Symfony
sponsored by SensioLabs
Menu
  • About
  • Documentation
  • Screencasts
  • Cloud
  • Certification
  • Community
  • Businesses
  • News
  • Download
  1. Home
  2. Documentation
  3. Security
  4. How to Force HTTPS or HTTP for different URLs
  • Documentation
  • Book
  • Reference
  • Bundles
  • Cloud
Search by Algolia

How to Force HTTPS or HTTP for different URLs

Edit this page

How to Force HTTPS or HTTP for different URLs

Tip

The best policy is to force https on all URLs, which can be done via your web server configuration or access_control.

You can force areas of your site to use the HTTPS protocol in the security config. This is done through the access_control rules using the requires_channel option. To enforce HTTPS on all URLs, add the requires_channel config to every access control:

  • YAML
  • XML
  • PHP
1
2
3
4
5
6
7
8
9
# config/packages/security.yaml
security:
    # ...

    access_control:
        - { path: '^/secure', roles: ROLE_ADMIN, requires_channel: https }
        - { path: '^/login', roles: PUBLIC_ACCESS, requires_channel: https }
        # catch all other URLs
        - { path: '^/', roles: PUBLIC_ACCESS, requires_channel: https }
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<!-- config/packages/security.xml -->
<?xml version="1.0" encoding="UTF-8" ?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:srv="http://symfony.com/schema/dic/services"
    xsi:schemaLocation="http://symfony.com/schema/dic/services
        https://symfony.com/schema/dic/services/services-1.0.xsd
        http://symfony.com/schema/dic/security
        https://symfony.com/schema/dic/security/security-1.0.xsd">

    <config>
        <!-- ... -->

        <rule path="^/secure" role="ROLE_ADMIN" requires-channel="https"/>
        <rule path="^/login" role="PUBLIC_ACCESS" requires-channel="https"/>
        <rule path="^/" role="PUBLIC_ACCESS" requires-channel="https"/>
    </config>
</srv:container>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
// config/packages/security.php
use Symfony\Config\SecurityConfig;

return static function (SecurityConfig $security) {
    // ....

    $security->accessControl()
        ->path('^/secure')
        ->roles(['ROLE_ADMIN'])
        ->requiresChannel('https')
    ;

    $security->accessControl()
        ->path('^/login')
        ->roles(['PUBLIC_ACCESS'])
        ->requiresChannel('https')
    ;

    $security->accessControl()
        ->path('^/')
        ->roles(['PUBLIC_ACCESS'])
        ->requiresChannel('https')
    ;
};

To make life easier while developing, you can also use an environment variable, like requires_channel: '%env(SECURE_SCHEME)%'. In your .env file, set SECURE_SCHEME to http by default, but override it to https on production.

See How Does the Security access_control Work? for more details about access_control in general.

Note

An alternative way to enforce HTTP or HTTPS is to use the scheme option of a route or group of routes.

Note

Forcing HTTPS while using a reverse proxy or load balancer requires a proper configuration to avoid infinite redirect loops; see How to Configure Symfony to Work behind a Load Balancer or a Reverse Proxy for more details.

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.
We stand with Ukraine.
Version:

Symfony Security is backed by

Symfony Code Performance Profiling

Symfony Code Performance Profiling

Peruse our complete Symfony & PHP solutions catalog for your web development needs.

Peruse our complete Symfony & PHP solutions catalog for your web development needs.

↓ Our footer now uses the colors of the Ukrainian flag because Symfony stands with the people of Ukraine.

Avatar of xaav, a Symfony contributor

Thanks xaav for being a Symfony contributor

1 commit • 325 lines changed

View all contributors that help us make Symfony

Become a Symfony contributor

Be an active part of the community and contribute ideas, code and bug fixes. Both experts and newcomers are welcome.

Learn how to contribute

Symfony™ is a trademark of Symfony SAS. All rights reserved.

  • What is Symfony?
    • Symfony at a Glance
    • Symfony Components
    • Case Studies
    • Symfony Releases
    • Security Policy
    • Logo & Screenshots
    • Trademark & Licenses
    • symfony1 Legacy
  • Learn Symfony
    • Symfony Docs
    • Symfony Book
    • Reference
    • Bundles
    • Best Practices
    • Training
    • eLearning Platform
    • Certification
  • Screencasts
    • Learn Symfony
    • Learn PHP
    • Learn JavaScript
    • Learn Drupal
    • Learn RESTful APIs
  • Community
    • SymfonyConnect
    • Support
    • How to be Involved
    • Code of Conduct
    • Events & Meetups
    • Projects using Symfony
    • Downloads Stats
    • Contributors
    • Backers
  • Blog
    • Events & Meetups
    • A week of symfony
    • Case studies
    • Cloud
    • Community
    • Conferences
    • Diversity
    • Documentation
    • Living on the edge
    • Releases
    • Security Advisories
    • SymfonyInsight
    • Twig
    • SensioLabs
  • Services
    • SensioLabs services
    • Train developers
    • Manage your project quality
    • Improve your project performance
    • Host Symfony projects
    Deployed on
Follow Symfony
Search by Algolia