Many web applications deal with data considered to be confidential or sensitive in nature. Applications like this should use SSL to encrypt the traffic between the server and the user (you are using SSL...right?). Most web servers, however, are not configured to only accept a secure connection.

The programmatic method for redirecting an insecure request over http to one using https relies on checking the https variable in the CGI scope (cgi.https). If it is not set to "on", the request arrived over plain http and a redirect is needed to enforce https.

The following code uses the cfheader tag to send a 301 HTTP status code, which tells the browser that the requested page has permanently moved, followed by a Location header that refers the client to the same URL over https. The cfcontent reset is used to throw away any content already generated up to this point so that it is not sent back to the client, and the cfabort stops processing so nothing after the redirect runs.

<cfif cgi.https IS NOT "on">
    <!--- Discard any output already buffered so only the redirect is sent --->
    <cfcontent reset="true">
    <cfheader statuscode="301" statustext="Use SSL">
    <!--- Keep the requested path and query string, not just the host --->
    <cfset sslUrl = "https://" & cgi.http_host & cgi.script_name>
    <cfif len(cgi.query_string)>
        <cfset sslUrl = sslUrl & "?" & cgi.query_string>
    </cfif>
    <cfheader name="Location" value="#sslUrl#">
    <cfabort>
</cfif>

The above example relies on the application to perform the SSL check on every request. If you have control over your web server, you may be able to move the check up a level by using URL rewriting or a web server-specific setting, so that the redirect happens before any application code runs.
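As an added example of moving the check up to the web server (this is not code from the original post), here is the same redirect as an Apache httpd mod_rewrite rule. It assumes mod_rewrite and mod_headers are enabled and, for the commented proxy case, that a TLS-terminating load balancer in front of Apache sets X-Forwarded-Proto on every request.

```apache
# Force every plain-http request onto https, keeping the path and query string.
RewriteEngine On

# Case 1: Apache terminates SSL itself, so its HTTPS variable is authoritative.
RewriteCond %{HTTPS} !=on
# Case 2 (assumption): a load balancer terminates SSL and forwards plain http
# to Apache, recording the client's scheme in X-Forwarded-Proto. Without this
# second condition HTTPS is "off" on every request and the rule would loop.
# Only trust this header when the proxy overwrites it; a client can send it too.
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Once the client is on https, tell browsers to stay there (Apache 2.4+ syntax).
<If "%{HTTPS} == 'on'">
    Header always set Strict-Transport-Security "max-age=31536000"
</If>
```

Both RewriteCond lines must hold for the redirect to fire, so a request that either Apache or the proxy saw as https is left alone.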