purpleslurple
commented
1 year ago Add note to documentation about serving over http (e.g. via http://localhost:8000)
In this scenario, when you serve your PHP script over HTTP (not HTTPS), and your PHP script uses $fcontents = @file($theurl); to retrieve a page with the protocol https (e.g., https://www.w3.org/TR/selection-api/), here's how the encryption works:
-
Client to Server (PHP script to target URL):
- The request made by your PHP script to
https://www.w3.org/TR/selection-api/will be unencrypted. - The URL, query parameters, and other request data will be sent over plain HTTP from your PHP script to the target server (
www.w3.org).
- The request made by your PHP script to
-
Target Server's Response (HTTPS to PHP script):
- The response from the target server (
www.w3.org) to your PHP script will be encrypted. - The target server will use HTTPS to send the response back to your PHP script over an encrypted channel.
- The response from the target server (
In this case, the encryption is established between the target server and your PHP script, but not between your PHP script and the server that hosts your PHP script. The request made by your PHP script to the target server (www.w3.org) will be sent over plain HTTP, and the response from the target server back to your PHP script will be encrypted over HTTPS.
However, since your PHP script is not using HTTPS for its own communication, any potential sensitive information in the request (such as query parameters) could be exposed while being transmitted from your PHP script to the target server.
// Automatically detect protocol $protocol = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? 'https://' : 'http://'; $file_location = $protocol . $_SERVER['HTTP_HOST'] . $file_location;