Enforcing HTTPS on Commerce-related pages

Abstract

Learn how to enforce HTTPS on Commerce related pages on your storefront.

There is a processor in the Sitecore.Commerce.XA.Foundation.common.config configuration file that is part of the <httpRequestBegin> pipeline, which enforces HTTPS on all Commerce-related pages when running a live storefront. If a visitor tries to use HTTP to access a page that was created with the _CommercePage foundation template, the processor redirects the page to HTTPS.

Note

The pipeline does not enforce HTTPS in the Experience Editor, or if the page was not created with the _CommercePage foundation template.

The processor is defined in the Sitecore.Commerce.XA.Foundation.common.config configuration file as follows:

<httpRequestBegin>
    <processor type="Sitecore.Commerce.XA.Foundation.Common.Pipelines.SecuredPageProcessor, Sitecore.Commerce.XA.Foundation.Common"
               patch:after="processor[@type='Sitecore.Pipelines.HttpRequest.ItemResolver, Sitecore.Kernel']" />
</httpRequestBegin>

If you do not want to enforce HTTPS on a specific storefront site, you can disable the Enforce SSL field in the Commerce Control Panel settings for the storefront (in /sitecore/Commerce/Commerce Control Panel/Storefront Settings/Storefronts/<storefront name>/Storefront Configuration).

If you do not want to enforce HTTPS on any sites in your installation, you can remove the processor from the configuration file.