How to Force HTTPS using .htaccess

Introduction

Before we begin talking about how to force HTTPS using .htaccess, let's briefly look at what HTTPS is.

HTTPS, short for Hypertext Transfer Protocol Secure, is a secure version of HTTP used for secure communication over the Internet. It ensures that data transmitted between a website and a user's browser is encrypted, protecting it from potential hackers.

With HTTPS, sensitive information like passwords and credit card details remain private, preventing unauthorized access. The use of HTTPS has become increasingly important for websites, not only to safeguard user data but also for better search rankings on Google and other search engines.

In this tutorial, you will force HTTPS using .htaccess. We will also address a few FAQs on how to Force HTTPS using .htaccess.

Advantages of HTTPS

  1. Security: HTTPS encrypts data, ensuring confidentiality and protecting against hackers.
  2. Data Integrity: It verifies that data remains unchanged during transmission, preventing tampering.
  3. Authentication: HTTPS establishes trust through the use of digital certificates, validating website identity.
  4. SEO Boost: HTTPS websites enjoy higher search rankings on Google, improving visibility and traffic.
  5. User Trust: HTTPS reassures visitors that their information is secure, promoting confidence and increasing conversions.

Redirect HTTP to HTTPS using .htaccess

.htaccess is a per-directory configuration file for the Apache web server. This file is used to specify how Apache serves files from the directory in which it is placed, as well as to enable and disable additional features.

You can find the .htaccess file in the domain root directory, but it is possible to have additional .htaccess files in subdirectories.

SSH or FTP can be used to edit (or create) the .htaccess file.

Open the .htaccess file and add the following code to redirect HTTP requests to HTTPS:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Here is what each line of code does:

  • RewriteEngine On: Enables the rewrite capabilities so that we can use rewrite rules.
  • RewriteCond %{HTTPS} off: Checks whether the request arrived over plain HTTP. The next line is executed only when the condition is met, because all we want to do is redirect HTTP requests. If this condition is omitted, the rule also fires on HTTPS requests and you will get a redirect loop.
  • RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]: Redirects all HTTP requests to HTTPS with the status code 301 (Moved Permanently). This rule will redirect http://example.com/about to https://example.com/about or http://www.example.com/about to https://www.example.com/about.

If the file contains other rules, place the rewrite code at the top.

That's all! After you've added these lines, save the file and restart your browser. All HTTP requests should be routed through HTTPS.

You do not need to restart the server after editing the .htaccess file because Apache reads it with each request.

This rule is general and works for any domain, because it builds the redirect target from two server variables instead of a hard-coded hostname:

  • %{HTTP_HOST} is the hostname requested by the visitor when accessing the site. Your domain name is represented by this variable.
  • %{REQUEST_URI} is the URI used to access the page.

Redirect HTTP to HTTPS and WWW to Non-WWW

Any website can be accessed via two URLs: with the www prefix (for example, www.example.com) and without it (such as example.com). The majority of website owners select one version as their preferred domain and redirect to it.

To redirect from HTTP to HTTPS and from www to non-www, add the following lines to your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]

We have two conditions here. The first checks whether the connection is not HTTPS, and the second checks whether the requested hostname begins with www. The rewrite rule is executed if either of the conditions is true (the [OR] operator).

Redirect HTTP to HTTPS and Non-WWW to WWW

If you prefer your site's www version, use the following rule to redirect from HTTP to HTTPS and from non-www to www.

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
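
The redirect behaviour of the rule sets above can be checked by following each redirect chain and confirming that it ends on HTTPS without looping. The script below is an added example, not part of the original tutorial: `simple_rule` and `www_to_non_www_rule` are constructed models of the page's rules (hypothetical names, sample URLs without query strings), and `check_chain` is the checker.

```python
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 307, 308)

def simple_rule(url, keep_cond=True):
    """Constructed model of: RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]"""
    u = urlsplit(url)
    # Without the condition the rule fires on HTTPS requests as well.
    if u.scheme == "http" or not keep_cond:
        return 301, f"https://{u.netloc}{u.path or '/'}"
    return 200, None

def www_to_non_www_rule(url):
    """Constructed model of the [OR] rule set that targets https://example.com/$1."""
    u = urlsplit(url)
    https_off = u.scheme == "http"
    host_is_www = u.netloc.lower().startswith("www.example.com")  # [NC] = case-insensitive
    if https_off or host_is_www:  # [OR]: either condition triggers the redirect
        return 301, f"https://example.com{u.path or '/'}"
    return 200, None

def check_chain(url, fetch, max_hops=5):
    """Follow redirects using fetch(url) -> (status, location).
    Returns (verdict, final_url, hops)."""
    seen = []
    while len(seen) <= max_hops:
        if url in seen:
            return "loop", url, len(seen)
        seen.append(url)
        status, location = fetch(url)
        if status not in REDIRECTS:
            secure = status == 200 and url.startswith("https://")
            return ("ok" if secure else "insecure"), url, len(seen) - 1
        url = location
    return "too-many-hops", url, len(seen)

if __name__ == "__main__":
    for start in ("http://example.com/about", "http://www.example.com/about",
                  "https://www.example.com/", "https://example.com/about"):
        print(start, "->", check_chain(start, www_to_non_www_rule))
    # The same rule with its RewriteCond removed never settles:
    print(check_chain("http://example.com/about",
                      lambda u: simple_rule(u, keep_cond=False)))
```

To check a live site, pass `check_chain` a fetch function that sends a request without following redirects and returns the status code and the Location header.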

FAQs on Forcing HTTPS using .htaccess

Why should I force HTTPS? 

Forcing HTTPS ensures secure communication between your website and users. It encrypts data, preventing unauthorized access, and builds trust with visitors.

What is .htaccess?

.htaccess is a configuration file used by Apache web servers to control website behavior, including redirecting HTTP to HTTPS.

Are there any requirements for using .htaccess to force HTTPS? 

Yes, your website should be hosted on an Apache web server, and the mod_rewrite module should be enabled.

Where can I find my .htaccess file? 

The .htaccess file is usually located in the root directory of your website. Ensure it is visible and editable.

Will forcing HTTPS affect my website's SEO? 

No, forcing HTTPS can improve your SEO. Google prefers secure websites and may give them a slight rankings boost, leading to better visibility.

How can I test if HTTPS is properly forced on my website? 

Access your website using HTTP and check if it automatically redirects to the HTTPS version. You can also use online tools like "Why No Padlock" or browser extensions.

What should I do if forcing HTTPS breaks my website? 

If you encounter any issues, double-check the code for errors and ensure your SSL certificate is correctly installed. You can also seek assistance from your web hosting provider.

Conclusion

We demonstrated how to modify your .htaccess file to redirect all HTTP traffic to HTTPS.

If you have access to the Apache configuration files, you should force HTTPS by creating a 301 redirect in the domain's virtual host for better performance.