Forcing HTTP redirect to SSL

Overview

Converting HTTP to HTTPS resources can be accomplished in several ways. It goes without saying that you should setup and test your SSL certificate before performing any of the following methods.

Strict Transport Security

Modern browsers support a security standard called “HTTP Strict Transport Security“, or HSTS for short. HSTS sends a header with the URI response to indicate that future requests should use HTTPS.

To utilize HSTS, add the following line to a .htaccess in the document root of the domain/subdomain:

Header always set Strict-Transport-Security "max-age=63072000;"

The above example restricts mandatory SSL for the domain only. To extend this policy to subdomains as well, such as forum.example.com and blog.example.com, add “includeSubdomains”:

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

Downsides: first request if sent over HTTP will not be encrypted, requires browser compliance

Upsides: easy to implement, SSL can propagate to subdomains, directive is cached in browser

mod_rewrite Rewrite

By utilizing mod_rewrite, add the following to a .htaccess file in the document root of the domain/subdomain that you would like to redirect:

RewriteEngine On
RewriteBase /
RewriteCond %{HTTPS} !^on$
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R,L]

Downsides: can be complex, does not extend to subdomains without a common parent directory, can create a redirect loop

Upsides: extremely flexible implementation

WordPress

WordPress creates absolute URIs. If WordPress is installed over http://, then all URIs will reflect http://. To convert generated URIs from http:// to https://, login to the WordPress administrative panel, go to Settings > General. Change both the WordPress Address and Site Address fields from http://… to https://… If not all links, such as old posts, have changed correctly, use a third-party plugin such as Really Simple SSL to update all post data.

WordPress SSL tunables

Leave a Reply