How to force HTTPS with Apache .htaccess

How to force HTTPS with Apache .htaccess
May 25, 2019 Scriptylion James

So you know all about SSL. You need it for your website, because if you don’t have it, Chrome is going to show an error message. And that’s going to leave a bad taste in your mouth.

But… a fully SSL enabled website that doesn’t let users access the insecure version at all? That tastes much better.

That’s the problem that most users are going to be worried about, despite all the myriad benefits of having SSL enabled. So let’s work to that end.

Just because you have an SSL certificate setup (and make sure to do so before using these tips), doesn’t mean HTTPS is working correctly. A step webmasters often forget to take is to force all traffic over to the SSL-enabled version of their website.

Why would you want to do this? Because ideally, you don’t want Google to be indexing the less secure version of your website, and you don’t want users to be accessing it either. Having two versions of your website running on HTTP and HTTPS can also trip up search engines who see the two sites as having duplicate content.

So if your website runs on the Apache webserver, here’s the way to set that right. Bear in mind, you will want to ensure your website’s asset URLs are all relative and don’t include ‘http://”. For WordPress, this is best achieved with the SSL Insecure Content Fixer plugin, which offers a number of different levels of intensity.

The reason I prefer going this route as opposed to using a plugin which enables and forces SSL all in one, is that if for some reason a plugin like that doesn’t work, or you become otherwise locked out of your admin area, the SSL is controllable via an entirely separate file.

If your website URL begins with http://www. (most common), you’ll want to use this option. Simply place the provided code as near to the top of the ‘.htaccess’ file in your website’s ‘public_html’ folder as possible. You can often access this via FTP, or via cPanel’s file manager if you’re using the software.

# REDIRECT TO HTTPS FOR FORCED WWW SUBDOMAIN
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

If your website URL begins with http:// (less common, no ‘www’), you’ll want to use this option.

# REDIRECT TO HTTPS FOR FORCED ROOT DOMAIN
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

If for some reason you wanted to force SSL off, for example for development purposes, you could use this option.

# REDIRECT TO HTTP FOR TESTING PURPOSES
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

And there you have it, an easy way to control which version of your SSL-enabled website your users get redirected to if you’re hosted on Apache.