provides a more robust way to determine whether the request is secure by using the Request class from its HttpFoundation component. This method accounts for headers set by proxies and load balancers, making it more reliable across different environments.

Installation

First, install the necessary package using Composer:

composer require symfony/http-foundation

Using `$request->isSecure()`

Then, use the Request class:

use Symfony\Component\HttpFoundation\Request;

$request = Request::createFromGlobals();
$isSecure = $request->isSecure();

This method first checks if the request is from a recognized proxy. If it is, it considers X-Forwarded-Proto. If the request is not from a recognized proxy, it considers $_SERVER['HTTPS'].

Handling Proxies and Load Balancers

If your application is behind a proxy or load balancer, you must explicitly set trusted proxies to ensure Symfony correctly interprets forwarded headers:

Request::setTrustedProxies(
    ['127.0.0.1', '192.168.1.1'], // Replace with actual proxy IPs
    Request::HEADER_X_FORWARDED_ALL
);

Request::HEADER_X_FORWARDED_ALL is a Symfony constant that includes all relevant forwarded headers, such as X-Forwarded-For (client IP), X-Forwarded-Proto (HTTPS detection), and others. This simplifies proxy handling by ensuring all forwarded headers are considered.

Alternatively, in a Symfony project, you can configure this in config/packages/framework.yaml:

framework:
    trusted_proxies: ['127.0.0.1', '192.168.1.1']
    trusted_headers: ['x-forwarded-for', 'x-forwarded-proto']

In YAML configuration, trusted headers are explicitly listed. x-forwarded-for allows Symfony to correctly determine the client IP when behind a proxy, while x-forwarded-proto ensures proper HTTPS detection. This gives fine-grained control over which headers are trusted.

Be aware that HTTP_X_FORWARDED_PROTO can be spoofed unless properly controlled. Always ensure that trusted proxy configurations are correctly set to avoid false HTTPS detections.

edited May 24 at 21:27

answered May 21, 2010 at 23:26

Gras Double

16.5k9 gold badges61 silver badges56 bronze badges

Sign up to request clarification or add additional context in comments.

13 Comments

ErichBSchulz Over a year ago

Nb: port 443 does not guarantee connection is encrypted

Brad Over a year ago

@DavidRodrigues That isn't true. You can use HTTP/HTTPS over whatever port you want. getservbyname() is only a reference, not reality, and does not in any way guarantee that HTTPS is running over port 443.

m.e.conroy Over a year ago

I had a small problem with $_SERVER['SERVER_PORT'] !== 443 I had to cast $_SERVER['SERVER_PORT] to an integer like so: intval($_SERVER['SERVER_PORT]) !== 443

Gras Double Over a year ago

1) The server port check is an extra for sheetty servers, best to remove it if it is not needed. 2) Notice it's a loose comparison in my answer ;)

jhummel Over a year ago

One more small issue I ran into today. The server was returning 'OFF' not 'off' - strtolower($_SERVER['HTTPS']) !== 'off' did the trick.

|

temuraru · Accepted Answer · 2013-04-18 07:35:14Z

137

My solution (because the standard conditions [$_SERVER['HTTPS'] == 'on'] do not work on servers behind a load balancer) is:

$isSecure = false;
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
    $isSecure = true;
}
elseif (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https' || !empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on') {
    $isSecure = true;
}
$REQUEST_PROTOCOL = $isSecure ? 'https' : 'http';

HTTP_X_FORWARDED_PROTO: a de facto standard for identifying the originating protocol of an HTTP request, since a reverse proxy (load balancer) may communicate with a web server using HTTP even if the request to the reverse proxy is HTTPS http://en.wikipedia.org/wiki/List_of_HTTP_header_fields#Common_non-standard_request_headers

edited Apr 18, 2013 at 7:35

answered Apr 18, 2013 at 7:28

temuraru

1,5581 gold badge10 silver badges7 bronze badges

11 Comments

Reto Zahner Over a year ago

This is the solution if you use the varnish reverse proxy.

user4826347 Over a year ago

My issue got resolved with this solution. (PHP - AWS Elastic beanstalk)

AnthonyVO Over a year ago

This also work for the free HTTPS provided by CloudFlare.

