i have a website that has a simple login form.

the form posts to login.php

inside login.php i check for username and password and redirect to a specific page.

All is good until i come across security. From PCI compliance i get this:

All web application communications containing sensitive information should be transmitted using SSL/TLS (HTTPS). If re-direction from HTTP to HTTPS is utilized in an attempt to remediate this finding, please ensure that such re-direction occurs on the server side of the system (for example via the use of the HTTP “Location” header element) and that re-direction is not reliant upon the client (browser) side.

then i went into login.php and added this code at the top:

if (!isset($_SERVER['HTTPS']) || !$_SERVER['HTTPS']) {
    header("Location: https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]);
}

If i try to login after this change the login process seems to go through fine, except im not sure that this solved the problem.

notes:
i cant set the website to be: https://www.website.com because this will throw a security warning. I do have a valid certificate though.

any ideas how can i fix this issue?

thanks

edit:

the security warning is about accessing an insecure website, the red rectangle asking me if im sure i want to go to this website and i can add it to the exceptions list

if i add the certificate under m the exception list, this alert happens only once