How to Force HTTPS Using Htaccess

HTTPS is becoming more and more of a hot-button issue, especially since Google stated a while ago that it is now a ranking factor in their algorithm, however small it may be.

The trouble with HTTPS is that many people who aren’t familiar with web hosting, Apache, and Linux servers don’t know how to implement it properly. One of the biggest implementation issues that we’ve seen is people having trouble finding a good way to redirect users from the non-HTTPS versions of their website to the HTTPS version.

For instance, let’s say you have your website located at https://www.example.com. What happens if a user lands on http://www.example.com? Or what about just http://example.com? How do you safely redirect everyone to the HTTPS root in a way that is both fast and search engine friendly (which are both the same thing now that website speed is also a ranking factor)?

The answer is to use the htaccess file on your server to perform the redirect in Apache. This makes everything much faster because it is being done at the server level. DON’T use a WordPress plugin (if you’re hosting a WordPress site) for this, because if the plugin breaks, then your entire redirect will break. On top of that, we’re not big fans of using plugins for simple things that can be hard-coded (if you don’t know what an htaccess file is, then check out this page explaining what an htaccess file is and how to use it).

As far as the code itself goes, here is what you want to put at the top of your htaccess file:


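# Turn on mod_rewrite
RewriteEngine On
# Match only requests that arrived on port 80 (anchored so that 8080 does not match)
RewriteCond %{SERVER_PORT} ^80$
# Permanent (301) redirect to the same path on the HTTPS site
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]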

When you use this code on your own site, you’d replace “example.com” with your own domain name, whatever that happens to be. And again, this code is pasted at the top of your htaccess file, before anything else. One important thing to note is that if your domain has “www” in the URL then you’d want to make sure you add that, so your code would look like this:


RewriteEngine On
# Match only requests that arrived on port 80 (anchored so that 8080 does not match)
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

This code instructs the server to redirect anyone who visits your site to the proper HTTPS root if they happen to type in anything else. This is good because it prevents the non-HTTPS version of your site from being accessible, which in turn prevents it from being indexed in search engines. The code uses a 301 redirect, which is usually the best way of redirecting permanent changes like your site being on HTTPS instead of HTTP. If you’re using a cloud-based server, you might need to use this variant:


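RewriteEngine On
# When a proxy or load balancer terminates TLS, Apache sees plain HTTP for every
# request, so test the X-Forwarded-Proto header that the proxy sets instead of the port
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]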

We can’t tell you how many sites we’ve seen get this wrong, so test out this code and see if it works for you. Obviously we can’t guarantee how it will work on your specific server, but in our experience this has been the best way to accomplish forcing all pages to HTTPS. Also, if you’re worrying about whether or not this code works if someone tries to visit a non-HTTPS version of an inner page, it does! It will redirect them to the same page, just on the HTTPS version.
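One way to test the redirect after deploying the rules, as an added example that is not part of the original tutorial: the script requests the bare and www hosts over plain HTTP, for the root and an inner page, and reports anything other than a single 301 to the same path on the HTTPS host. The function names and the sample inner path /inner/page?x=1 are this example's own assumptions.

```python
import http.client
import sys
from urllib.parse import urlsplit

def evaluate_redirect(requested_url, status, location, canonical_host):
    """Return the problems found in one redirect response (empty list = OK)."""
    if not location:
        return [f"status {status} with no Location header"]
    req, loc = urlsplit(requested_url), urlsplit(location)
    problems = []
    if status != 301:
        problems.append(f"expected 301, got {status}")
    if loc.scheme != "https":
        problems.append(f"target scheme is {loc.scheme!r}, not https")
    if loc.hostname != canonical_host.lower():
        problems.append(f"target host is {loc.hostname!r}, not {canonical_host!r}")
    if (loc.path or "/", loc.query) != (req.path or "/", req.query):
        problems.append("path or query string was not preserved")
    return problems

def fetch_first_hop(url, timeout=10):
    """Request url over plain HTTP; return (status, Location) without following it."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit(canonical_host, paths=("/", "/inner/page?x=1"), fetch=fetch_first_hop):
    """Check the bare and www hosts, root and an inner page, over plain HTTP."""
    bare = canonical_host[4:] if canonical_host.startswith("www.") else canonical_host
    report = {}
    for host in (bare, "www." + bare):
        for path in paths:  # constructed sample paths; replace with real pages
            url = f"http://{host}{path}"
            report[url] = evaluate_redirect(url, *fetch(url), canonical_host)
    return report

if __name__ == "__main__":
    # Usage: python check_redirect.py www.example.com  (the HTTPS host you redirect to)
    for url, problems in audit(sys.argv[1]).items():
        print(url, "OK" if not problems else "; ".join(problems))
```

Pass the host exactly as it appears in your RewriteRule target, with or without “www”.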