Forcing SSL and WWW using .htaccess

Question

I would like to know if this code in .htaccess for forcing SSL and WWW in URL is correct, because with another codes I usually get redirect loop, e.g. RewriteCond %{HTTPS} !=on and now it works like a charm (suspiciously). Also, is possible to write it better/simplier?

# Force to SSL
RewriteCond %{HTTP:HTTPS} !1
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

# Force to WWW
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

Possible duplicate of [Force SSL/https using .htaccess and mod\_rewrite](http://stackoverflow.com/questions/4398951/force-ssl-https-using-htaccess-and-mod-rewrite). You might also try [Code Review Stack Exchange](http://codereview.stackexchange.com/). — jww, Jul 12 '14 at 08:55
That is not what I specifically searching. I will try Code Review Stack Exchange, thank you. — user2406937, Jul 12 '14 at 09:08

score 58 · Accepted Answer · answered May 02 '16 at 15:50

58

That's a bit simpler.

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\.domain\.com$ [NC]
RewriteRule ^(.*)$ https://www.domain.com/$1 [L,R=301]

answered May 02 '16 at 15:50

Aley

7,770
6
40
53

could you please explain the conditions as well? I am bit novice here. – Sam Jan 07 '17 at 12:39
1

Line 2 checks if HTTPS is off then we have an OR condition with line 3. Line 3 checks if hostname is different from www.domain.com. If one of them gives true, last line takes action and redirects "R=301" with HTTP Code 301 to https://www.domain.com/ – Aley Jan 07 '17 at 16:51
1

By this all the subdomains gets redirected as well. for eg. `api.domain.com` changes to `www.domain.com`.. is there any way to add `www` only to root `domain.com` and not any subdomain. – Sam Jan 09 '17 at 11:44
1

this will not redirect `https://example.com` to `https://www.example.com` – Ramesh-X Jan 10 '19 at 05:11
dont think that works for subfolders if you have another .htaccess on them – Bruno Simoes Feb 02 '19 at 09:53
Works fine. Thanks – Ahsan Khan Nov 18 '19 at 07:37
`https://example.com` to `https://www.example.com` is also working fine with this code. thanks – Kiran Jan 20 '20 at 16:25

score 37 · Answer 2 · answered Jul 12 '14 at 09:27

37

Use this:

RewriteEngine on

# Force www: from http://stackoverflow.com/a/4958847/1078583
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Force SSL: From http://stackoverflow.com/q/24322035/
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L,NE]

answered Jul 12 '14 at 09:27

zx81

38,175
8
76
97

Is there a reason for making the SSL redirect temporary instead of permanent? – Jabari Jul 10 '15 at 19:56
2

@Jabari Looks like I may have pasted these two pieces of code (see the URLs). But in general, 302s are recommended while testing, then when you're sure the redirect works, move to 301. – zx81 Jul 11 '15 at 00:37

Jasper Mulder · Answer 3 · 2019-11-23T08:49:51.500

10

No need for filling in a domain. This is forcing WWW and HTTPS in any case. This is dealing with subfolder as well.

RewriteEngine On

RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

edited Nov 23 '19 at 08:49

answered May 15 '19 at 11:56

Jasper Mulder

164
1
8

2

I think I prefer this one. – warmwhisky Nov 13 '19 at 07:47
Works perfectly and reliably. – Callum Kerr Jul 03 '20 at 17:12

score 3 · Answer 4 · answered Feb 14 '18 at 22:23

3

Sorry for bumping this topic but I just wanted to add a simple solution for search engine visitors.

RewriteEngine on
# Force WWW & SSL
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://www.stackoverflow.com/$1 [L,R=301]

answered Feb 14 '18 at 22:23

WebCraker

61
5

score 2 · Answer 5 · answered Sep 19 '18 at 14:42

I found a mod_rewrite solution that works well for both proxied and unproxied servers.

If you are using CloudFlare, AWS Elastic Load Balancing, Heroku, OpenShift or any other Cloud/PaaS solution and you are experiencing redirect loops with normal HTTPS redirects, try the following snippet instead.

RewriteEngine On

# If we receive a forwarded http request from a proxy...
RewriteCond %{HTTP:X-Forwarded-Proto} =http [OR]

# ...or just a plain old http request directly from the client
RewriteCond %{HTTP:X-Forwarded-Proto} =""
RewriteCond %{HTTPS} !=on

# Redirect to https version
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

I have beat myself up for week trying to get SSL working correctly on host behind CloudFlare. Your code works beautifully... — Woody, Dec 14 '20 at 00:04

score 1 · Answer 6 · edited Jun 20 '20 at 09:12

1

9 Force www: is perfect thank you.

My server is Heart Internet and the force SSL for Heart is:

# All calls go to SSL
RewriteEngine On
RewriteCond %{ENV:HTTPS} !=on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

edited Jun 20 '20 at 09:12

Community

1
1

answered Feb 21 '17 at 09:54

user2135841

31
3

score 0 · Answer 7 · answered Jun 20 '20 at 12:06

0

I had the same problem and I used this to solve it. worked best.

RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L,NE]

answered Jun 20 '20 at 12:06

404notBrighton

51
1
1
8

Forcing SSL and WWW using .htaccess

7 Answers7

9 Force www: is perfect thank you.

Linked