We have moved our forum to GitHub Discussions. For questions about Phalcon v3/v4/v5 you can visit here and for Phalcon v6 here.

Force HTTPS?

So in an ordinary PHP application if I wanted to force https I would put in each page something like this:

if($_SERVER["HTTPS"] != "on")
    header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);

But within the context of Phalcon is there some way to do this? Would I put that inside my dispatcher somewhere?

edited Jun '14

I don't think Phalcon has specific built-in functionality to provide this. One note though: $_SERVER["HTTPS"] won't even be set if the user is viewing via http, so you'll want to change your condition to:


Do you have access to the server? On my servers, I have one host that answers to HTTP requests, and one that answers to HTTPS requests. I've just set up a redirect on the HTTP host to forward all requests to the HTTPS host. I think that could be done with an .htaccess file as well, which I feel would be best, as it doesn't require firing up PHP.

If you don't have access, just paste this in the top of your index.php file. One

edited Jun '14

on the docs

$router->add('/login', array(
    'module' => 'admin',
    'controller' => 'session'
))->beforeMatch(function($uri, $route) {
    //Check if the request was made with Ajax
    if ($_SERVER['HTTP_X_REQUESTED_WITH'] == 'xmlhttprequest') {
        return false;
    return true;

you can implement the check.

like here https://stackoverflow.com/questions/1175096/how-to-find-out-if-you-are-using-https-without-serverhttps


Phalcon use this:

    $request = new \Phalcon\Http\Request();



@blm14 Hi! Did you solved your problem? ;> How your code looks like and where have you put it? I am having this problem now.

edited Nov '14

I have a base controller that is parent class for other controllers it looks like this:


class ControllerBase extends \Phalcon\Mvc\Controller {

    public function beforeExecuteRoute() {

         * Force HTTPS. 
            $url = "https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
            return false;
        return true;

What do you think? I was wondering if this is going to work if request is other then GET? I am worry that it will not work.

Why You are not use 301 redirect in http-server settings? (.htaccess for Apache)


I have finally decided to make an server redirection in apache, as vitalikoziy suggested. Thanks @vitaliykoziy !

Full: https://forum.phalcon.io/discussion/4055/how-to-force-https#C13651

Usually you can force redirect SSL in PHP from .htaccess file by adding following code in it

# Redirect HTTP to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]