Force HTTPS

RewriteEngine on
# %{HTTPS} is "on" only when this Apache itself terminated the TLS connection
RewriteCond %{HTTPS} !on
# R=301: permanent, cacheable redirect (mod_rewrite would otherwise send a 302); L: stop processing further rules
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

The query string is carried over automatically. Note that %{HTTP_HOST} echoes whatever Host header the client sent; if the server has one canonical name, write it literally in place of %{HTTP_HOST} so the redirect always lands on that name.

If a proxy or load balancer in front of the server terminates TLS, the hop to Apache is plain HTTP and %{HTTPS} is never on. Test the scheme header the proxy sets instead (X-Forwarded-Proto is the usual convention; check your proxy's documentation):

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Only trust that header when the proxy is the only way to reach Apache and it overwrites the header on every request it forwards: a client that can reach Apache directly can send X-Forwarded-Proto: https itself and skip the redirect.
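A complete port-80 virtual host that handles both cases at once, added here as an example and not part of the original snippet: it redirects only when the request is neither a TLS connection handled by Apache nor a request forwarded by a TLS-terminating proxy, and it redirects to a fixed hostname rather than the client-supplied Host header. example.com is a placeholder, and the block assumes mod_rewrite is loaded and that X-Forwarded-Proto is the header your proxy sets.

```apache
# Added example, not from the original snippet. example.com is a placeholder.
# Assumes mod_rewrite is loaded and that the proxy (if any) sets
# X-Forwarded-Proto on every request it forwards.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com

    RewriteEngine on

    # %{HTTPS} is "on" only for TLS connections terminated by this Apache;
    # requests arriving over plain HTTP (direct or from a proxy) show "off".
    RewriteCond %{HTTPS} !=on
    # A TLS-terminating proxy forwards over plain HTTP but records the original
    # scheme in X-Forwarded-Proto. Only trust this header if the proxy is the
    # sole route to this server: a client reaching Apache directly can send
    # "X-Forwarded-Proto: https" itself and skip the redirect.
    RewriteCond %{HTTP:X-Forwarded-Proto} !=https

    # Redirect to a fixed hostname instead of %{HTTP_HOST}, which echoes the
    # client-supplied Host header (www requests are canonicalized to the apex).
    # The original query string is appended automatically. R=301 makes the
    # redirect permanent (mod_rewrite would otherwise send a 302); L stops
    # processing further rules.
    RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

When a proxy terminates TLS, this port-80 vhost is also the one that serves the site, so DocumentRoot and the rest of the site configuration go here; when Apache terminates TLS itself, this vhost does nothing but redirect and the site lives in the port-443 vhost.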

Comments

  1. Jan

    So far I was using this rule to force HTTPS

    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    

    Any pros/cons?

  2. Marcel

    @Jan,

    It is even more secure to add that line; it prevents downgrade attacks. More information about this subject can be found on Wikipedia:

    http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

    And an article by Mozilla:
    https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security

  3. Jan

    Thank you Marcel!

    Due to the POODLE attack I’m now also disabling SSL and TLS 1.0, so I thought I’d share this.

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    

    via StackExchange
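The TLS side that the HSTS header and the SSLProtocol line belong in, added here as an example rather than the commenter's own configuration: a port-443 virtual host that drops SSLv3 and the old TLS versions and sends Strict-Transport-Security only over TLS. example.com, the DocumentRoot and the certificate paths are placeholders; the block assumes mod_ssl and mod_headers are loaded.

```apache
# Added example, not from the comment above. example.com, the DocumentRoot and
# the certificate paths are placeholders; assumes mod_ssl and mod_headers are
# loaded.
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # "all" is every version this mod_ssl build supports, minus the ones
    # removed here: SSLv3 (POODLE) and TLS 1.0/1.1. Newer versions such as
    # TLS 1.3 stay enabled without being listed.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # HSTS. Browsers ignore this header when it arrives over plain HTTP, so it
    # belongs here and not in the port-80 vhost that redirects. "always" adds
    # it to error responses as well. max-age is two years; includeSubDomains
    # commits every subdomain to HTTPS, so make sure they all serve TLS first.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>
```

Roll HSTS out with a short max-age (a few minutes) before committing to two years: once a browser has seen the header it refuses plain HTTP to the host until the policy expires, and the only way to undo it early is to serve max-age=0 over HTTPS. Add the preload directive only when submitting the domain to the browser preload list, which also requires includeSubDomains and a max-age of at least one year.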

  4. Josh

    Is there an Apache configuration to access certain file types over HTTPS by default? Namely, images (jpg, png, gif), CSS, and JS. I have HTTPS turned on, but any relative paths are referencing those assets insecurely over HTTP.

    What is the best way to redirect all asset paths to HTTPS without having to hard-code https://path.to/asset.css ?