Brian C Over a year ago

Worth considering, from a security point of view, the HTTP_X_FORWARDED_PROTO proxy workaround might allow a smart attacker to avoid SSL by saying they were using SSL when they weren't.

Shady Medic Over a year ago

This should be marked as the correct answer.

|

Quill · Accepted Answer · 2015-04-14 04:37:00Z

84

Chacha, per the PHP documentation: "Set to a non-empty value if the script was queried through the HTTPS protocol." So your if statement there will return false in many cases where HTTPS is indeed on. You'll want to verify that $_SERVER['HTTPS'] exists and is non-empty. In cases where HTTPS is not set correctly for a given server, you can try checking if $_SERVER['SERVER_PORT'] == 443.

But note that some servers will also set $_SERVER['HTTPS'] to a non-empty value, so be sure to check this variable also.

Reference: Documentation for $_SERVER and $HTTP_SERVER_VARS [deprecated]

edited Apr 14, 2015 at 4:37

Quill

2,7551 gold badge35 silver badges46 bronze badges

answered Jul 23, 2009 at 23:55

hobodave

29.4k4 gold badges74 silver badges77 bronze badges

5 Comments

Gabriel Sosa Over a year ago

use $_SERVER['SERVER_PORT'] can be tricky... for example ispconfig uses port 81 as secure port so lets say that 443 is the "default" port for ssl.

user50049 Over a year ago

@Gabriel Sosa - True, but caveats can be addressed on a case by case basis. @hobodave's answer will work for most.

paolo Over a year ago

Note that this will not work behind a reverse proxy. One might consider to check HTTP_X_FORWARDED_PROTO or HTTP_X_FORWARDED_SSL as well.

Roland Over a year ago

I agree with that last resort should be port number, so here is my check:

(((isset($_SERVER['HTTPS'])) && (strtolower($_SERVER['HTTPS']) == 'on')) || ((isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) && (strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https')))

which does not include port check at all. Feel free to add. :-)

Antony Gibbs Over a year ago

@paolo behind a reverse proxy SetEnvIf X-Forwarded-SSL on HTTPS=on will do the trick. But this will not work with REQUEST_SCHEME as a result in php seems better to use $_SERVER['HTTPS']

ling · Accepted Answer · 2017-12-11 13:10:48Z

18

Making my own function from reading all previous posts:

public static function isHttps()
{
    if (array_key_exists("HTTPS", $_SERVER) && 'on' === $_SERVER["HTTPS"]) {
        return true;
    }
    if (array_key_exists("SERVER_PORT", $_SERVER) && 443 === (int)$_SERVER["SERVER_PORT"]) {
        return true;
    }
    if (array_key_exists("HTTP_X_FORWARDED_SSL", $_SERVER) && 'on' === $_SERVER["HTTP_X_FORWARDED_SSL"]) {
        return true;
    }
    if (array_key_exists("HTTP_X_FORWARDED_PROTO", $_SERVER) && 'https' === $_SERVER["HTTP_X_FORWARDED_PROTO"]) {
        return true;
    }
    return false;
}

answered Dec 11, 2017 at 13:10

ling

10.1k4 gold badges58 silver badges54 bronze badges

Comments

Thamaraiselvam · Accepted Answer · 2018-03-27 06:22:48Z

17

This also works when $_SERVER['HTTPS'] is undefined

if( (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') || $_SERVER['SERVER_PORT'] == 443 ){
    //enable secure connection
}

edited Mar 27, 2018 at 6:22

answered Jul 30, 2015 at 15:10

Thamaraiselvam

7,1128 gold badges51 silver badges73 bronze badges

2 Comments

John Max Over a year ago

They are some servers where $_SERVER['HTTPS'] is not defined yet https is enabled. How about that ?

Thamaraiselvam Over a year ago

@JohnMax SERVER_PORT is defined always that solves the undefined problem of HTTPS

thomas-peter · Accepted Answer · 2011-06-21 15:39:59Z

12

I have just had an issue where I was running the server using Apache mod_ssl, yet a phpinfo() and a var_dump( $_SERVER ) showed that PHP still thinks I'm on port 80.

