How to force all traffic to HTTPS

After you’ve enabled SSL for your website, you’ll probably want to redirect all traffic on your website to the https version of your site. There are multiple ways to do that. Let’s compare some commonly used ways.

Using script configuration

Some scripts (including Wordpress) have a setting which allows you to set your website URL. By changing this URL from http://example.com to https://example.com, the script will probably redirect visitors to the https version of your site. Even if your script does not redirect people, it’s still highly recommended to check if your script has a setting for the URL because it will prevent other problems with links on your page.

Using .htaccess

Probably the most common way to force traffic to https is by redirecting requests using .htaccess. The .htaccess is a simple text file simply called ‘.htaccess’ which contains additional settings passed to the web server to support some more complicated functionality. If you are using a script created by other people (including CMS like Wordpress), you can probably find a .htaccess file already in the htdocs folder of your website. If you don’t have a .htaccess file yet, you can create a file using the File Manager with the file name .htaccess. Using the File Manager is recommended, some systems (especially Windows) don’t work well with .htaccess files.

After you’ve found or created your .htaccess file, you can edit it in the File Manager or using any text editor (like Notepad). You need to add the following lines to the file:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:CF-Visitor} !{"scheme":"https"}
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Using Cloudflare settings

If you’re using Cloudflare on your website, you can let Cloudflare enforce HTTPS for you. Simply login to Cloudflare’s website, go to the Crypto settings for your domain, and enable “Always use HTTPS”.

Final notes on forcing HTTPS

If your website doesn’t work anymore after applying any of these settings, there are a few common issues you should check for.

If your website does not display any content at all or shows a 500 - Internal Server Error and you’re using the .htaccess method, that means there is an error in your .htaccess file. Please make sure you copied the content exactly as shown above. If you’re sure it’s correct, you can try getting help in the forum. If you do, be sure to include the contents of your .htaccess file in the message.

If your website does show content but is missing styles, scripts or images, those files are probably linked to with http:// urls instead of https:// urls. Most browsers block requests to http:// content on https:// pages for security reasons. Check your script settings (if applicable) or update your pages to ensure only https:// urls are used on the page.

14 Likes

A post was split to a new topic: Https

A post was split to a new topic: .htaccess

3 posts were split to a new topic: Not loading correctly my website, giving error/ not secure connection…

A post was merged into an existing topic: Not loading correctly my website, giving error/ not secure connection…

A post was merged into an existing topic: Not loading correctly my website, giving error/ not secure connection…

I believe

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:CF-Visitor} !{"scheme":"https"}
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

is using the default AND condition

Wouldn’t this be better?

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https [OR]
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP:CF-Visitor} !{"scheme":"https"} 
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

In this way, any of the conditions will cause the rewrite.

5 Likes

I don’t think so. If you use Cloudflare’s Flexible SSL, the second condition will always be false, so I think this code will then cause a redirect loop. The first and third conditions check for that. And if you don’t care about flexible SSL, you can just omit the first and third conditions entirely.

5 Likes

I believe domains/subdomains on CloudFlare do not need .htaccess https redirect.
Minimum of full mode plus correct CloudFlare settings will do the trick.
The redirect loop will then not happen

4 Likes

If you use Cloudflare, you can enable “Always use HTTPS” in Cloudflare’s setting. That removes the need for any .htaccess rules, and works perfectly with all SSL modes.

It also means that the HTTPS redirect is done by Cloudflare, not your website, so it should be faster (as Cloudflare is closer to your visitors than your website is), and save you a few hits on your account.

4 Likes

A post was split to a new topic: Website doesn’t work on HTTPS