How to Force HTTPS on Your Website (via .htaccess)
Why should I use HTTPS?
Put simply, regular old HTTP doesn't cut it anymore.
It's secure
Security is the most important reason to use HTTPS instead of plain HTTP.
When a browser connects to your webserver, the messages exchanged are encrypted.
This means that the information shared between the visitor's computer and your webserver can't be read by eavesdroppers or malicious software, and any information transmitted between the two keeps its integrity.
This is a huge deal when you're transmitting any kind of data, especially sensitive data like social security numbers and credit card details.
Even if a hacker were to break into the connection and somehow "listen in" on the communication between the server and computer, the hacker wouldn't be able to make out exactly what was being said between the computer's web browser and the website's server.
This isn't the case when your website only uses HTTP. Given the same situation with only HTTP, you can rest assured that whatever information the hacker received was easily readable; just hope it wasn't those three numbers on the back of your credit card.
Gives your website legitimacy
Using (or force redirecting to) HTTPS adds legitimacy to your website. Let's be real, would you rather enter your information into a site that has been labeled "secure" or one labeled "not secure"?
If your website doesn't use the HTTPS protocol, most browsers will make this very obvious to the end user. Many of these same browsers will strongly discourage users from visiting a website considered "not secure".
Naturally, if you're not using HTTPS, this might result in fewer people visiting your website.
Also, did you know that the use of HTTPS is one of the minimum requirements for developing and maintaining a progressive web app? Additionally, HTTPS is required to use browser features such as the Web Bluetooth API.
SEO
Using the HTTPS protocol helps your website's SEO (Search Engine Optimization). Google tends to favor pages served over HTTPS for first-page search results over sites that only use HTTP.
If you still need to be convinced to use HTTPS, here's a simple and solid read!
Requirements
You'll need an SSL/TLS certificate. You can't have the HTTPS version of your website without a valid SSL/TLS certificate.
More than likely, you can get an SSL certificate directly through your webhosting provider. Most providers offer this service for an extra cost or for free.
If you can't get a certificate through your webhost (or you want one for free), then you can use Let's Encrypt. Let's Encrypt is a nonprofit that provides SSL/TLS certificates to websites for free.
You should be aware that SSL (Secure Sockets Layer) is dated encryption technology. It has been replaced by the standards set by TLS (Transport Layer Security). However, many places use the two terms interchangeably; even when SSL is mentioned, TLS is what is implied and actually used.
Forcing HTTPS
Often, just having the SSL/TLS certificate is not enough. The HTTPS version of your website won't necessarily be the one that is served to your visitor.
Without a forced load or redirect to the HTTPS version, the secured version will only be accessible (1) if that's how the link is written OR (2) if that's how your visitor types in the address to your website.
The problem with (1) is that it requires the link to include https://. If your website is listed on a search results page (otherwise abbreviated as SERP) with the http:// protocol, then the secure version won't load without a force or redirect.
The problem with (2) is that it relies solely on the user to access the secure version of your website. That leaves a lot of room for error.
That's where forcing HTTPS steps in.
Forcing the use of HTTPS on your website ensures that all who visit your website use the secure version no matter how they might visit your website.
For example, if your visitor simply types in yourwebsite.com then they'll be directed to https://yourwebsite.com. Likewise, if someone clicks on a link to your website that only uses http://, what will load instead is https://.
Finding .htaccess
.htaccess lives in the same folder as your website's public files. If you have a website control panel like cPanel installed, you may have to enable the viewing of dot files (hidden files) to see it.
Yes, the period in front of .htaccess is very important.
If you don't have a .htaccess file then you'll have to create one. Ensure that you place the created .htaccess file in the main directory of your website. How this is structured depends on your webhosting provider.
Typically, this main directory is named public_html or something similar. Alternatively, the directory can simply be the "/" directory.
Additionally, you'll want to make sure that your webhost/server is running Apache, since .htaccess files are an Apache feature. Apache is pretty common, so odds are that your server is running it and you should be good.
Editing .htaccess
Copy and paste this code into your .htaccess file.
## BEGIN FORCE HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
## END FORCE HTTPS
If your .htaccess file already has RewriteEngine On then don't add it again; only copy the last two lines.
What does it do?
This entire code snippet tells your webserver to redirect every plain HTTP request to its HTTPS equivalent, so the HTTPS version of your website is always the one served.
Detailed code breakdown:
RewriteEngine On
This enables Apache's rewrite engine (mod_rewrite), which lets us give the server rewriting instructions (hence why it only needs to appear in your .htaccess file once).
RewriteCond %{HTTPS} !=on
This checks whether the incoming connection is already using the HTTPS protocol; the rule on the next line only fires when it is not. It makes no sense to force HTTPS if the connection is already there.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
This redirects the visitor's browser to the HTTPS version of whatever portion of your website it was requesting (%{HTTP_HOST} is the hostname the browser asked for, and %{REQUEST_URI} is the requested path including any query string). The 301 redirect is a permanent redirect that also transfers page and domain authority. In this case you're transferring page and domain authority from the HTTP to the HTTPS version.
Testing
You'll want to make sure everything works, and that nothing else on your site broke in the process.
Test your website on as many different devices and browsers as possible.
Also, make sure all your internal links work. This is known as checking for "broken" or "dead" links. There are a few helpful (and free!) tools for this.
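As an added example (not from the original post), here is a small Python checker that requests a URL without following redirects and reports whether it received a permanent (301) redirect to the HTTPS version of the same path and query. The fake server in the block is a constructed stand-in for Apache applying the rule above, so the script runs offline; point check_https_redirect at your real http:// URL to test a live site.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def check_https_redirect(url):
    """Fetch url WITHOUT following redirects and report what the server did."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query          # REQUEST_URI keeps the query string
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
    conn.request("GET", target, headers={"Host": parts.hostname})
    resp = conn.getresponse()
    location = resp.getheader("Location", "")
    conn.close()
    expected = "https://" + parts.hostname + target
    return {
        "status": resp.status,
        "location": location,
        "permanent": resp.status == 301,          # R=301 in the rule
        "to_https": location.startswith("https://"),
        "path_preserved": location == expected,   # nothing dropped from the URI
        # An http:// Location means the rule fired but did not switch scheme,
        # which in practice produces a redirect loop.
        "loop_risk": location.startswith("http://"),
    }


class _FakeApache(BaseHTTPRequestHandler):
    """Constructed stand-in that behaves like the .htaccess rule from the page."""
    def do_GET(self):
        host = self.headers.get("Host", "localhost").split(":")[0]
        self.send_response(301)
        self.send_header("Location", "https://" + host + self.path)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_fake_server():
    """Start the stand-in on an ephemeral 127.0.0.1 port; returns the server."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeApache)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = run_fake_server()
    print(check_https_redirect("http://127.0.0.1:%d/blog/post?id=7" % srv.server_address[1]))
    srv.shutdown()
```

A healthy result has status 301, to_https True and path_preserved True; a 302 means the redirect is not permanent, and loop_risk True usually means TLS is terminated in front of Apache so %{HTTPS} is never "on".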
And as always, stay safe out there!