Here is my workaround for anyone with the same issue....

<VirtualHost *:443>
  SetEnv HTTPS on
  DocumentRoot /var/www/vhost/scratch/content
  ServerName scratch.example.com
</VirtualHost>

The line worth noting is the SetEnv line. With this in place and after a restart, you should have the HTTPS environment variable you always dreamt of

edited Jun 21, 2011 at 15:39

answered Jun 21, 2011 at 14:13

thomas-peter

7,9646 gold badges48 silver badges59 bronze badges

3 Comments

Brad Koch Over a year ago

Better be sure HTTPS is genuinely working; that'll make the server lie to you if it isn't.

toon81 Over a year ago

Also you need the SetEnv module for this to work. It's enabled by default, but you never know what a server admin might disable.

dikirill Over a year ago

Very useful in case you are on the docker thru reverse proxy. Thanks!

Edvaldo Silva de Almeida Jr · Accepted Answer · 2015-11-23 14:20:44Z

8

If your are using Apache you may always count on

$_SERVER["REQUEST_SCHEME"]

to verify the scheme of the URL requested. But, as mentioned in other answers, it is prudent to verify other parameters before assuming SSL is really being used.

answered Nov 23, 2015 at 14:20

Edvaldo Silva de Almeida Jr

3,7235 gold badges31 silver badges61 bronze badges

1 Comment

Firas Abd Alrahman Over a year ago

it works on XAMPP but not on centos / apache2 + PHP ... so it is not trusted.

Nemosciri · Accepted Answer · 2020-09-04 12:54:46Z

6

I know this answer is late, but I combined a bunch of answers and made a simple function that works for all use cases.

Try this:

function is_ssl(){
if(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO']=="https"){ return true; }
elseif(isset($_SERVER['HTTPS'])){ return true; }
elseif($_SERVER['SERVER_PORT'] == 443){ return true; }
else{ return false; }
}

Then just use if, for example:

if(is_ssl()){
// WHAT TO DO IF IT IS SSL / HTTPS
}else{
// WHAT TO DO IF IT IS NOT SSL / HTTPS
}

This code works with Cloudflare, shared hosting providers, etc.

Enjoy.

answered Sep 4, 2020 at 12:54

Nemosciri

711 silver badge4 bronze badges

Comments

helvete · Accepted Answer · 2018-06-19 08:44:03Z

The REAL answer: ready for copy-paste into a [config] script

/* configuration settings; X=edit may 10th '11 */
$pv_sslport=443; /* for it might be different, as also Gabriel Sosa stated */
$pv_serverport=80; /* X */
$pv_servername="mysite.com"; /* X */

/* X appended after correction by Michael Kopinsky */
if(!isset($_SERVER["SERVER_NAME"]) || !$_SERVER["SERVER_NAME"]) {
    if(!isset($_ENV["SERVER_NAME"])) {
        getenv("SERVER_NAME");
        // Set to env server_name
        $_SERVER["SERVER_NAME"]=$_ENV["SERVER_NAME"];
    }
}
if(!$_SERVER["SERVER_NAME"]) (
    /* X server name still empty? ... you might set $_SERVER["SERVER_NAME"]=$pv_servername; */
}

if(!isset($_SERVER["SERVER_PORT"]) || !$_SERVER["SERVER_PORT"]) {
    if(!isset($_ENV["SERVER_PORT"])) {
        getenv("SERVER_PORT");
        $_SERVER["SERVER_PORT"]=$_ENV["SERVER_PORT"];
    }
}
if(!$_SERVER["SERVER_PORT"]) (
    /* X server port still empty? ... you might set $_SERVER["SERVER_PORT"]=$pv_serverport; */
}

$pv_URIprotocol = isset($_SERVER["HTTPS"]) ? (($_SERVER["HTTPS"]==="on" || $_SERVER["HTTPS"]===1 || $_SERVER["SERVER_PORT"]===$pv_sslport) ? "https://" : "http://") :  (($_SERVER["SERVER_PORT"]===$pv_sslport) ? "https://" : "http://");

$pv_URIprotocol is now correct and ready to be used; example $site=$pv_URIprotocol.$_SERVER["SERVER_NAME"]. Naturally, the string could be replaced with TRUE and FALSE also. PV stands for PortalPress Variable as it is a direct copy-paste which will always work. This piece can be used in a production script.

