Force HTTPS Redirection using .htaccess

I have recently added an SSL certificate to my website, and was looking for a way to force HTTPS redirection so everyone ends up on the SSL version of the site. I quickly browsed the Internet to see if there was a ready-made solution to this and found some, but they all had one of two issues: one, they didn’t work at all; or two, they force SSL on both the main domain and all subdomains, which is something I did not want. Therefore, I had to create my own SSL redirection using Apache’s .htaccess file.

Forcing SSL on a domain is actually relatively simple when using the .htaccess file. This is the code I have been using lately, and it works perfectly:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^(www\.)?yourdomainname\.com$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

You can simply copy and paste this code into your root .htaccess file, and it should redirect all incoming traffic of your main domain to HTTPS. Make sure to replace yourdomainname.com with your actual domain name! Also, be careful: make sure to put these four lines before anything already present in your .htaccess file. This is especially important if you are using WordPress like I am, since WordPress has its own rewrite rules that will override these if they are put after WordPress’ code.

How does it work?

This .htaccess code is actually relatively straightforward:

  • The first line turns on Apache’s rewrite engine, so that the rewrite conditions and rules on the next lines are processed.
  • The second one adds a condition where HTTPS must not be enabled for the rule to be applied.
  • The third line adds another condition where the HTTP_HOST, i.e. everything after http:// and before /rest/of/url, must match the regular expression ^(www\.)?yourdomainname\.com$.
    • The ^ indicates that the string must start with the following characters;
    • The (www\.)? indicates that there can be a www. before the domain, but it is not required: the ? makes the group optional, and \. matches a literal dot instead of any character;
    • The yourdomainname\.com$ indicates that the domain must be yourdomainname.com with nothing after it (replace this with your own domain name, of course).
    • You can remove the ^(www\.)? if you want your HTTPS redirection to be applied to all subdomains.
  • The final line tells Apache that if the conditions above are matched, the URL must be rewritten to the value next to RewriteRule.
    • ^(.*)$ indicates that the whole string (^ = beginning of string, (.*) = everything inclusively, $ = end of string) must be replaced;
    • https://%{HTTP_HOST}%{REQUEST_URI} indicates that the string must be replaced by https:// followed by the host and the request URI (the /rest/of/url part of the URL);
    • The [L,R=301] actually means two things: the L part represents last, which means that if this rule is applied, no other rules directly under it will be applied; and the R=301 part means that the rule will be a 301 redirect (“moved permanently” redirection). These are put into square brackets because they are flags, and they are separated by a comma with no space.
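Before deploying a host condition, it helps to check which Host values it really accepts. The following is an added example, not code from the original post: it emulates the two RewriteCond checks in Python (an assumption: Python's re module treats these simple patterns the same way Apache's regex engine does) and compares a loosely written pattern, ^(www.)yourdomainname.com, with the stricter ^(www\.)?yourdomainname\.com$. The function names and sample hosts are constructed for illustration.

```python
import re

# Emulation of the two RewriteCond lines; not Apache code.
# LOOSE: www group is mandatory, "." matches any character, no end anchor.
LOOSE = r"^(www.)yourdomainname.com"
# STRICT: optional www, literal dots, anchored at both ends.
STRICT = r"^(www\.)?yourdomainname\.com$"


def should_redirect(pattern, https, host):
    """True when both conditions hold: %{HTTPS} is off and %{HTTP_HOST} matches."""
    if https != "off":
        return False
    return re.search(pattern, host) is not None


def redirect_target(pattern, https, host, request_uri):
    """Location produced by https://%{HTTP_HOST}%{REQUEST_URI}, or None if no redirect."""
    if should_redirect(pattern, https, host):
        return f"https://{host}{request_uri}"
    return None


# Constructed Host header values (not taken from any real traffic).
SAMPLE_HOSTS = [
    "yourdomainname.com",              # bare domain
    "www.yourdomainname.com",          # www form
    "shop.yourdomainname.com",         # subdomain that should be left alone
    "wwwxyourdomainname-com.example",  # only matches if "." means "any character"
    "www.yourdomainname.com.example",  # only matches if the end is not anchored
]


def compare(hosts=SAMPLE_HOSTS):
    """Map each host to (redirected by LOOSE, redirected by STRICT) for plain HTTP."""
    return {
        h: (should_redirect(LOOSE, "off", h), should_redirect(STRICT, "off", h))
        for h in hosts
    }


if __name__ == "__main__":
    for host, (loose, strict) in compare().items():
        print(f"{host:34} loose={loose!s:5} strict={strict}")
```

The loose pattern skips the bare domain and accepts hosts that merely resemble the domain, while the strict one redirects exactly the bare and www forms.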

There you have it! Now all traffic coming to your site will be redirected to HTTPS, rendering your site more secure for everyone!
