summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--.htaccess12
-rw-r--r--CHANGELOG.txt3
2 files changed, 13 insertions, 2 deletions
diff --git a/.htaccess b/.htaccess
index 246edc2..5ca1b08 100644
--- a/.htaccess
+++ b/.htaccess
@@ -56,6 +56,13 @@ DirectoryIndex index.php index.html index.htm
<IfModule mod_rewrite.c>
RewriteEngine on
+ # Set "protossl" to "s" if we were accessed via https://. This is used later
+ # if you enable "www." stripping or enforcement, in order to ensure that
+ # you don't bounce between http and https.
+ RewriteRule ^ - [E=protossl]
+ RewriteCond %{HTTPS} on
+ RewriteRule ^ - [E=protossl:s]
+
# Block access to "hidden" directories whose names begin with a period. This
# includes directories used by version control systems such as Subversion or
# Git to store control files. Files whose names begin with a period, as well
@@ -78,14 +85,15 @@ DirectoryIndex index.php index.html index.htm
# To redirect all users to access the site WITH the 'www.' prefix,
# (http://example.com/... will be redirected to http://www.example.com/...)
# uncomment the following:
+ # RewriteCond %{HTTP_HOST} .
# RewriteCond %{HTTP_HOST} !^www\. [NC]
- # RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
+ # RewriteRule ^ http%{ENV:protossl}://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#
# To redirect all users to access the site WITHOUT the 'www.' prefix,
# (http://www.example.com/... will be redirected to http://example.com/...)
# uncomment the following:
# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
- # RewriteRule ^ http://%1%{REQUEST_URI} [L,R=301]
+ # RewriteRule ^ http%{ENV:protossl}://%1%{REQUEST_URI} [L,R=301]
# Modify the RewriteBase if you are using Drupal in a subdirectory or in a
# VirtualDocumentRoot and the rewrite rules are not working properly.
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 2ecf548..6b2c303 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,6 +1,9 @@
Drupal 7.18, xxxx-xx-xx (development version)
-----------------------
+- Made the default .htaccess rules protocol sensitive to improve security for
+ sites which use HTTPS and redirect between "www" and non-"www" versions of
+ the page.
Drupal 7.17, 2012-11-07
-----------------------