How to Force HTTPS Using .htaccess (Updated 2022)
After installing an SSL certificate, your website is available over HTTP and HTTPS. However, it’s better to use only the latter because it encrypts and secures your website’s data. While Hostinger allows users to configure this setting in just one click, you can also use the .htaccess file to force HTTPS connection. This tutorial will show you how.
Download eBook: Speed Up Your Website. 8 Practical Tips That Work
Forcing HTTPS on All Traffic
One of the many functions you can perform via .htaccess is the 301 redirects, which permanently redirects an old URL to a new one. You can activate the feature to force HTTPS on all incoming traffic by following these steps:
- Go to File Manager in your hosting panel and open .htaccess inside the public_html folder. If you can’t locate it, make sure to create or unhide it.
- Scroll down to find RewriteEngine On and insert the following lines of code below it:
RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] - Save the changes.
Important! Make sure that the line RewriteEngine On is not repeated twice. In case the line already exists, simply copy the rest of the code without it.
Forcing HTTPS on a Specific Domain
Let’s say that you have two domains: http://yourdomain1.com and http://yourdomain2.com. Both domains access the same website, but you only want the first one to be redirected to the HTTPS version. In this case, you need to use the following code:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourdomain1.com [NC]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Make sure to replace yourdomain1 with the actual domain you’re trying to force HTTPS on.
Forcing HTTPS on a Specific Folder
The .htaccess file can also be used to force HTTPS on specific folders. However, the file should be placed in the folder that will have the HTTPS connection.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(folder1|folder2|folder3) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Make sure to change the folder references to the actual directory names.
After making the changes, clear your browser’s cache and try to connect to your site via HTTP. If everything was added correctly, the browser will redirect you to the HTTPS version.
Conclusion
Congratulations! you have successfully edited your .htaccess file and redirected all HTTP traffic to HTTPS, the safe version of your website. Depending on the platform where you developed your website, there could be alternative methods to enable this feature. For example, you can configure your WordPress or PrestaShop site to work with HTTPS using plugins.
If you have any tips, tricks, or suggestions that you want to share, we are looking forward to seeing them in the comments!
Suggested Reading
Do you want to know every single reason why you should redirect all HTTP traffic to HTTPS? Check out our guide on HTTP vs HTTP.
Was this tutorial helpful?
Edvinas is a professional mentor and trainer of customer support agents. When he's not teaching the secrets of providing exceptional service, he likes to travel the world and play basketball.
Comments
April 13 2017
I have problem, for me it doesnt work
April 13 2017
Hello Adnan, Do you get any errors? Are you following all steps carefully?
April 13 2017
i write this in htaccess file, is it correct?
RewriteCond %{HTTP_HOST} !^www.mywebsite.com$ [NC] RewriteRule ^(.*)$ http://www.mywebiste.com/$1 [L,R=301]RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]July 23 2017
Hi I cant seem to really make it work. can you please mail me the exact code i should insert in the .htaccess file for my website. that would be a great help my website "cryptofitnessclub.com"
January 25 2018
I tried but no success. Here is what I get in URL after adding code: http://reservationexcursions.me/wp-login.php?redirect_to=http%3A%2F%2Freservationexcursions.me%2Fwp-admin%2F&reauth=1 I added like this at the end of .htaccess : RewriteCond %{HTTP_HOST} ^reservationexcursions\.me [NC] RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] Can you help?
February 15 2018
Hello, Alex. Try removing the lines that you added and use this code instead: RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] Keep in mind that you do not need to change anything. SSL should start forcing immediately after adding it. Alternatively, you can reach the same result in WordPress with the help of plugins, such as Really Simple SSL.
July 04 2018
Thanks to this tut, my website is now secure!
July 21 2019
Thank you! This is the one I needed.
January 22 2020
thanks, it apparently works!
January 25 2020
Works like a charm! Thanks
October 01 2020
can you add a code for websites that use www. ?
November 18 2020
Hey there shahbaaz. You can use this code here:
RewriteEngine on RewriteCond %{HTTPS} off RewriteCond %{HTTP_HOST} ^www\. [NC] RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] RewriteCond %{HTTP_HOST} !^www\. [NC] RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]Let me know how it goes!October 08 2020
thanks it's working
November 18 2020
Happy to help Vishal.
October 21 2020
I had an issue with safari ios, not auto directing my site HTTPS despite me have force change set on in my settings. This has seemed to resolved my problems. many thanks
February 02 2021
Happy it worked out!
November 06 2020
Hi, Thanks for your post. I have an issue with my website. While it does work for some urls (http>https with the above replacement code in the htaccess file), there are still some urls that are left as http and don't work properly (redirection to the home page by default). Why doesn't it apply to all url on the website? Thanks a lot!
February 02 2021
Hi there! Try adding this code to your .htaccess file:
RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]Header always set Content-Security-Policy: upgrade-insecure-requestsNovember 21 2020
A website without SSL certificate is opening, and when opening a website with SSL certificate does not open, please suggest a solution.
