amuck-landowner

How To Force SSL Always Using HTACCESS

Phill Fernandes

New Member
If you want to force SSL for everyone on your website, just add these rules to a .htaccess file in the htdocs (www) root of your webserver.

Hint: This also works on subdomains, just put it in the root of the folder at which the subdomain is pointed to.

Code:
# Turn on mod_rewrite for this directory
RewriteEngine On
# Only act on requests that did not arrive on the TLS port.
# If a proxy terminates TLS in front of Apache, the backend port is never 443
# and this condition is always true; test %{HTTPS} or X-Forwarded-Proto there instead.
RewriteCond %{SERVER_PORT} !^443$
# Send the client to the same host and path over https.
# [R] is a 302 by default; use [R=301] once you are sure the rule is right.
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
 

wlanboy

Content Contributer
And for lighttpd (within the config):

Code:
$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}
 

joepie91

New Member
Don't use .htaccess unless you're on a shared hosting provider and have no other choice. It's slow (because there's lots of recursive stat calls for every pageload), and easy to mess up (accidentally removing it during deployment, etc.). Put it in your HTTPd configuration instead, in the configuration block for a particular VirtualHost if necessary.

Also, you'll want to use HSTS, not just a redirect. With just a redirect, it's still trivially easy to intercept the redirect and force it over HTTP, thereby largely defeating the point of HTTPS to begin with.
 
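To show what the advice above looks like in practice, here is an added example (not code from the thread or any of its posters) of an Apache 2.4 VirtualHost pair that does the redirect in the server configuration rather than in .htaccess and adds HSTS on the HTTPS side. The hostname example.com, the certificate paths and the DocumentRoot are placeholders; it assumes mod_ssl, mod_alias and mod_headers are loaded.

```apache
# Added example, not from the original thread.
# Hostname, certificate paths and DocumentRoot are placeholders.

<VirtualHost *:80>
    ServerName example.com

    # The plain-HTTP side has one job: send every request to HTTPS.
    # "permanent" is a 301; the requested path is appended to the target.
    Redirect permanent "/" "https://example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # HSTS: a browser that has seen this header once will rewrite http:// to
    # https:// itself for max-age seconds, so an attacker on the path cannot
    # intercept the plain-HTTP redirect and keep the victim on HTTP.
    # Send it only over HTTPS; browsers ignore it on plain HTTP anyway.
    # Start with a short max-age while testing, raise it to a year or more
    # once stable, and add includeSubDomains only when every subdomain
    # already serves valid HTTPS, because the policy is cached client-side.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

After a change like this, `apachectl configtest` before reloading, then request `http://example.com/some/path` with `curl -I` and check for a 301 to the https URL, and request the https URL and check that the Strict-Transport-Security header is present there and absent on the HTTP response.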

wlanboy

Content Contributer
joepie91 said:
Don't use .htaccess unless you're on a shared hosting provider and have no other choice. It's slow (because there's lots of recursive stat calls for every pageload), and easy to mess up (accidentally removing it during deployment, etc.). Put it in your HTTPd configuration instead, in the configuration block for a particular VirtualHost if necessary.

Agreed. My example is a lighttpd config - no .htaccess rule.
 

vld

New Member
Verified Provider
wlanboy said:
And for lighttpd (within the config):

Code:
$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}

What is the point of the $HTTP["host"] =~ ".*" statement?
 

mrblackhat

New Member
There are Force SSL plugins for WordPress & Joomla that will do the job if you are running one of those platforms.
 
joepie91 said:
Don't use .htaccess unless you're on a shared hosting provider and have no other choice. It's slow (because there's lots of recursive stat calls for every pageload), and easy to mess up (accidentally removing it during deployment, etc.). Put it in your HTTPd configuration instead, in the configuration block for a particular VirtualHost if necessary.

Also, you'll want to use HSTS, not just a redirect. With just a redirect, it's still trivially easy to intercept the redirect and force it over HTTP, thereby largely defeating the point of HTTPS to begin with.

This is by far the way I'm going to be forcing SSL from now on. It may be hard to code all the pages to request https on existing projects or shared hosts, so the .htaccess was a quick fix. As you clearly pointed out, I understand setting it in the httpd.conf, and I also need to learn more about HSTS to avoid the security risk in the redirect. Super valuable share right there, thanks.
 