Securing your site

What is SSL?

SSL (Secure Sockets Layer) is a protocol that sits underneath HTTP and allows information transmitted between Ubercart and your web browser (and, more importantly, your customers' web browsers) to be encrypted. This reduces the chances of a third party, such as a hacker or other malicious user, intercepting sensitive information while it is in transit to and from the website. You can tell when you are on a secure connection if the address of the website you are on starts with https instead of the usual http. Most Internet shoppers these days will not buy from an online store if the site doesn't use an SSL certificate during the checkout process.

If you are using Ubercart to sell items, it is a good idea to secure your site using SSL and a Secure Certificate. The steps involved are few, and there are plenty of helpful guides around the internet.

Step 1: Get certified
The first thing you'll need is the certificate itself. There are many vendors out there, including VeriSign, GeoTrust, and RapidSSL. You can purchase the SSL from them directly, or find a reseller such as The SSL Store.

Purchasing an SSL certificate can take anywhere from a few minutes to several days, depending on the level of security your business requires. Your best option, for your money, is probably a QuickSSL Premium certificate which can be purchased from most vendors. It costs under $100 a year and contains a "single root certificate" which is important for browser compatibility. Cheaper SSL certificates, such as the $30-per-year certificates from GoDaddy, offer "chained" root certificates and tend to cause errors in some web browsers, most notably Safari for Mac.

Instructions for installing the SSL certificate itself vary by server. For instance, installing a certificate on Apache is different from installing one on Windows, and Plesk users have an interface that allows easy uploading and installation of the certificate. Here's a good guide for some common certificates: http://www.digicert.com/ssl-certificate-installation.htm

Note: If you get an error (or connection issue) when trying to connect to your site on the https protocol, it may be that your server needs to be configured for SSL. Contact your hosting provider and ask them to help you out - OpenSSL is commonly bundled with most PHP installations.

Step 2: Get the modules
Once you have your SSL certificate installed, you'll need to tell Drupal what to do with those secure paths. The first thing you'll need is the Secure Pages module, found at http://drupal.org/project/securepages. Install and enable it.

Additionally, you should get the Secure Pages Hijack Prevention module, as this can help further secure your site, especially if you plan on serving non-SSL content. This is pretty common for most sites (you probably don't want to secure every page on your site) so downloading and enabling this module is a good idea.

Step 3: Configure your secure paths
Now that you've enabled the Secure Pages module, you'll need to configure it. Simply go to http://example.com/admin/build/securepages (example.com being your actual site's URL) and begin to configure. The general rule of thumb, for starters, is any page that contains sensitive information - or forms which will ask for sensitive information - should be secured. This should include all checkout pages, the admin section, your user pages, and login page as well.

Probably the most sensible setting is to configure Secure Pages to secure only the paths you list (rather than securing every page except the ones you list), although depending on your needs this may change. Here's a list of some common paths that you should protect:

node/add*
node/*/edit
user/*
admin/*
cart*
uc_paypal*
cgi-bin/webscr
taxes/calculate

What will happen, depending on your Secure Pages config, is that when a visitor goes to a path in this list (for example, /cart or /cart/checkout), the browser will seamlessly redirect them from http://example.com/cart to https://example.com/cart, resulting in a securely encrypted page.

Note: Some of these paths, including uc_paypal and cgi-bin/webscr in this example, are important for store communications when completing a PayPal transaction. When a PayPal IPN notification is received, it goes to a URL of the form https://example.com/uc_paypal/ipn/ORDER#, thereby triggering the completion of the order. Obviously it'll be important to set this up for SSL; otherwise you could potentially lose those order notifications.

Paths to ignore
You'll notice that Secure Pages has the option for you to "ignore" pages - this means they will be called using whatever protocol the browser is currently on, and won't be forced to http or https as the paths in the earlier configuration box would be. Some examples for paths to ignore are:

user/autocomplete/*
logout

Generally these are paths that are called by AJAX callbacks in other modules, such as Views or Taxonomy. If you receive an "error occurred" message when dealing with forms containing AJAX elements, there's a good chance you're on an https page and the AJAX form element is calling a non-https page, resulting in the error.
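As an added example (not code from the original post or from the Secure Pages module), here is the decision logic that the two path lists above drive, written in Python: the wildcard patterns are matched the way Drupal treats "*", listed paths are forced to https, ignored paths keep the browser's current scheme, and a last helper shows why an AJAX callback that is not on the ignore list fails from an https page. The option names secure_only_listed and switch_back are assumptions standing in for the module's settings.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed configuration: the same two lists as in the text above.
SECURE_PATHS = """node/add*
node/*/edit
user/*
admin/*
cart*
uc_paypal*
cgi-bin/webscr
taxes/calculate"""
IGNORE_PATHS = """user/autocomplete/*
logout"""

def compile_patterns(block):
    """Build one anchored regex from newline-separated path patterns.
    Assumption: '*' matches any run of characters, as in Drupal's path matching."""
    lines = [l.strip() for l in block.splitlines() if l.strip()]
    alts = "|".join(re.escape(l).replace(r"\*", ".*") for l in lines)
    return re.compile(r"^(?:" + alts + r")$")

SECURE_RE = compile_patterns(SECURE_PATHS)
IGNORE_RE = compile_patterns(IGNORE_PATHS)

def decide_scheme(url, secure_only_listed=True, switch_back=True):
    """Scheme a request for `url` should end up on (hypothetical helper).
    Ignored paths keep the browser's scheme; listed paths go to https when
    'secure only the listed paths' is on (everything else when it is off);
    remaining pages drop back to http if switch_back is set."""
    parts = urlsplit(url)
    path = parts.path.lstrip("/")
    if IGNORE_RE.match(path):
        return parts.scheme
    listed = bool(SECURE_RE.match(path))
    if (listed if secure_only_listed else not listed):
        return "https"
    return "http" if switch_back else parts.scheme

def redirect_target(url, **opts):
    """URL the visitor is redirected to, or None when no redirect is needed."""
    parts = urlsplit(url)
    want = decide_scheme(url, **opts)
    return None if want == parts.scheme else urlunsplit((want,) + tuple(parts[1:]))

def ajax_callback_ok(page_url, callback_path, **opts):
    """True when an AJAX call from `page_url` to `callback_path` is served on
    the page's own scheme; False reproduces the 'error occurred' case."""
    page = urlsplit(page_url)
    callback = f"{page.scheme}://{page.netloc}/{callback_path.lstrip('/')}"
    return decide_scheme(callback, **opts) == page.scheme
```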

Now you should have an e-commerce site that your customers can feel safe purchasing from, because they know their sensitive information is encrypted. For more information and continued discussion, visit the original forum post here: http://www.ubercart.org/forum/support/1850/ssl_which_paths_do_you_protect