Toon Krijthe · Accepted Answer · 2012-10-28 00:24:59Z

3

I don't think that adding a port is good idea - specially when you got many servers with different builds. that just adds one more thing to remember to change. looking at doc's I think the last line of kaisers is quite good, so that:

if(!empty($_SERVER["HTTPS"]))
  if($_SERVER["HTTPS"]!=="off")
    return 1; //https
  else
    return 0; //http
else
  return 0; //http

seems like perfectly enough.

edited Oct 28, 2012 at 0:24

Toon Krijthe

53.6k38 gold badges151 silver badges204 bronze badges

answered Mar 14, 2012 at 19:43

sp3c1

311 bronze badge

Comments

Galvani · Accepted Answer · 2013-01-22 12:41:45Z

3

The only reliable method is the one described by Igor M.

$pv_URIprotocol = isset($_SERVER["HTTPS"]) ? (($_SERVER["HTTPS"]==="on" || $_SERVER["HTTPS"]===1 || $_SERVER["SERVER_PORT"]===$pv_sslport) ? "https://" : "http://") :  (($_SERVER["SERVER_PORT"]===$pv_sslport) ? "https://" : "http://");

Consider following: You are using nginx with fastcgi, by default(debian, ubuntu) fastgi_params contain directive:

fastcgi_param HTTPS $https;

if you are NOT using SSL, it gets translated as empty value, not 'off', not 0 and you are doomed.

http://unpec.blogspot.cz/2013/01/nette-nginx-php-fpm-redirect.html

answered Jan 22, 2013 at 12:41

Galvani

2462 silver badges9 bronze badges

Comments

Werezywolf · Accepted Answer · 2013-10-07 01:45:48Z

3

I find these params acceptable as well and more then likely don't have false positives when switching web servers.

$_SERVER['HTTPS_KEYSIZE']
$_SERVER['HTTPS_SECRETKEYSIZE']
$_SERVER['HTTPS_SERVER_ISSUER']

$_SERVER['HTTPS_SERVER_SUBJECT']

if($_SERVER['HTTPS_KEYSIZE'] != NULL){/*do foobar*/}

answered Oct 7, 2013 at 1:45

Werezywolf

311 bronze badge

1 Comment

Brad Over a year ago

This doesn't tell you anything about HTTPS usage with a load balancer/proxy.

Markus Zeller · Accepted Answer · 2014-03-09 14:56:24Z

3

Shortest way I am using:

$secure_connection = !empty($_SERVER['HTTPS']);

If if https is used, then $secure_connection is true.

answered Mar 9, 2014 at 14:56

Markus Zeller

9,2142 gold badges34 silver badges39 bronze badges

2 Comments

Xavi Esteve Over a year ago

echo (!empty($_SERVER['HTTPS'])?'https':'http'); gives you http or https

Tivie Over a year ago

,make it (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')

Paolo Bergantino · Accepted Answer · 2009-07-24 00:04:52Z

2

You could check $_SERVER['SERVER_PORT'] as SSL normally runs on port 443, but this is not foolproof.

edited Jul 24, 2009 at 0:04

Paolo Bergantino

490k83 gold badges523 silver badges437 bronze badges

answered Jul 23, 2009 at 23:51

pix0r

31.3k18 gold badges88 silver badges102 bronze badges

1 Comment

Tyler Carter Over a year ago

$_SERVER['SERVER_PORT'] does however.

toni rmc · Accepted Answer · 2014-08-10 02:50:04Z

2

What do you think of this?

if (isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off')
    $scheme = 'https';
else
    $scheme = 'http';

answered Aug 10, 2014 at 2:50

toni rmc

8782 gold badges10 silver badges28 bronze badges

3 Comments

toni rmc Over a year ago

Yes there is. If you rely only on empty() PHP will exit with error if there is no 'HTTPS' index.

