Skip To main Content

Setting Up and Locking Down Secure Pages in Drupal

Abstract person at laptop with lock icon overlay

Drupal is one of the leading full-featured content management systems available today. One of the reasons the CMS remains so popular is because it is open source: anybody with a great idea can—and often will—contribute functionality in the form of a module. Secure Pages is one such module that brings fast SSL functionality to your website. By using this module, it's possible to protect user data without sacrificing speed.

Secure Pages is not required though to provide global https pages for either Drupal 7 or 8. A global setting can be set in settings.php. This module provides functionality for sites that require pages that can serve both http and https [mixed-mode]. As of September 2019 Secure Pages as not been ported to Drupal 8 and mixed-mode support has been removed from core. If mixed-mode is required a custom solution would need to be provided.

How to Use Drupal Secure Pages

Step 1: Obtain an SSL Certificate

Secure Pages will not work if your website doesn't have an active SSL certificate, which is required to encrypt transferred data. You should be able to obtain a certificate from your hosting provider, or you can seek out an external provider. 

Step 2: Download the Module

Once you've ensured that your SSL certificate is installed and functional, download the Secure Pages module.

Step 3: Extract the Module 

Next, you'll need to extract the .zip file of the module into your /sites/all/modulesfile. This step makes the module's files available to your website.

Step 4: Enable the Module

The final step for installing the module is to enable it from the Drupal admin interface. 

The next steps are necessary to finalize the setup and ensure that Secure Pages functionality works on your website. 

Step 5: Canonicalize the Website

If the .htaccess file is not configured to force a redirect to www or non-www, it's important to fix that. This step redirects all visitors to the same url, either with or without the www. The Secure Pages documentation explains in detail how to do this.

Step 6: Edit the Settings File

Finally, there are a few lines of code that must be added to the settings.php file. The critical step is to insert the following code somewhere in the php file:

$conf['https'] = TRUE;

Without this line, Drupal will not be able to handle SSL requests. The Secure Pages documentation also explains some optional steps, including setting the base url and adding the cookie domain, which may be necessary on some installations.

Step 7: Download Core Patches

There are bugs in every module. Simply install these patches to your root Drupal directory to correct known errors with the Secure Pages module.

Let Neon Rain Secure Your Website

Proper HTTPS handling is critical if users are to trust your website, but it can be difficult, even with a relatively straightforward module. Let the Drupal experts at Neon Rain help you, instead: give us a call at 303-957-3092 to get started.

Don't forgot to share this post!