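# Send every request that did not arrive over HTTPS to the same host and path on HTTPS (permanent redirect)
RewriteEngine on
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]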
If you have a proxy in front of your server performing TLS termination:
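# Behind a TLS-terminating proxy, test the forwarded protocol instead; the proxy must set or overwrite this header
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]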
So far I was using this rule to force HTTPS
Any pros/cons?
@Jan,
It is even more secure to add that line; it prevents downgrade attacks. More information about this subject can be found on Wikipedia:
http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
And an article by Mozilla:
https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
Thank you Marcel!
Due to the POODLE attack I’m now also disabling SSL and TLS 1.0, so I thought I’d share this.
via StackExchange
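The pieces mentioned in the comments above (the redirect, the HSTS header from the reply to Jan, and disabling SSLv3 and TLS 1.0) put together in one Apache configuration. This is an added example, not configuration posted by any commenter; example.com and the certificate paths are placeholders.

```apache
# Added example. Requires mod_rewrite, mod_ssl and mod_headers.
# example.com and the certificate paths below are placeholders.

# Port 80 does nothing except send the client to HTTPS.
<VirtualHost *:80>
    ServerName example.com

    RewriteEngine On
    # Redirect to the fixed server name rather than %{HTTP_HOST}, so a
    # forged Host header cannot end up in the redirect target.
    RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile    /path/to/example.com.crt
    SSLCertificateKeyFile /path/to/example.com.key

    # Disable SSLv3 (POODLE) and TLS 1.0; newer TLS versions stay enabled.
    SSLProtocol all -SSLv3 -TLSv1

    # HSTS: tells the browser to use HTTPS for this host for max-age seconds.
    # Browsers only honour the header on HTTPS responses, so it is set here
    # and not in the port-80 block. 31536000 seconds = 1 year; use a short
    # value while testing, because browsers remember it.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

The redirect is still needed alongside HSTS: the header only takes effect after the browser has received it once over HTTPS, so a first visit over plain HTTP relies on the port-80 rule.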
Is there an Apache configuration to access certain file types over HTTPS by default? Namely, images (jpg, png, gif), css, and js. I have HTTPS turned on, but any relative paths are referencing those assets insecurely over HTTP.
What is the best way to redirect all asset paths to HTTPS without having to hard-code https://path.to/asset.css?