John Magnolia Over a year ago

"empty() is essentially the concise equivalent to !isset($var) || $var == false" - php.net/manual/en/function.empty.php

toni rmc Over a year ago

You are right. Funny I missed that one. I always thought empty() will fail if variable does not exist.

Karry · Accepted Answer · 2014-12-28 23:26:55Z

2

On my server (Ubuntu 14.10, Apache 2.4, php 5.5) variable $_SERVER['HTTPS'] is not set when php script is loaded via https. I don't know what is wrong. But following lines in .htaccess file fix this problem:

RewriteEngine on

RewriteCond %{HTTPS} =on [NC] 
RewriteRule .* - [E=HTTPS:on,NE]

answered Dec 28, 2014 at 23:26

Karry

4014 silver badges4 bronze badges

Comments

crmpicco · Accepted Answer · 2014-03-12 13:45:36Z

1

Here is a re-usable function that I have been using for a while. HTH.

Note: The value of HTTPS_PORT (which is a custom constant in my code) may vary on your envrionment, for example it may be 443 or 81.

/**
 * Determine if this is a secure HTTPS connection
 * 
 * @return  bool    True if it is a secure HTTPS connection, otherwise false.
 */
function isSSL()
{
    if (isset($_SERVER['HTTPS'])) {
        if ($_SERVER['HTTPS'] == 1) {
            return true;
        } elseif ($_SERVER['HTTPS'] == 'on') {
            return true;
        }
    } elseif ($_SERVER['SERVER_PORT'] == HTTPS_PORT) {
        return true;
    }

    return false;
}

answered Mar 12, 2014 at 13:45

crmpicco

17.3k31 gold badges142 silver badges223 bronze badges

Comments

John Smith · Accepted Answer · 2015-07-06 06:44:42Z

1

just for interest, chrome canary at the moment sends

HTTPS : 1

to the server, and depending on how the server is configured can mean that you get back the following

HTTPS : 1, on

This broke our application because we were testing if on, which it obviously isn't. At the moment, only chrome canary seems to do this, but its worth noting that things from canary generally land in "normal" chrome a short while later.

answered Jul 6, 2015 at 6:44

John Smith

1,8141 gold badge16 silver badges17 bronze badges

Comments

basis · Accepted Answer · 2015-07-29 08:46:11Z

1

If You use nginx as loadbalancing system check $_SERVER['HTTP_HTTPS'] == 1 other checks will be fail for ssl.

answered Jul 29, 2015 at 8:46

basis

1502 silver badges8 bronze badges

Comments

mikep · Accepted Answer · 2017-01-20 17:02:35Z

$secure_connection = ((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') || (!empty($_SERVER['HTTP_HTTPS']) && $_SERVER['HTTP_HTTPS'] != 'off') || $_SERVER['REQUEST_SCHEME'] == 'https' || $_SERVER['SERVER_PORT'] == 443) ? true : false;

Code is checking anything possible and works also on IIS web server. Chrome since v44 do not set header HTTP: 1 so checking HTTP_HTTPS is OK. If this code does not match https it means your webserver or proxy server is poorly configured. Apache itself sets HTTPS flag correctly but there can be problem when you use proxy (e.g. nginx). You must set some header in nginx https virtual host

proxy_set_header   X-HTTPS 1;

and use some Apache module to set HTTPS flag correctly by looking for X-HTTPS from proxy. Search for mod_fakessl, mod_rpaf, etc.

Apps-n-Add-Ons · Accepted Answer · 2018-04-09 16:27:41Z

I have occasion to go a step further and determine if the site I'm connecting to is SSL capable (one project asks the user for their URL and we need to verify they have installed our API pack on a http or https site).

