Upcoming Official Symfony Conferences
  1. Home
  2. Documentation
  3. Security
  4. How to Force HTTPS or HTTP for different URLs

You are browsing the Symfony 4 documentation, which changes significantly from Symfony 3.x. If your app doesn't use Symfony 4 yet, browse the Symfony 3.4 documentation.

How to Force HTTPS or HTTP for different URLs

4.1 version
Maintained
2.8 3.4 4.2 master
Unmaintained
2.7 3.0 3.1 3.2 3.3 4.0
edit this page

How to Force HTTPS or HTTP for different URLs

You can force areas of your site to use the HTTPS protocol in the security config. This is done through the access_control rules using the requires_channel option. For example, if you want to force all URLs starting with /secure to use HTTPS then you could use the following configuration:

  • YAML
    1
2
3
4
5
6
    # config/packages/security.yaml
security:
    # ...

    access_control:
        - { path: ^/secure, roles: ROLE_ADMIN, requires_channel: https }
  • XML
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
    <!-- config/packages/security.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:srv="http://symfony.com/schema/dic/services"
    xsi:schemaLocation="http://symfony.com/schema/dic/services
        http://symfony.com/schema/dic/services/services-1.0.xsd">

    <config>
        <!-- ... -->

        <rule path="^/secure" role="ROLE_ADMIN" requires_channel="https" />
    </config>
</srv:container>
  • PHP
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
    // config/packages/security.php
$container->loadFromExtension('security', array(
    // ...

    'access_control' => array(
        array(
            'path'             => '^/secure',
            'role'             => 'ROLE_ADMIN',
            'requires_channel' => 'https',
        ),
    ),
));

The login form itself needs to allow anonymous access, otherwise users will be unable to authenticate. To force it to use HTTPS you can still use access_control rules by using the IS_AUTHENTICATED_ANONYMOUSLY role:

  • YAML
    1
2
3
4
5
6
    # config/packages/security.yaml
security:
    # ...

    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
  • XML
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
    <!-- config/packages/security.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:srv="http://symfony.com/schema/dic/services"
    xsi:schemaLocation="http://symfony.com/schema/dic/services
        http://symfony.com/schema/dic/services/services-1.0.xsd">

    <config>
        <!-- ... -->

        <rule path="^/login"
            role="IS_AUTHENTICATED_ANONYMOUSLY"
            requires_channel="https"
        />
    </config>
</srv:container>
  • PHP
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
    // config/packages/security.php
$container->loadFromExtension('security', array(
    // ...

    'access_control' => array(
        array(
            'path'             => '^/login',
            'role'             => 'IS_AUTHENTICATED_ANONYMOUSLY',
            'requires_channel' => 'https',
        ),
    ),
));

It is also possible to specify using HTTPS in the routing configuration, see How to Force Routes to Always Use HTTPS or HTTP for more details.

Note

Forcing HTTPS while using a reverse proxy or load balancer requires a proper configuration to avoid infinite redirect loops; see How to Configure Symfony to Work behind a Load Balancer or a Reverse Proxy for more details.

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.