yggdrasil

Switch to HTTPS for admin side


It would be nice if WHMCS developers decided to switch to HTTPS for all links on domains/urls on the admin side, or at least give us a choice.

It's very annoying that when you open a customer domain or another URL it defaults to HTTP only. I understand this comes from legacy code, but since the web is moving towards https only, I see more sites with HTTPS than without it. In particular since most browsers now complain the site is insecure. I'm talking about the links in the admin and customer profile. My installation and site have run only under https for years but opening the www button and other links from the admin interface still does this with http://example.com for customers' domains and it forces me to manually edit the url in the browser when some site complains about the certificate. In most cases I also need to test or debug the https version only so I don't care about opening the HTTP site.


The sites you're opening are not coded properly then.

Sites should be redirecting visitors (without any error) to the https:// equivalent. Usually this is done via .htaccess redirect.

51 minutes ago, slim said:

The sites you're opening are not coded properly then.

Sites should be redirecting visitors (without any error) to the https:// equivalent. Usually this is done via .htaccess redirect.

That's on the client running the site, not the WHMCS admin clicking a link to go there from within WHMCS.
As for that link being http or https, not all sites have gone secured, so it's a toss up as to which will be correct in all cases. Hard to predict which it will be...

1 hour ago, slim said:

The sites you're opening are not coded properly then.

Sites should be redirecting visitors (without any error) to the https:// equivalent. Usually this is done via .htaccess redirect.

Did you even read what I posted? I'm talking here about WHMCS and the links you click on WHMCS staff side, not how someone has his website/server configured.

11 minutes ago, bear said:

That's on the client running the site, not the WHMCS admin clicking a link to go there from within WHMCS.
As for that link being http or https, not all sites have gone secured, so it's a toss up as to which will be correct in all cases. Hard to predict which it will be...

Yes, I understand this is why it should be optional. Maybe a switch on the settings to default links on domains to HTTP or HTTPS (admin choice). While not everyone has switched to HTTPS yet, I would say that the % now is more inclined to HTTPS than HTTP. I personally would prefer to open them in HTTPS now.


Yes, I read and fully understood what you wrote. My point is valid - WHMCS's default behavior is perfectly fine linking to HTTP:// because sites should be coded CORRECTLY to redirect visitors to https:// 

Any site that doesn't has a technical issue that should be solved.

Edited by slim

3 hours ago, yggdrasil said:

Yes, I understand this is why it should be optional.

I know you understand, I was referring to slim's post (and why I'd quoted it). 😉
I agree there could and should be a setting to choose, but it's like so many things in this system (hard coded UK dates on domain sync, for instance), it gets encoded and untouchable or needs yet another hook. 

8 hours ago, slim said:

Yes, I read and fully understood what you wrote. My point is valid - WHMCS's default behavior is perfectly fine linking to HTTP:// because sites should be coded CORRECTLY to redirect visitors to https:// 

Any site that doesn't has a technical issue that should be solved.

No, your point is not valid. Nobody has control on what other websites do on the Internet. Some domains in our WHMCS are not hosted with us, we can't do anything if they are not redirected to HTTPS by default. Your logic is that we should contact them and tell them to please redirect to HTTPS so our staff or admin can avoid typing S in the address bar manually? Good luck with that! If I want HTTPS I should request that, not HTTP. Why would I request an insecure protocol when I want the secure one?

Second, using HTTP and not redirecting to HTTPS is not a technical issue, it's a choice. It's not incorrectly coded either. Some domains might prefer to stick to HTTP for their own reasons, again, why should I or you or anyone else tell someone how they should manage their websites? You don't seem to realize that we are not talking here about what people do on their websites/server. Some domains might not even resolve because they have no hosting, or some are not redirected to anywhere...and are just dead. This has nothing to do with how websites are set up on a server. You are confusing things. We are talking here about how you open links on the admin side inside WHMCS for customers' domains, not how people decide to set up their websites on whatever cloud or service they picked.

You also contradict your own point. First you say WHMCS works perfectly fine (using HTTP on links) but then claim it's a technical issue on those sites...

Why would you use HTTP and then redirect to HTTPS when you can use HTTPS directly? If you want one protocol, you should request exactly that, not something else and expect a redirection. Redirections have overhead, and they also take longer. Even if all websites in the world use HTTPS tomorrow, it would be really moronic to still link all websites to HTTP instead of HTTPS (because you assume they should redirect). Why would you prefer to have your browser take longer to load a site on every single click? Why would you prefer a web server to redirect first when you can request the correct request from start?

Websites redirect to HTTPS because a lot of older software and protocols (just like WHMCS) use HTTP by default. This is the main reason. It's a temporary fix, not a solution, you are not supposed to stick to redirections in the long run.

If you want to go more technical, using HTTP by default means you are connecting with an insecure handshake first, before redirecting to HTTPS. In fact it's not even allowed under HSTS anymore which means redirecting from HTTP to HTTPS is completely avoided, you should not even accept HTTP connections at all if you are planning to go that route:

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Edited by yggdrasil
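
Added example, not part of the original thread and not WHMCS code: a minimal JavaScript model of the client-side HSTS behaviour defined in RFC 6797, showing which URL a browser actually requests when it follows an `http://` link like the ones discussed above. The `HstsStore` class, the host names and the header values are constructed for illustration.

```javascript
// Added example: minimal model of a browser's HSTS store (RFC 6797).
// HstsStore and all hosts/header values are constructed for illustration.
class HstsStore {
  constructor() { this.policies = new Map(); } // host -> { expires, includeSubDomains }

  // Record a Strict-Transport-Security header. The header is honoured only
  // on an HTTPS response; over plain HTTP it is ignored.
  noteHeader(url, headerValue, nowSec) {
    const u = new URL(url);
    if (u.protocol !== "https:") return false;
    let maxAge = null, includeSubDomains = false;
    for (const part of headerValue.split(";")) {
      const [name, raw = ""] = part.trim().split("=");
      const key = name.trim().toLowerCase();
      if (key === "max-age") {
        const v = raw.trim().replace(/^"(.*)"$/, "$1");
        if (!/^\d+$/.test(v)) return false; // malformed max-age: ignore header
        maxAge = Number(v);
      } else if (key === "includesubdomains") {
        includeSubDomains = true;
      }
    }
    if (maxAge === null) return false; // max-age is mandatory
    if (maxAge === 0) this.policies.delete(u.hostname); // max-age=0 clears the policy
    else this.policies.set(u.hostname, { expires: nowSec + maxAge, includeSubDomains });
    return true;
  }

  // Exact host match, or a parent domain whose policy has includeSubDomains.
  isKnownHstsHost(host, nowSec) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const p = this.policies.get(labels.slice(i).join("."));
      if (p && p.expires > nowSec && (i === 0 || p.includeSubDomains)) return true;
    }
    return false;
  }

  // The URL the client actually requests when an http:// link is followed.
  resolveLink(href, nowSec) {
    const u = new URL(href);
    const upgraded = u.protocol === "http:" && this.isKnownHstsHost(u.hostname, nowSec);
    if (upgraded) u.protocol = "https:"; // rewritten locally, no cleartext request
    return { url: u.href, upgraded };
  }
}
```

For a host with no stored policy (a first visit, or a site that never sends the header), `resolveLink` leaves the `http://` URL unchanged, so that request still leaves the client in cleartext; only a link that is already `https://` avoids it.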