Here's the function I use - basically, just call the URL via cURL to see if https works!

function hasSSL($url) 
{
    // take the URL down to the domain name
    $domain = parse_url($url, PHP_URL_HOST);
    $ch = curl_init('https://' . $domain);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'HEAD'); //its a  HEAD
    curl_setopt($ch, CURLOPT_NOBODY, true);          // no body
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);  // in case of redirects
    curl_setopt($ch, CURLOPT_VERBOSE, 0); //turn on if debugging
    curl_setopt($ch, CURLOPT_HEADER, 1);     //head only wanted
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);    // we dont want to wait forever
    curl_exec($ch);
    $header = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($header === 200) {
        return true;
    }
    return false;
}

This is the most reliable way I have found to not only find out IF you are using https (as the question asks), but if you COULD (or even SHOULD) be using https.

NOTE: it is possible (though not really likely...) that a site could have different http and https pages (so if you are told to use http, maybe you don't need to change..) The vast majority of sites are the same, and probably should reroute you themselves, but this additional check has its use (certainly as I said, in the project where the user inputs their site info and you want to make sure from the server side)

garafajon · Accepted Answer · 2019-07-02 21:57:01Z

1

I used the main suggestion here and got annoyed at the "PHP Notice" in the logs when HTTPS was not set. You can avoid it by using the null-coalescing operator "??":

if( ($_SERVER['HTTPS'] ?? 'off') == 'off' ) {
    // redirect
}

(Note: not available prior to php v7)

answered Jul 2, 2019 at 21:57

garafajon

1,47816 silver badges15 bronze badges

Comments

Nadav · Accepted Answer · 2016-12-07 02:20:39Z

0

If you are using Incapsula's load balancer you'll need to use an IRule to generate a custom header for your server. I created an HTTP_X_FORWARDED_PROTO header that is equal to either "http" if the port is set to 80 and "https" if it is equal to 443.

answered Dec 7, 2016 at 2:20

Nadav

1,1451 gold badge11 silver badges23 bronze badges

Comments

codediesel · Accepted Answer · 2017-07-19 12:44:50Z

0

I would add a global filter to ensure everything I am checking is correct;

function isSSL() {

    $https = filter_input(INPUT_SERVER, 'HTTPS');
    $port = filter_input(INPUT_SERVER, 'SERVER_PORT');
    if ($https) {

        if ($https == 1) {
            return true;
        } elseif ($https == 'on') {
            return true;
        }
    } elseif ($port == '443') {
        return true;
    }

    return false;
}

edited Jul 19, 2017 at 12:44

answered Jul 19, 2017 at 12:27

codediesel

736 bronze badges

Comments

Fhulufhelo Mokhomi · Accepted Answer · 2018-06-27 14:10:34Z

0

This is how i find solve this

$https = !empty($_SERVER['HTTPS']) && strcasecmp($_SERVER['HTTPS'], 'on') === 0 ||
        !empty($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
            strcasecmp($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') === 0;

return ($https) ? 'https://' : 'http://';

answered Jun 27, 2018 at 14:10

Fhulufhelo Mokhomi

6176 silver badges6 bronze badges

Comments

Zimba · Accepted Answer · 2020-08-18 15:49:37Z

0

If you don't have control of the web server & don't know which variables have been set, upload this php to find out:

<?php
echo "<br>1 ".$_SERVER["HTTPS"];
echo "<br>2 ".$_SERVER["SERVER_PORT"];
echo "<br>3 ".$_SERVER["HTTP_X_FORWARDED_PROTO"];
echo "<br>4 ".$_SERVER["HTTP_X_FORWARDED_SSL"];
echo "<br>5 ".$_SERVER["HTTP_HTTPS"];
echo "<br>6 ".$_SERVER["REQUEST_SCHEME"];
?>

<html>
<body>
<br>
Just cruising
</body>
</html>

answered Aug 18, 2020 at 15:49

Zimba

3,85524 silver badges27 bronze badges

Comments

Rotimi · Accepted Answer · 2021-05-15 12:53:12Z

0

I use cloudflare for my systems. I had to access the $_SERVER['HTTP_CF_VISITOR'] value.