February 09 2021
Hi there! I'd suggest to start by reinstalling your SSL. Another useful thing to do would be testing your SSL over here - this will give you insight into whether your SSL is working well. If you have any issues with it and after reinstalling it, you're still getting issues, it's best to contact your host :)
November 28 2020
hi how can redirect to www address: enter user : http://www.domain.com/any_address/ redirect : https://www.domain.com/any_address/ just my home page domain right work (all enter domain redirect to https://www ) but dimain.com/any_address not work thanks
February 09 2021
Hi there! If you're using Wordpress, you'd need to make sure to change the URL in your database to
https://wwwas well. That will rewrite all of your links :)November 30 2020
hey buddy it work but it did not work on one page I have 15 pages n my website it works for all of these but on contact us it didn't wok RewriteEngine On RewriteCond %{SERVER_PORT} 80 RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://itforsme.in/$1 [R,L]
February 09 2021
Hi there! Try adding this code to the top of your .htaccess file:
RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]Then to avoid mixed content on your website, I'd suggest adding this line as well:Header always set Content-Security-Policy: upgrade-insecure-requestsJanuary 27 2021
Thanks for the Tutorial. This actually worked perfectly for me.
May 05 2021
its work 100% thank you
May 31 2021
Thank you very much! You very specific instructions were very helpful!
August 05 2021
working but, when i open my post link ,, its showing error 401. Only homepage is working. Any help??
September 17 2021
Hi Vishal! In this case, please check with our Customer Success team - they'll be happy to investigate your case further :)
September 14 2021
Thank you so much for hostinger. These instructions were very helpful for me!
October 01 2021
${HTTPS} is simply not defined in my server and so all the above stuff is not working
October 05 2021
Hi there, if you have a private server, I'd suggest adding this snippet to your Apache config files:
RewriteEngine On RewriteCond %{SERVER_PORT} !443 RewriteRule ^(/(.*))?$ https://%{HTTP_HOST}/$1 [R=301,L]You can check out more here :)October 06 2021
I have a website with complex re-write on engine, when you click on the link it goes to https. However, when google index, it index occasionally http as well. my question what can I do to stop google from indexing non-secure pages? site:ecommercelocal.com.au/ -inurl:https I still get non secure. This is what I have for base .htaccess file (I used bottom code in the .htaccess file to have SEO url from: www.ecommercelocal.com.au/activities-for-men/nsw/S_NSW.php to look like below: www.ecommercelocal.com.au/activities-for-men/liverpol-nsw) RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] Header always set Content-Security-Policy "upgrade-insecure-requests;" RewriteEngine On RewriteCond %{HTTP_HOST} ^mail\. RewriteRule . - [F,L] RewriteEngine On RewriteRule ^([^/]+)/([^/]+)-([^/]+)/?$ /$1/$3/S_NSW.php?p=$2 [L,NC,QSA,NE] RewriteRule ^([^/]+)/([^/]+)-([^/]+)/([^/]+)/?$ /$1/$3/S_NSW.php?p=$2&pi=$4 [L,NC,QSA,NE] I also have the following .htacess file in the sub folder: RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] RewriteRule ^([a-zA-Z0-9_-]+)$ S_NSW.php?p=$1 RewriteRule ^([a-zA-Z0-9_-]+)/$ S_NSW.php?p=$1 RewriteRule ^([a-zA-Z0-9_-]+)/([0-9]+)/$ S_NSW.php?p=$1&pi=$2 [NC,L] RewriteRule ^nsw/([a-zA-Z0-9_-]+)/([0-9]+)/$ S_NSW.php?p=$1&pi=$2 [NC,L] RewriteRule ^([a-zA-Z0-9_-]+)-^nsw/([0-9]+)/$ S_NSW.php?p=$1&pi=$2 [NC,L]
October 12 2021
Hi, try disabling the current .htaccess files and using this code instead:
Header always set Content-Security-Policy: upgrade-insecure-requests RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]Then to create the redirect, make sure to add this:Redirect 301 /activities-for-men/nsw/S_NSW.php https://www.ecommercelocal.com.au/activities-for-men/liverpol-nswOctober 11 2021
Hello, Inside the .htaccess I have the following code: RewriteEngine On RewriteRule ^ index.php [L] I am changing it to: RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] After this change only the main page works correctly, all the other pages fail with error 404, what would be the issue?
October 12 2021
Hi Jorge, what CMS are you using? I'd suggest to double-check the URL structure for your links. Additionally, you might want to temporarily disable the other code inside of your .htaccess file for testing. Keep us updated how it goes!
January 15 2022
How can Force HTTPS by SSH , I am using apache2 and ubuntu 20.4
January 18 2022
Hi Bassam, you can create the exact same .htaccess file inside of your VPS through SSH. You'll need to navigate to your website's public_html folder and create an .htaccess file inside of it. Alternatively, you can create the redirection for Apache using virtual host - you can find the file inside directory
/etc/apache2/sites-availablefor Ubuntu, then follow this guide :)February 05 2022
One thing you can cover in this article which will help lakhs of your customer. 1. What to choose when you install wordpress with your auto installer? http or https (if you use SSL/if you dont use SSL) What is good overall?
February 08 2022
Hi Amit, that's a very good point! If you have setup SSL prior to installing WordPress, it's best to choose HTTPS. However, if you have not setup SSL prior and try to install WordPress with HTTPS, the new website will not work, so for such a case, it's best to install on HTTP, then switch to HTTPS after SSL is installed :)