How to Force HTTPS correctly

HTTP is the acronym for Hypertext Transfer Protocol. HTTPS is the same, with "Secure" added. Both protocols are used for the same thing: data transfer.

The basic difference between the two is the way the data travels. If the data is transferred via HTTP, it travels in the clear and is accessible to anyone who intercepts the communication. In contrast, the HTTPS protocol uses a secure connection through SSL encryption and therefore data travels safely from one place to another.

What do I need for HTTPS?

You need to install an SSL certificate. SSL (Secure Sockets Layer) is a global security standard that allows encrypted data transfer between a browser and a web server. Probably the most important part of an SSL certificate is where it comes from. SSL certificates are issued by Certification Authorities (CA), which are trusted organizations in charge of verifying the identity and legitimacy of the entity requesting a certificate.

After installing an SSL certificate, your website is available both over HTTP and HTTPS.

Apache2

To force HTTPS correctly in Apache2, the best way is to use the .htaccess file. First, locate the .htaccess in the root public folder of the site, for example "public_html".

Then add the following lines:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

For example, if we have a WordPress installation, our .htaccess would look like this:

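# BEGIN Force HTTPS
# Kept outside the WordPress markers: WordPress regenerates everything
# between "# BEGIN WordPress" and "# END WordPress", so rules placed
# inside that block can be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
# Only redirect requests that arrived over plain HTTP
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
# END Force HTTPS

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress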

Nginx

To force HTTPS correctly in Nginx, the best way is to catch all port 80 (HTTP) requests and redirect them to port 443 (HTTPS). This works when you know you want all configured sites to use only HTTPS.

server {
    listen 80 default_server;

    server_name _;

    return 301 https://$host$request_uri;
}
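
To confirm that either the Apache2 rules or the Nginx server block above behaves as intended, the following added example (not part of the original article) sends one plain-HTTP request without following redirects and checks that the answer is a 301 to the same host, path and query string over HTTPS. The function names and the example.com hostname are assumptions chosen for illustration.

```python
# Added example: verify an HTTP -> HTTPS redirect such as the ones configured above.
# Function names and hostnames are illustrative, not from the original article.
import http.client
from urllib.parse import urlsplit


def check_redirect(request_url, status, location):
    """Return a list of problems with the redirect (empty list means OK)."""
    problems = []
    req = urlsplit(request_url)
    if status != 301:
        problems.append(f"expected status 301, got {status}")
    if not location:
        return problems + ["no Location header"]
    loc = urlsplit(location)
    if loc.scheme != "https":
        # A relative or http:// Location keeps the visitor on plain HTTP.
        problems.append(f"Location scheme is {loc.scheme!r}, not 'https'")
    if (loc.hostname or "").lower() != (req.hostname or "").lower():
        problems.append(f"host changed: {req.hostname} -> {loc.hostname}")
    if loc.port not in (None, 443):
        problems.append(f"unexpected port {loc.port}")
    if (loc.path or "/") != (req.path or "/") or loc.query != req.query:
        problems.append("path or query string not preserved")
    return problems


def probe(request_url, timeout=5):
    """Send one GET over plain HTTP and return (status, Location header)."""
    u = urlsplit(request_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        target = (u.path or "/") + ("?" + u.query if u.query else "")
        conn.request("GET", target)  # http.client never follows redirects
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    for url in sys.argv[1:]:  # e.g. http://example.com/some/page?x=1
        issues = check_redirect(url, *probe(url))
        print(url, "OK" if not issues else issues)
```

Run it against a deep URL with a query string rather than only the home page, since a rule that redirects everything to the site root passes the home-page check but loses the requested page.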