$isSsl = false; 
    if (isset($_SERVER['HTTP_CF_VISITOR'])) {
        $cfDecode = json_decode($_SERVER['HTTP_CF_VISITOR']);
        if (!empty($cfDecode) && !empty($cfDecode->scheme) && $cfDecode->scheme == 'https') {
            $isSsl = true;
        }
    }
var_dump($isSsl);

answered May 15, 2021 at 12:53

Rotimi

4,7804 gold badges21 silver badges28 bronze badges

Comments

Amr · Accepted Answer · 2024-07-11 15:09:27Z

When you're using a load balancer that terminates SSL/TLS connections, the connection between the load balancer and your backend server might be plain HTTP. This can cause your PHP script to detect the connection as HTTP instead of HTTPS. To correctly identify the connection as HTTPS, you can check for headers set by the load balancer.

Many load balancers (including AWS Elastic Load Balancing) set specific headers to indicate that the original connection was secure. Here are some common headers:

X-Forwarded-Proto
X-Forwarded-Scheme
X-Forwarded-SSL

Using REQUEST_SCHEME and SERVER_PORT can also help in detecting whether the connection is secure (HTTPS) or not. These server variables provide additional information about the request scheme and the port used.

You can modify your PHP script to check these headers and determine if the original connection was HTTPS. Here's an example of how you can do this:

<?php
function isHttps() {
    if ((isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] === 'on' || $_SERVER['HTTPS'] == 1)) ||
        (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') ||
        (isset($_SERVER['HTTP_X_FORWARDED_SCHEME']) && strtolower($_SERVER['HTTP_X_FORWARDED_SCHEME']) === 'https') ||
        (isset($_SERVER['HTTP_X_FORWARDED_SSL']) && ($_SERVER['HTTP_X_FORWARDED_SSL'] === 'on' || $_SERVER['HTTP_X_FORWARDED_SSL'] == 1)) ||
        (isset($_SERVER['REQUEST_SCHEME']) && strtolower($_SERVER['REQUEST_SCHEME']) === 'https') ||
        (isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 443)) {
        return true;
    }

    return false;
}

// Usage
if ( isHttps() ) {
    echo "The connection is secure (HTTPS).";
} else {
    echo "The connection is not secure (HTTP).";
}
?>

anzz1 · Accepted Answer · 2025-10-02 18:44:20Z

Combining all the previous answers, here's a comprehensive function:

function isSSL() {
  return (($_SERVER['SERVER_PORT'] == 443) ||
  (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') ||
  (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') ||
  (!empty($_SERVER['HTTP_X_FORWARDED_SCHEME']) && strtolower($_SERVER['HTTP_X_FORWARDED_SCHEME']) === 'https') ||
  (!empty($_SERVER['HTTP_X_FORWARDED_SSL']) && strtolower($_SERVER['HTTP_X_FORWARDED_SSL']) !== 'off'));
}

Note that empty() also checks whether the variable is zero (including numerical zero 0 and string zero "0"), unlike isset(), so it is preferable here. This can be confusing at times since I wouldn't consider a string that contains "0" as "empty" like PHP does, but it works perfectly for our needs here.

And here's how you would redirect requests to HTTPS using PHP if you wish:

if (!isSSL()) {
  header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 307);
  exit();
}

user128026 · Accepted Answer · 2009-07-24 00:02:23Z

-8

As per hobodave's post: "Set to a non-empty value if the script was queried through the HTTPS protocol."

if (!empty($_SERVER['HTTPS']))
{
    $secure_connection = true;
}

answered Jul 24, 2009 at 0:02

user128026

6534 silver badges8 bronze badges

1 Comment

Tivie Over a year ago

make it (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')

Collectives™ on Stack Overflow

30 Answers 30

Basic Approach

Consideration for Load Balancers

Alternative Approach: Using Symfony's Request Class

Installation

Using $request->isSecure()

Handling Proxies and Load Balancers

13 Comments

11 Comments

5 Comments

Comments

2 Comments

3 Comments

1 Comment

Comments

Comments

Comments

Comments

1 Comment

2 Comments

1 Comment

3 Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

Comments

1 Comment

Your Answer

Sign up or log in

Post as a guest

Linked

Related

Alternative Approach: Using Symfony's `Request` Class

Using `$request->isSecure()`