Fix SSL check with Cloudflare
As I read in other topics, Security Ninja seems to have issues correctly determining whether the admin page is served via HTTPS if Cloudflare is used. Since Cloudflare has become quite common for larger public sites, I suggest addressing this issue.
First of all, the warning text seems to be misleading, since the connection protocol could be checked trivially via $_SERVER['HTTPS'] or $_SERVER['SERVER_PORT'] or the whole access URL, or by parsing the response parameters of a dedicated request that could be made. So if Cloudflare is affecting the check, the certificate itself seems to be checked somehow? The warning could probably state more precisely what about the HTTPS connection or certificate did not pass.
Also, the warning suggests using define('FORCE_SSL_ADMIN', true); to force HTTPS for the admin panel, but adding that option does not satisfy the warning, i.e. it still appears on subsequent tests.
While we use Cloudflare, the origin server also has a valid HTTPS certificate, so verifying that via local/loopback requests as well as remote requests should both show a valid certificate and a successful and enforced (redirect + HSTS + preload on both, Cloudflare + origin server) HTTPS connection.
I’m happy to do some debugging or provide logs if it helps to narrow down or fix the underlying issue of the false warning :).
Best regards,
Micha
The topic ‘Fix SSL check with Cloudflare’ is closed to new replies.
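Added example, not part of the original post and not Security Ninja's code: a sketch of how the connection protocol can be read from $_SERVER when a proxy such as Cloudflare sits in front of the origin, accepting the forwarded scheme only from a trusted peer. The function names, the trusted range (a documentation range used as a placeholder for the proxy's real ranges) and the sample requests are assumptions.

```php
<?php
// Hypothetical helper: true if IPv4 address $ip lies inside $cidr ("203.0.113.0/24").
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = (int) $bits === 0 ? 0 : (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Hypothetical helper: was the visitor's connection HTTPS?
// $server is a copy of $_SERVER; $trustedProxies lists CIDRs of the proxy edge.
function request_is_https(array $server, array $trustedProxies): bool
{
    // TLS terminated on this server: the two signals named in the post.
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if (($https !== '' && $https !== 'off') || (string) ($server['SERVER_PORT'] ?? '') === '443') {
        return true;
    }
    // Forwarding headers are client-controlled unless the peer is a known proxy.
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    if (!array_filter($trustedProxies, fn($cidr) => ip_in_cidr($peer, $cidr))) {
        return false;
    }
    // Scheme as reported by the proxy: X-Forwarded-Proto, or Cloudflare's
    // CF-Visitor header, which carries JSON such as {"scheme":"https"}.
    $proto   = strtolower((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    $visitor = json_decode((string) ($server['HTTP_CF_VISITOR'] ?? ''), true);
    return $proto === 'https' || (is_array($visitor) && ($visitor['scheme'] ?? '') === 'https');
}

// Constructed sample requests; 203.0.113.0/24 stands in for the proxy's address range.
$proxies = ['203.0.113.0/24'];
$samples = [
    'direct TLS to origin'      => ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'REMOTE_ADDR' => '198.51.100.7'],
    'proxy, HTTP to origin'     => ['SERVER_PORT' => '80', 'REMOTE_ADDR' => '203.0.113.10', 'HTTP_CF_VISITOR' => '{"scheme":"https"}'],
    'header from untrusted peer' => ['SERVER_PORT' => '80', 'REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
];
foreach ($samples as $label => $sample) {
    printf("%-28s %s\n", $label, request_is_https($sample, $proxies) ? 'https' : 'not https');
}
```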