Secure by Role

Component ID

502454

Component name

Secure by Role

Component type

module

Component security advisory coverage

not-covered

Downloads

1797

Component body

Secure by Role (SecRole) is a simple Drupal module for shopping sites and others where security is important. When a page is requested, SecRole checks whether the user belongs to any of a list of roles that should be served pages only over a secure connection (HTTPS). If so, and the connection is not already secure, the user is redirected to the page they requested over a secure connection.

Why is this module's approach better than simply locking down your entire site behind a secure connection? Because not all the visitors to your site will be doing things which demand a secure connection. Search engine spiders, for example, are not going to be sending credit card details; they may even be incapable of indexing pages behind HTTPS connections. Or maybe they're simply human users who are just browsing with no intent to buy anything - yet. But with SecRole, you can easily configure the site so that, once these users create an account, they are served over a secure connection and their credit card details are safe. Your web server can avoid the overhead incurred by encrypting and decrypting data sent or received over a secure connection until it's necessary.

SecRole has successfully been tested with both Apache and Lighttpd web server software. (If you've tested SecRole on another server, please let me know your results!) SecRole expects HTTPS connections to be served over port 443; if your web server is configured to use a different port, you will have to adapt SecRole's code before it will work properly for you. (Or you could just stop using the wrong ports for things, please.)
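The role check and redirect decision described above, including the port 443 assumption, written in plain PHP as an added example. It is not Secure by Role's own code; the function names, role names and the host `shop.example` are assumptions made for illustration.

```php
<?php
// Added illustration, not the module's code. All names here are hypothetical.

const HTTPS_PORT = 443; // the page states that HTTPS is expected on port 443

/** True when the request described by $server arrived over HTTPS. */
function request_is_secure(array $server): bool
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    return (int) ($server['SERVER_PORT'] ?? 0) === HTTPS_PORT;
}

/** Returns the HTTPS URL to redirect to, or null when no redirect is needed. */
function secure_redirect_target(array $userRoles, array $secureRoles, array $server, string $siteHost): ?string
{
    if (array_intersect($userRoles, $secureRoles) === []) {
        return null; // none of the user's roles requires HTTPS
    }
    if (request_is_secure($server)) {
        return null; // already secure; redirecting again would loop
    }
    // If the server never reports HTTPS, this point is reached on every
    // request and users in a secure role are redirected endlessly.
    $path = (string) ($server['REQUEST_URI'] ?? '/');
    if ($path === '' || $path[0] !== '/') {
        $path = '/'; // accept only origin-form request targets
    }
    // The host comes from site configuration, not from the request.
    return 'https://' . $siteHost . $path;
}

// Constructed sample requests.
$secureRoles = ['customer', 'administrator'];
$cases = [
    'anonymous over HTTP' => [['anonymous user'], ['SERVER_PORT' => '80', 'REQUEST_URI' => '/catalog']],
    'customer over HTTP'  => [['customer'], ['SERVER_PORT' => '80', 'REQUEST_URI' => '/cart?step=2']],
    'customer over HTTPS' => [['customer'], ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'REQUEST_URI' => '/cart']],
];
foreach ($cases as $label => [$roles, $server]) {
    $target = secure_redirect_target($roles, $secureRoles, $server, 'shop.example');
    echo $label, ': ', $target ?? 'no redirect', PHP_EOL;
}
```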

Merely installing this module is not enough to secure your site. Further, this module and/or your server can be misconfigured in a way which will cause you to lose all access to your site. Please read the README.txt file closely before enabling Secure by Role.