Force Secure (SSL) Pages With .htaccess
Updated 11/3/2015: Added R=301 to ensure redirects are 301 permanent.
A while back, I shared a method for forcing a secure page using PHP. What if you want to force SSL (https://) on an entire website though? You don't want to have to put force-SSL PHP code on every page, right? Well, the website's .htaccess file comes to the rescue.
The .htaccess Code
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://domain.com/$1 [R=301,L]
Obviously, you'll want to change "domain.com" to your domain. Another short snippet of code that has a big impact on your website!
![5 Ways that CSS and JavaScript Interact That You May Not Know About]()
CSS and JavaScript: the lines seemingly get blurred by each browser release. They have always done a very different job but in the end they are both front-end technologies so they need do need to work closely. We have our .js files and our .css, but...
![JavaScript Promise API]()
While synchronous code is easier to follow and debug, async is generally better for performance and flexibility. Why "hold up the show" when you can trigger numerous requests at once and then handle them when each is ready? Promises are becoming a big part of the JavaScript world...
![Better Pull Quotes with MooTools]()
Chris Coyier authored a post titled Better Pull Quotes: Don't Repeat Markup a while back. In his post he created great-looking pull quotes without repeating any content -- instead he uses jQuery to dynamically create the pull quotes. The following is the...
![Cross Browser CSS Box Shadows]()
Box shadows have been used on the web for quite a while, but they weren't created with CSS -- we needed to utilize some Photoshop game to create them. For someone with no design talent, a.k.a me, the need to use Photoshop sucked. Just because we...
Great tip but what if you have more than one domain to the same website? For example, you have davidwalsh.name now, but you could have had the domain davidwalsh.com too. How would you change the script so that it worked on both of your domains?
If you have a website that uses the www. prefix (the standardized way for top level domains) add www. into the .htaccess code. Otherwise Google will penalize you for duplicate content (your entire site would be one whole duplicate).
Great tip!
Good point!
And nice tip
Thanks for the venue.
I’m new to this web admin topic and would like some clarity on what is probably a very simple question for experienced webmasters.
is it correct that using basic authentication (.htaccess + htpassword) on an Apache server that allows only ssl will not result in clear text being sent from the browser to the server .. since after all it is an ssl connection?
Also, in general, is htaccess a reasonable way to secure directories given a 100% ssl site?
Thanks.
Thanks a lot..
I was searching this kind of thing….
@martin
For redirecting all non-SSL trafic, see http://blackflag.wordpress.com/2006/06/13/apache2-forcing-all-inbound-traffic-to-ssl/
Will this script work with subdomains and wildcard SSL certificates?
yourwebsite.com
subdomain1.yourwebsite.com
subdomain2.yourwebsite.com
When you force an SSL page for your website you also want to be sure and have any adds that are directed to your site to already include the https:// in the link to your site. Many search engine advertising sites are touchy with redirection even if it is only to send you to a secure page directly. This .htaccess code I believe will work on subdomains (remember you require a certificate for each subdomain from your web host service installed first), but you need to put the .htaccess code in each of your subdomains main folder. Thanks for the great article! =)
Is there a way to exclude ONE page from the global https? If there is one page that I want to keep http, how would I go about doing that?
Thanks for this tip!
I find SSL completely unconfigurable on Apache. What one would call SSL hell !
hello,
i have several page, for example, domain/mypage1 and domain/mypage2
how do i configure htaccess so when i come to domain/mypage2 i will redirect to https connection,
yes i have working well installed working well comodo SSL and had dedicated IP.
Thank you, this came in handy today.
/me thinks the following is much better
RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}it re-writes based on incoming host and request uri
Thanks a bunch, that last commenter Notl’s method worked perfect for me in my case.
Thanks!