How To Force SSL Always Using HTACCESS

Discussion in 'Tutorials and Guides' started by Phill Fernandes, Aug 25, 2015.

  1. Phill Fernandes

    Phill Fernandes New Member

    If you want to force SSL for everyone on your website, just add these rules to a .htaccess file in the htdocs (www) root of your webserver.

    Hint: This also works on subdomains, just put it in the root of the folder at which the subdomain is pointed to.

     
  2. wlanboy

    wlanboy Content Contributer

    And for lighttpd (within the config):

    Code:
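    # Redirect every plain-HTTP request to the same host and URL over HTTPS.
    # %0 is the host matched by the enclosing condition, $0 the URL matched by url.redirect.
    $HTTP["scheme"] == "http" {
        $HTTP["host"] =~ ".*" {
            url.redirect = (".*" => "https://%0$0")
        }
    }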
     
    Phill Fernandes likes this.
  3. joepie91

    joepie91 New Member

    Don't use .htaccess unless you're on a shared hosting provider and have no other choice. It's slow (because there's lots of recursive stat calls for every pageload), and easy to mess up (accidentally removing it during deployment, etc.). Put it in your HTTPd configuration instead, in the configuration block for a particular VirtualHost if necessary.

    Also, you'll want to use HSTS, not just a redirect. With just a redirect, it's still trivially easy to intercept the redirect and force it over HTTP, thereby largely defeating the point of HTTPS to begin with.
     
  4. wlanboy

    wlanboy Content Contributer

    Agreed. My example is a lighttpd config - no .htaccess rule.
     
  5. vld

    vld New Member Verified Provider

    What is the point of the $HTTP["host"] =~ ".*" statement?
     
    Last edited by a moderator: Aug 26, 2015
  6. wlanboy

    wlanboy Content Contributer

    .* matches any character (except newline). One of many ways to define "any host".
     
    Phill Fernandes likes this.
  7. securewebcloud

    securewebcloud New Member

    Last edited by a moderator: Aug 29, 2015
    IntroVex-Kamran likes this.
  8. Phill Fernandes

    Phill Fernandes New Member

    Your code achieves the same end by explicitly defining the URL to be redirected to, whereas the code I provided is implicit in the way it sets the hostname. The code I provided is intentionally written as such so it's Plug-n-Play.
     
  9. mrblackhat

    mrblackhat New Member

    There are Force SSL plugins for WordPress & Joomla that will do the job if you are running one of those platforms.
     
  10. securewebcloud

    securewebcloud New Member

    This is by far the way I'm going to be forcing SSL from now on. It may be hard to code all the pages to request HTTPS on existing projects or shared hosts, so the .htaccess was a quick fix. As you clearly pointed out, I understand setting it in the httpd.conf, and I also need to learn more about HSTS to avoid the security risk in the redirect. Super valuable share right there, thanks.
     
    Last edited by a moderator: Sep 1, 2015
    joepie91 likes this.
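
An added example, not part of any post in this thread: a small Python check for the point made above that a redirect alone is not enough without HSTS. It audits a recorded redirect chain for both the permanent HTTPS redirect and a usable Strict-Transport-Security header. The host name, the hop data and the MIN_MAX_AGE threshold are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

MIN_MAX_AGE = 15552000  # assumed policy threshold: 180 days, in seconds

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; returns (max_age or None, includeSubDomains)."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"\d+", arg):
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit(chain):
    """chain: list of (url, status, headers) hops, first hop is the plain-HTTP request."""
    findings = []
    first_url, status, headers = chain[0]
    headers = {k.lower(): v for k, v in headers.items()}
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 308):
        findings.append("http hop is not a permanent redirect")
    if target.scheme != "https" or target.hostname != urlsplit(first_url).hostname:
        findings.append("http hop does not redirect to https on the same host")
    if "strict-transport-security" in headers:
        findings.append("HSTS sent over http is ignored by browsers")
    https_hops = [h for h in chain if urlsplit(h[0]).scheme == "https"]
    if not https_hops:
        return findings + ["no https response in chain"]
    final_headers = {k.lower(): v for k, v in https_hops[-1][2].items()}
    max_age, _ = parse_hsts(final_headers.get("strict-transport-security", ""))
    if max_age is None:
        findings.append("https response has no valid HSTS header")
    elif max_age < MIN_MAX_AGE:
        findings.append(f"HSTS max-age {max_age} below {MIN_MAX_AGE}")
    return findings

# Constructed sample chains: redirect only, then redirect plus HSTS on the HTTPS response.
REDIRECT_ONLY = [
    ("http://www.example.com/", 301, {"Location": "https://www.example.com/"}),
    ("https://www.example.com/", 200, {"Content-Type": "text/html"}),
]
WITH_HSTS = [
    ("http://www.example.com/", 301, {"Location": "https://www.example.com/"}),
    ("https://www.example.com/", 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]
```

An empty list from audit() means both the redirect and the HSTS header are in place; the redirect-only chain returns one finding.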