How to Force Websites to Load the HTTPS Version Using Htaccess?

HTTPS is a topic that is increasingly becoming a hot-button issue, especially as Google says it is now a ranking factor in its algorithm, however small it may be.

The trouble with HTTPS is that many people who are not familiar with web hosting, Apache, and Linux servers are unable to implement it properly. One of the main deployment challenges I’ve seen is individuals struggling to find a good way to redirect visitors from the non-HTTPS version of their website to the HTTPS version.

Let’s presume you have your website at https://www.example.com, for example. What if a person arrives at http://www.example.com? Or just http://example.com? How do you guide everybody securely to the HTTPS version in a manner that is both quick and search-engine friendly (which are the same thing now that website speed is also a ranking factor)?

The answer is to use your server’s htaccess file to redirect using Apache. This makes everything much easier because it is handled at the server level. Don’t use a WordPress plugin (if you’re running a WordPress site) for that, because if the plugin fails, then the whole redirect would fail, and on top of that I’m not a big fan of using plugins for simple things that can be hard-coded (if you don’t know what an htaccess file is, check out this website, which explains what an htaccess file is and how to use it).

As far as the code itself goes, this is what you want to place at the top of your htaccess file:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

When using this code on your own site, replace “example.com” with your own domain name. And again, this code goes before anything else at the top of your htaccess file. Another important thing to note is that if your domain has “www” in the URL, you’d want to make sure you add it, so that your code looks like this:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

This code instructs the server to send anyone arriving at the site to the correct HTTPS URL if anything else is requested. This is good because it prevents access to the non-HTTPS version of your site, which also keeps that version from being indexed by search engines. The code uses a 301 redirect, which is usually the best way to handle a permanent change, since the site is now on HTTPS instead of HTTP. If you use a cloud-based server, this variant may need to be used:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

I can’t tell you how many websites I’ve seen that go wrong, but try this code and see if it works for you. Clearly, I can’t guarantee how it’s going to work on your own website, but in my experience this was the best way to get all sites pushed to HTTPS. Also, if you’re wondering whether this code works when someone tries to access the non-HTTPS version of an internal page, it does! It will send them to the same page, only on the HTTPS version.
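
To check which of the three rule sets fits a given hosting setup before deploying it, the following added example (not the author's code) models their conditions in Python and follows the redirects they produce. It assumes a cloud load balancer that terminates HTTPS, forwards to Apache over plain HTTP on port 80 and sets X-Forwarded-Proto; the names RULES, apply_rule, backend_request and follow are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Models of the page's three rule sets: (RewriteCond test, redirect host).
# Host None means the target reuses the request's Host header (%{HTTP_HOST}).
RULES = {
    "port80": (lambda r: re.search("80", r["port"]), "example.com"),
    "port80_www": (lambda r: re.search("80", r["port"]), "www.example.com"),
    "xfp": (lambda r: not re.search("https", r["headers"].get("X-Forwarded-Proto", "")), None),
}

def apply_rule(name, req):
    """Return the 301 Location the rule set emits, or None if the page is served."""
    cond, host = RULES[name]
    if not cond(req):
        return None
    # In .htaccess context the leading "/" is stripped before ^(.*)$ captures.
    captured = re.match(r"^(.*)$", req["path"].lstrip("/")).group(1)
    return f"https://{host or req['headers']['Host']}/{captured}"

def backend_request(url, behind_proxy):
    """Build the request Apache sees for a client URL (query strings not modelled)."""
    u = urlsplit(url)
    headers = {"Host": u.netloc}
    if behind_proxy:
        # Assumed topology: proxy terminates TLS, talks HTTP to Apache on port 80.
        headers["X-Forwarded-Proto"] = u.scheme
        port = "80"
    else:
        port = "443" if u.scheme == "https" else "80"
    return {"port": port, "path": u.path, "headers": headers}

def follow(name, url, behind_proxy, max_hops=5):
    """Follow redirects like a browser: (final_url, hops) or ("LOOP", hops)."""
    for hops in range(max_hops):
        location = apply_rule(name, backend_request(url, behind_proxy))
        if location is None:
            return url, hops
        if location == url:
            return "LOOP", hops + 1
        url = location
    return "LOOP", max_hops

if __name__ == "__main__":
    for name, proxied in [("port80", False), ("port80", True), ("xfp", True), ("xfp", False)]:
        print(name, "proxied" if proxied else "direct", follow(name, "http://example.com/blog/post", proxied))
```

A rule set that does not match the topology redirects forever: the port-80 rules loop behind such a load balancer, and the X-Forwarded-Proto rule loops when nothing in front of Apache sets that header.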

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.