CSP with SSL redirect via mod_rewrite

[Alex Zaworski]

Hi friends,

I use the following to redirect to HTTPS (I use GoDaddy’s ssl service, this is what they add by default):

<IfModule mod_rewrite.c>
  Options +FollowSymLinks
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteCond %{HTTP_USER_AGENT} ^(.+)$
  RewriteCond %{SERVER_NAME} ^domain\.com$
  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
  Header add Strict-Transport-Security "max-age=300"
</IfModule>

I also use a content security policy header. The CSP references ‘self’, but I’m having issues when new users navigate directly to domain.com (instead of https://domain.com). It seems like the CSP is evaluated before the redirect, and then everything refuses to load since ‘self’ refers to http://domain instead of https://domain. To ‘fix’ this I added the https:// variant of the domain to the CSP. That feels like the wrong way to go about doing things, is there something obvious I’ve missed?

[Anoop Gupta]

@alexzaworski,

You can try this code, It should be helpful.

<IfModule mod_rewrite.c>
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_USER_AGENT} ^(.+)$
RewriteCond %{SERVER_NAME} ^domain.com$
RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
Header add Strict-Transport-Security “max-age=300”
</IfModule>

Thanks
Anoop Gupta
https://www.zeemo.com.au/

[Elliejoshi]

Using the following code in your web.config file automatically redirects visitors to the HTTPS version of your site:

Thanks and Regards
Ellie Joshi
http://webchromite.com/

[Elliejoshi]

[Author]

Posts