How To Force SSL Always Using HTACCESS

[Phill Fernandes]

If you want to force SSL everyone on your website just add these rules to a .htaccess file the htdocs (www) root of your webserver.

Hint: This also works on subdomains, just put it in the root of the folder at which the subdomain is pointed to.

RewriteEngine OnRewriteCond %{SERVER_PORT} !^443$RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

 

[wlanboy]

And for lighttpd (within the config):

$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}

 

[joepie91]

Don't use .htaccess unless you're on a shared hosting provider and have no other choice. It's slow (because there's lots of recursive stat calls for every pageload), and easy to mess up (accidentally removing it during deployment, etc.). Put it in your HTTPd configuration instead, in the configuration block for a particular VirtualHost if necessary.

Also, you'll want to use HSTS, not just a redirect. With just a redirect, it's still trivially easy to intercept the redirect and force it over HTTP, thereby largely defeating the point of HTTPS to begin with.

 

[wlanboy]

Don't use .htaccess unless you're on a shared hosting provider and have no other choice. It's slow (because there's lots of recursive stat calls for every pageload), and easy to mess up (accidentally removing it during deployment, etc.). Put it in your HTTPd configuration instead, in the configuration block for a particular VirtualHost if necessary.

Agreed. My example is a lighttpd config - no .htaccess rule.

 

[vld]

And for lighttpd (within the config):

$HTTP["scheme"] == "http" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}

What is the point of the

$HTTP["host"] =~ ".*" statement?

 

[wlanboy]

.*matches any character (except newline). One of many ways to define "any host".

 

[securewebcloud]

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]

 

[Phill Fernandes]

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]

Your code achieves the same end by explicitly defining the URL to be redirected to where as the code I provided is implicit in the way it sets the hostname. The code I provided is intentionally written as such so it's Plug-n-Play.

 

[mrblackhat]

There is Force SSL plugins for WordPress & Joomla that will do the job if you are running one of those platforms

 

[securewebcloud]

Don't use .htaccess unless you're on a shared hosting provider and have no other choice. It's slow (because there's lots of recursive stat calls for every pageload), and easy to mess up (accidentally removing it during deployment, etc.). Put it in your HTTPd configuration instead, in the configuration block for a particular VirtualHost if necessary.

Also, you'll want to use HSTS, not just a redirect. With just a redirect, it's still trivially easy to intercept the redirect and force it over HTTP, thereby largely defeating the point of HTTPS to begin with.

This is by far the way im going to be forcing ssl from now on. It may be hard to code all the pages to request https on existing projects or shared host so the .htaccess was a quick fix. As you clearly pointed out I understand setting it in the httpd.conf and I also need to learn more about HSTS to avoid the security risk in redirect. Super valuable share right there thanks.