[GUIDE] How to make the user always get to https version of the site - even if he goes to http

My customers complained about error of lack of SSL certificate on their site although it was installed.

Put this file in the root of the site - via FTP and the issue will be resolved once and for all. Just don’t forget to unzip it first!
htaccess.zip (981 Bytes)

Suitable for all sites - with any domain name, you do not need to make any changes.
If you already have htaccess and you know what it is - or you already use it somehow - then open the text with a file editor and add that code there to your file.

SetEnvIf X-Forwarded-Proto https HTTPS=on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
2 Likes

That is curious. I have seen this on various sites recently where a warning is created about SSL, even though it is installed. I haven’t seen it on any of my own sites but have wondered why it is happening.

On my own sites I force everything to https:// without www and also use HSTS preload.

RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.*)
RewriteRule ^.*$ https://%1/$1 [R=301,L]

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
2 Likes

I am always interested in ways to improve htaccess because it is so useful. You may like to see an excellent post by @brechtryckaert for security and performance.

I am currently using 90% of that on my websites with just a few additions.

1 Like

I don’t know much about it to be honest.
I just had a question - I contacted the ISP support.
When they solved the issue - I asked how they did it.
He told me about this file - and I just copied it and put it on all my sites now.
But such a problem - as described, I had only on some hosting - which do not do it automatically. How they do it - I do not know. Obviously, without redirection, anyone who goes to the http version of the site - will get a notice that the certificate is not there. Because it can’t be http. And something or someone does such redirection - but you can do it yourself.
But the fact remains - that on some hosts the problem is - on others not.
But I’m just in case throwing htacsess of the topic.
The method actually advised me administrator hosting nano lv

Oooh!
Very cool - thanks, I’ll read that thread.

And could you share your findings with explanations - something that would work for everyone - for static sites?
That might make a good guide.

I have hit this SSL warning error recently on some big news websites that definitely have an SSL certificate and redirects in place. I actually wondered if they might just have some non SSL links or resources that might be causing the web browser to stop with a warning.

Nowadays I think it is bad practice to build a website without SSL and my web host applies the certificate automatically when a new domain is added. Not having SSL will hurt your page speed and search ranking.

Sure I can post something on the original thread a little later. I think the changes I made included the addition of a 404 page, securing the htaccess file and also enabling WebP images with a Jpeg fallback.

Brecht is far more knowledgable on these points. If you look at his profile he has done a lot of work on website security.

1 Like

Maybe something with coriander to add some taste?

Something might be coming, yes :slight_smile: Multiple things really.

4 Likes

That’s exactly what I was looking for, as a very very newbie.

Uploaded the file to root (level above “www” folder), renamed it to “dot htaccess”, and voilà!

Very helpful community, thank you guys!

3 Likes

I am getting very useful answers here. Thanks to the community.

3 Likes