HTTPS issues with the implementation on daz3d.com
CypherFOX
Posts: 3,401
Greetings,
First and foremost let me acknowledge that purchasing is secure, and I'm very comfortable with that. That's not what this is about.
If you browse to this site from a bookmark, or by typing 'www.daz3d.com/shop' into the browser bar, you end up on the site via HTTP. The server does not auto-redirect to HTTPS. That's...okay, I get that it's maybe harder with a CDN in the way like CloudFlare.
If you click on an item, e.g. Harpwood Trail (the first item in the filtered list when hitting the shop today), you are still in HTTP mode.
This causes a problem, because clicking 'ADD TO CART' fails with:
XMLHttpRequest cannot load https://www.daz3d.com/dazstatic/cart/add/product/41481. Response for preflight is invalid (redirect)
What this actually means is that you are trying to make a cross-origin request (specifically the scheme, aka HTTP to HTTPS, is changing) which is blocked by the browser, quite appropriately.
Now there's a lot of fixes possible for this. You could add a CORS response that allows HTTPS access from HTTP endpoints on daz3d.com, for example.
But the best solution (for some definition of best that is admittedly not informed by DAZ store technical issues) is to issue a Strict-Transport-Security (HSTS) header.
Adding a header generated on your https site like:
Strict-Transport-Security: max-age=63072000; includeSubdomains;
would make it so almost all even moderately recent browsers wouldn't even think to go to the http-only site for the next two years. They will rewrite the in-page on-site links to HTTPS automatically; after receiving it once, they won't even make later initial requests via HTTP, so you wouldn't need to redirect if that's complicated. (There are other capabilities like preload; I don't necessarily recommend that, but if you have the confidence to do it, that's great also!)
I'm not questioning the fundamental security of daz3d.com; it's actually functionality that's broken right now. You can get to the HTTP site trivially and accidentally, and when you do, it _doesn't work_.
Strict transport security is a great way to fix it, and makes everything encrypted-by-default, which is a good win. If HSTS isn't possible, then please set up an automatic redirect to HTTPS for any HTTP requests?
-- Morgan
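The three points in the post above (a scheme change alone makes a request cross-origin, an HTTP request should be redirected to HTTPS, and the HTTPS site should send a usable HSTS header) can be checked with a small offline script. The following is an added example written for this page, not code from the original post or from daz3d.com; the sample responses and header values in it are constructed for illustration and are not captured from the site, and the two-year threshold is simply the max-age value quoted in the post.

```python
"""Offline checks for the HTTPS points raised in the post:
  1. origin comparison (scheme/host/port), which is why an HTTP page
     calling an HTTPS endpoint on the same host is cross-origin;
  2. whether a plain-HTTP response is a redirect to HTTPS on the same host;
  3. whether a Strict-Transport-Security header value is usable.
All sample inputs below are constructed, not captured from daz3d.com.
"""
import re
from urllib.parse import urlsplit

# Threshold used in the post (two years, in seconds); an assumption for this check.
TWO_YEARS = 63072000


def origin(url):
    """Return the (scheme, host, port) origin tuple, filling in default ports."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme.lower())
    return (u.scheme.lower(), (u.hostname or "").lower(), port)


def is_cross_origin(page_url, request_url):
    """True when any of scheme, host or port differ (the browser's CORS test)."""
    return origin(page_url) != origin(request_url)


def redirects_to_https(status, location, requested_url):
    """True if a plain-HTTP response redirects to HTTPS on the same host."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    req = urlsplit(requested_url)
    loc = urlsplit(location)
    return loc.scheme.lower() == "https" and (loc.hostname or "").lower() == (req.hostname or "").lower()


def parse_hsts(header_value):
    """Parse an HSTS header value (RFC 6797, section 6.1) into a dict.

    Directive names are case-insensitive, so they are lower-cased; unknown
    directives are kept. Returns None when max-age is missing or not numeric,
    since a UA ignores such a header.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def evaluate_hsts(header_value, min_age=TWO_YEARS):
    """Return a list of findings; an empty list means the header is acceptable."""
    parsed = parse_hsts(header_value) if header_value else None
    if parsed is None:
        return ["no usable Strict-Transport-Security header"]
    findings = []
    if parsed["max-age"] == 0:
        findings.append("max-age=0 disables HSTS")
    elif parsed["max-age"] < min_age:
        findings.append("max-age %d is below %d" % (parsed["max-age"], min_age))
    if "includesubdomains" not in parsed:
        findings.append("includeSubDomains missing; subdomains stay reachable over HTTP")
    return findings


if __name__ == "__main__":
    # Constructed scenario matching the post: an HTTP shop page calling the HTTPS cart endpoint.
    page = "http://www.daz3d.com/shop"
    api = "https://www.daz3d.com/dazstatic/cart/add/product/41481"
    print("cross-origin:", is_cross_origin(page, api))

    # Constructed HTTP responses: one that redirects properly, one that does not.
    print("redirect ok:", redirects_to_https(301, "https://www.daz3d.com/shop", page))
    print("no redirect:", redirects_to_https(200, None, page))

    # Constructed header values: the one proposed in the post, a weak one, and none.
    for value in ("max-age=63072000; includeSubdomains;", "max-age=300", None):
        print(repr(value), "->", evaluate_hsts(value) or "ok")
```

The origin check is the crux of the post's diagnosis: with default ports filled in, `http://www.daz3d.com` and `https://www.daz3d.com` are different origins, so the browser sends a CORS preflight for the cart call, and a preflight whose response is a redirect is rejected outright rather than followed. To use this against a live site you would feed `redirects_to_https` the status and Location of a real plain-HTTP response and `evaluate_hsts` the real header; the script itself makes no network requests.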

Comments
You might try sending this directly as a message to @DAZ_Rawb. I sent him a couple of messages about some specific site technical things a couple of times (only a couple of times) and he was very helpful.
Greetings,
@vwrangler That's the name! I was racking my head, trying to remember who it was who had been talking about the HTTPS transition a while ago, but searching for 'https' in the forums doesn't work so well. :) Thanks, I'll drop a note...
-- Morgan