How to force https on Simple Hosting using .htaccess

Once you have installed an SSL certificate on your Simple Hosting instance, you can increase the security of your site even more by forcing connections to happen over https.

This page explains how to do so using Apache's .htaccess file to redirect http:// to https://.

PHP/MySQL instances

You can force the use of HTTPS by creating an .htaccess file with the following directives:

RewriteEngine on
RewriteCond %{REQUEST_SCHEME} =http
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

The .htaccess file should be placed in the htdocs/ directory of the vhost where you want to force https.

Other instance families

For Node.js, Python, or Ruby instances, you can read the X-Forwarded-Proto request header to see which protocol the request arrived over ('http' or 'https'), and then redirect the request or rewrite the URL within your code to use https.

HSTS

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking.

The HSTS Policy is communicated by the server to the user agent via an HTTP response header field named “Strict-Transport-Security”. HSTS Policy specifies a period of time during which the user agent should only access the server in a secure fashion.

Read more: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

On a PHP instance, you can include the HSTS response header by adding the following line to your .htaccess file:

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
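
For a Python instance, the X-Forwarded-Proto check described under "Other instance families" and the HSTS header can both be handled in a small WSGI middleware. This is an added example, not Gandi's code: the names ForceHTTPS, hello_app and canonical_host are hypothetical, and it assumes the platform's front-end proxy always sets X-Forwarded-Proto.

```python
from urllib.parse import quote

HSTS_VALUE = "max-age=31536000"  # same policy as the .htaccess Header line


class ForceHTTPS:
    """WSGI middleware: redirect http to https, add HSTS to https responses."""

    def __init__(self, app, canonical_host=None):
        self.app = app
        # Optional fixed host, so the redirect never echoes a client-sent Host.
        self.canonical_host = canonical_host

    def __call__(self, environ, start_response):
        # Chained proxies may send a comma-separated list; the first entry is
        # the client's scheme. A missing header is treated as http (assumption:
        # the platform proxy always sets it).
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        if proto != "https":
            host = self.canonical_host or environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")) or "/"
            query = environ.get("QUERY_STRING", "")
            location = f"https://{host}{path}" + (f"?{query}" if query else "")
            # No HSTS header here: it is only meaningful on https responses.
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # Replace any HSTS header the app set, so exactly one is sent.
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_with_hsts)


def hello_app(environ, start_response):  # hypothetical sample application
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


# WSGI entry point: wrap your own application the same way.
application = ForceHTTPS(hello_app)
```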

Last modified: 04/19/2016 at 20:04 by Richard M. (Gandi)