Redirecting http to https with htaccess

Once a site has been transitioned to the https protocol, it’s important to redirect all legacy traffic through this protocol with a 301 “permanently moved” status code, so the change can propagate fully. Otherwise, anyone following a now-outdated link to the http version will continue browsing that version, unknowingly circumventing all the security that’s been put in place.

If you can’t modify the server configuration (which is usually the case on shared hosting environments like GoDaddy) the best way to do this is via htaccess.

We’ll set up a conditional to catch requests via the http protocol (so we’re not redirecting valid https requests). There are two ways we can do this:

  • Check the HTTPS environment variable
    The HTTPS environment variable is always set, even when the https protocol is not in use. It will be either on or off.
  • Check the port
    Traffic via http will be over port 80, https over port 443.

Because configuration varies from server to server, I’ve found it prudent to look for either:

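## mod_rewrite ignores the rules below unless the engine is on
RewriteEngine On
## Check the HTTPS variable
RewriteCond %{HTTPS} off [OR]
## Check the port
RewriteCond %{SERVER_PORT} ^80$
## Send the same host and path to https
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]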

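It’s a best practice to set the redirect status first to 302, or “temporary redirect”, confirm everything works, then set it to 301. Browsers cache 301 responses, so a mistake in a permanent redirect is hard to take back.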
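One way to do the "confirm everything works" step, as an added example that is not part of the original post: a shell function that reads the response headers returned for an http URL and reports whether the redirect lands on the same host, path and query over https, and whether it is still temporary. The function name check_redirect, the example.com URLs and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# check_redirect HEADERS REQUESTED_URL   (hypothetical helper, not from the post)
# HEADERS is the raw header block for a plain-http request, e.g. live:
#   check_redirect "$(curl -sI "$url")" "$url"
# Prints a verdict; returns 0 for a correct 301, 2 for a correct 302, 1 otherwise.
check_redirect() {
    headers=$(printf '%s\n' "$1" | tr -d '\r')      # drop CRs from CRLF endings
    url=$2
    # Status line looks like "HTTP/1.1 301 Moved Permanently"
    status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
    # Header names are case-insensitive
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1)=="location:" {print $2; exit}')
    # The rule should keep host, path and query and change only the scheme
    rest=${url#http://}
    case $rest in */*) ;; *) rest="$rest/" ;; esac   # bare host means path "/"
    expected="https://$rest"

    case $status in
        301|302) ;;
        *) echo "no-redirect"; return 1 ;;           # http is still being served
    esac
    case $location in
        https://*) ;;
        *) echo "not-https"; return 1 ;;
    esac
    if [ "$location" != "$expected" ]; then
        echo "target-mismatch"; return 1             # host, path or query changed
    fi
    if [ "$status" = 302 ]; then
        echo "temporary"; return 2                   # fine while testing with R=302
    fi
    echo "permanent"
}

# Constructed sample responses (not captured from a real server)
SAMPLE_URL='http://example.com/blog/post?id=7'
SAMPLE_302='HTTP/1.1 302 Found
Location: https://example.com/blog/post?id=7'
SAMPLE_301=$(printf 'HTTP/1.1 301 Moved Permanently\r\nlocation: https://example.com/blog/post?id=7\r\n')
SAMPLE_200='HTTP/1.1 200 OK
Content-Type: text/html'

check_redirect "$SAMPLE_302" "$SAMPLE_URL" || true   # prints: temporary
```

Run it against a deep link with a query string as well as the home page, since a rule that redirects everything to the site root still returns a 301.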

If you’re configuring this on a WordPress site, be sure to prevent WordPress from overwriting your rewrite conditions and rules.