Force Secure (SSL) Pages With .htaccess

Updated 11/3/2015: Added R=301 to ensure redirects are 301 permanent.

A while back, I shared a method for forcing a secure page using PHP. What if you want to force SSL (https://) on an entire website though? You don't want to have to put force-SSL PHP code on every page, right? Well, the website's .htaccess file comes to the rescue.

The .htaccess Code

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://domain.com/$1 [R=301,L]

Obviously, you'll want to change "domain.com" to your domain. Another short snippet of code that has a big impact on your website!
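
A hardened variant of the rule above, added here as an example and not part of the original post: it tests the scheme instead of the port, keeps the full request path when the file sits in a subdirectory, and reuses the requested hostname only when that name is on an allow-list. The second hostname `domain.net` and the HSTS block are assumptions made for illustration.

```apache
RewriteEngine On

# 1. Sites answering on several hostnames: keep the requested host, but only
#    when it is one of the names you actually serve. Host is a client-supplied
#    header, so it is checked against an allow-list before it is placed in the
#    Location header. domain.net is a hypothetical second hostname.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^(www\.)?(domain\.com|domain\.net)$ [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 2. Everything else that arrived without TLS (unknown Host value, Host with
#    an explicit port, bare IP address) goes to the one canonical name.
#    %{HTTPS} reflects the scheme itself, so plain HTTP on a port other than
#    80 is caught as well. %{REQUEST_URI} is the full path, which stays
#    correct when this file is not in the document root; the query string is
#    carried over automatically.
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://domain.com%{REQUEST_URI} [R=301,L]

# 3. Assumption: mod_headers is available. The redirect only protects requests
#    after the first one; HSTS tells the browser to skip the HTTP request
#    entirely on later visits. It is sent on HTTPS responses only, and browsers
#    remember it for max-age seconds, so enable it once HTTPS works on every
#    hostname listed above.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
</IfModule>
```

If the site has a single hostname, rule 1 can be deleted and rule 2 alone replaces the original snippet.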

Discussion

  1. Great tip but what if you have more than one domain to the same website? For example, you have davidwalsh.name now, but you could have had the domain davidwalsh.com too. How would you change the script so that it worked on both of your domains?

  2. If you have a website that uses the www. prefix (the standardized way for top level domains) add www. into the .htaccess code. Otherwise Google will penalize you for duplicate content (your entire site would be one whole duplicate).

    Great tip!

    • Good point!

      And nice tip

  3. Jon

    Thanks for the venue.
    I’m new to this web admin topic and would like some clarity on what is probably a very simple question for experienced webmasters.

    Is it correct that using basic authentication (.htaccess + htpassword) on an Apache server that allows only SSL will not result in clear text being sent from the browser to the server, since after all it is an SSL connection?

    Also, in general, is .htaccess a reasonable way to secure directories given a 100% SSL site?

    Thanks.

  4. Thanks a lot.
    I was searching for this kind of thing.

  5. Chris

    Will this script work with subdomains and wildcard SSL certificates?

    yourwebsite.com
    subdomain1.yourwebsite.com
    subdomain2.yourwebsite.com

  6. When you force an SSL page for your website you also want to be sure to have any ads that are directed to your site already include the https:// in the link to your site. Many search engine advertising sites are touchy with redirection even if it is only to send you to a secure page directly. This .htaccess code I believe will work on subdomains (remember you require a certificate for each subdomain from your web host service installed first), but you need to put the .htaccess code in each of your subdomain's main folder. Thanks for the great article! =)

  7. George

    Is there a way to exclude ONE page from the global https? If there is one page that I want to keep http, how would I go about doing that?

    Thanks for this tip!

  8. Frank

    I find SSL completely unconfigurable on Apache. What one would call SSL hell!

  9. Hello,
    I have several pages, for example domain/mypage1 and domain/mypage2.
    How do I configure htaccess so that when I come to domain/mypage2 I am redirected to an https connection?

    Yes, I have a working, installed Comodo SSL and a dedicated IP.

  10. Thank you, this came in handy today.

  11. NotI

    /me thinks the following is much better

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    

    it re-writes based on incoming host and request uri

  12. Thanks a bunch, that last commenter NotI’s method worked perfectly for me in my case.

    Thanks!
