How to Force HTTPS using .htaccess

Posted 

4 min read

If you installed an SSL certificate for your domain, your next step should be to configure the application to serve all web traffic over HTTPS.

Unlike HTTP, where requests and responses are sent and returned in plaintext, HTTPS uses TLS/SSL to encrypt the communication between the client and the server.

There are several advantages of using HTTPS over HTTP, such as:

  • All the data is encrypted in both directions. As a result, sensitive information cannot be read if intercepted.
  • Chrome, Firefox, and all other popular browsers will mark your website as safe.
  • HTTPS allows you to use the HTTP/2 protocol, which significantly improves the site performance.
  • Google favors HTTPS websites. Your site will rank better if served via HTTPS.

The redirection can be set either on the application or server level. This article explains how to redirect the HTTP traffic to HTTPS using the .htaccess file.

If you have SSH root access to the Linux server where Apache runs, the preferred way is to set up the redirection in the domain’s virtual host configuration file. Otherwise, you can configure the redirection in the domain’s .htaccess file. Apache server reads the .htaccess file on each page request, which slows down the webserver.

Most control panels, such as cPanel allows you to force HTTPS redirection using a graphical user interface.

Redirect HTTP to HTTPS using .htaccess

.htaccess is a configuration file on a per-directory basis for the Apache webserver. This file is used to define how Apache serves files from the directory where it is placed and enable/disable additional features.

Generally, the .htaccess file is located in the domain root directory, but you can have other .htaccess files in the subdirectories.

You can edit the .htaccess file (or create a new one) either via SSH or FTP.

To redirect the HTTP requests to HTTPS, open the .htaccess file, and add the following code:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Here is what each line of code does:

  • RewriteEngine On - Enables the Rewrite capabilities and allows us to use rewrite rules.
  • RewriteCond %{HTTPS} off - Checks if the connection is of the HTTP request type. When the condition is met, the next line is executed. We only want to redirect HTTP requests. If you omit this condition, you’ll get a redirect loop.
  • RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] - Redirect all HTTP requests to HTTPS, with status code 301 (Moved Permanently). This rule will rewrite http://example.com/about to http://example.com/about or http://www.example.com/about to https://www.example.com/about

If there are other rules in the file add the rewrite code at the top of the file.

That’s it! After adding these lines, save the file and refresh your browser. All HTTP requests should be redirected to HTTPS.

When editing the .htaccess file, you do not need to restart the server because Apache reads the file on each request.

Here is another, more generic rule to redirect from HTTP to HTTPS:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
  • HTTP_HOST is the hostname the visitor requests when accessing the site. This variable represents your domain name.
  • REQUEST_URI is the URI that is used to access the page.

Redirect HTTP to HTTPS and WWW to Non-WWW

Any website can be accessed on two URLs: with the www prefix (such as www.example.com) and without www (such as example.com). Most website owners are choosing one version as a preferred domain and redirect to it.

To redirect from HTTP to HTTPS and from www to the non-www version of your site, add the following lines to the .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]

Here we have two conditions. The first one checks if the connection is not HTTPS, and the second checks whether the request begins with www. If one of the conditions is true (the [OR] operator), the rewrite rule is executed.

Redirect HTTP to HTTPS and Non-WWW to WWW

If you prefer the www version of your site use the following rule to redirect from HTTP to HTTPS and from non-www to the www

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

Conclusion

We have shown you how to edit your .htaccess file to redirected all HTTP traffic to HTTPS.

If you have access to the Apache configuration files, for better performance, you should force HTTPS by creating a 301 redirect in the domain’s virtual host.

If you have any questions or feedback, feel free to leave a comment.