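// We define this function:

/**
 * Report whether the current request reached this server over TLS.
 *
 * Order of precedence:
 *   1. X-Forwarded-Proto, for deployments where a reverse proxy terminates TLS.
 *      NOTE: this is an ordinary request header and is supplied by whoever sends
 *      the request. It is only trustworthy when the origin is reachable solely
 *      through a proxy that overwrites it; for a directly reachable origin the
 *      client chooses the answer, so pass $trustForwardedProto = false there.
 *   2. $_SERVER['HTTPS'] as populated by the SAPI. ISAPI on IIS sets the literal
 *      string 'off' for plaintext requests instead of leaving the key unset.
 *
 * @param bool $trustForwardedProto honour X-Forwarded-Proto; the default keeps the
 *                                  historical behaviour of always consulting it
 */
function isHttps(bool $trustForwardedProto = true): bool
{
    if ($trustForwardedProto && isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
        // 'https'        => Client <=> Proxy is encrypted.
        // anything else  => Proxy <=> Server may be encrypted, but Client <=> Proxy is not.
        return $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https';
    }

    if (isset($_SERVER['HTTPS'])) {
        if ($_SERVER['HTTPS'] === 'off') {
            // ISAPI on IIS breaks the spec. :(
            return false;
        }
        // Any other non-empty value means the SAPI negotiated TLS.
        return $_SERVER['HTTPS'] !== '';
    }

    return false;
}

// Then, before we display the login form, we run this code:
if (isHttps()) {
    // Client can clearly use HTTPS, so let's enforce it for all connections.
    header('Strict-Transport-Security: max-age=15768000');
} else {
    // This is the login form, not the request form. We need protection here.
    // SERVER_NAME can be derived from the client-supplied Host header depending on
    // the web server's configuration; a fixed, configured canonical hostname is the
    // safer source for the redirect target.
    $path = 'https://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
    header('Location: ' . $path);
    // Stop here: without this, the login form is still rendered into the body of
    // the redirect response and so still travels over plaintext HTTP.
    exit;
}

// On our new internal branch, we do much the same in a much more structured, OO-friendly way.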