By Cat


2010-11-03 00:14:20 8 Comments

I'm trying to redirect all insecure HTTP requests on my site (e.g. http://www.example.com) to HTTPS (https://www.example.com). I'm using PHP btw. Can I do this in .htaccess?

25 comments

@Bhaskara Arani 2019-07-17 11:24:17

If you want to do it from the tomcat server follow the below steps

In a standalone Apache Tomcat (8.5.x) HTTP Server, how can you configure it so that if a user types www.domain.com, they will be automatically forwarded to the https (www.domain.com) site?

The 2 step method of including the following in your [Tomcat_base]/conf/web.xml before the closing tag

step 1: 
<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPSOnly</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

and setting the [Tomcat_base]/conf/server.xml connector settings:

step 2:
<Connector URIEncoding="utf-8" connectionTimeout="20000" port="80" protocol="HTTP/1.1" redirectPort="443"/>
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="[keystorelocation]" type="RSA" />
</SSLHostConfig>
</Connector>

Note: If you already did the https configuration and are trying to redirect, do step 1 only.

@Ehsan Sattari 2019-05-17 04:48:36

Take this code to your .htaccess file to redirect HTTP to HTTPS automatically:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

@Gricey 2019-05-17 05:07:00

Hi, thanks for the answer, what does your answer add which other existing answers don't have?

@appsntech 2019-12-27 16:58:01

On the similar type of question. Can anyone help with below question? stackoverflow.com/questions/59503217/…

@Husain Basrawala 2019-04-15 19:33:24

This redirects all the URLs to https and www

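# Redirect when the request is plain HTTP or the host is not www.example.com.
# The host is matched through %{HTTP_HOST}; mod_rewrite has no %{HTTPS_HOST} variable.
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [L,R=301]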

@aalesund 2019-03-20 08:32:53

 Redirect 301 / https://example.com/

(worked for me when none of the above answers worked)

Bonus:

ServerAlias www.example.com example.com

(fixed https://www.example.com not found)

@Intacto 2018-11-01 18:30:50

It works for me:

<IfModule mod_rewrite.c>
 RewriteEngine On
  RewriteCond %{HTTPS} !on
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

and, for example, http://server/foo?email=someone%40example.com redirects normally without any issues. The .htaccess file is located in the website root folder (for example, named public_html). It is possible to use RewriteCond %{SERVER_PORT} !^443$ instead of RewriteCond %{HTTPS} !on

@GiorgosK 2014-10-21 10:42:42

I found out that the best way for https and www on domain is

RewriteCond %{HTTPS} off 
RewriteCond %{HTTPS_HOST} !^www.example.com$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [L,R=301]

@MrWhite 2018-10-22 13:16:30

This won't redirect http://www.example.com/... because the two conditions are implicitly AND'd. They should be OR'd instead, ie. include the OR flag on the first condition (and remember to escape the literal dots in the regex). But if you are implementing HSTS then you don't want to redirect to HTTPS and www in a single redirect, you should redirect to HTTPS first.

@Aaron Franke 2019-01-06 03:23:39

Where do I put this text?

@appsntech 2019-12-27 16:58:12

On the similar type of question. Can anyone help with below question? stackoverflow.com/questions/59503217/…

@ScottyB 2018-07-06 22:31:52

If you're using an Amazon Web Services Elastic Load Balancer which accepts https traffic and routes it to your server(s) with http, the correct way to redirect all http traffic to https is described here: https://aws.amazon.com/premiumsupport/knowledge-center/redirect-http-https-elb

Use the X-Forwarded-Proto header (contains http or https) which is always included in http requests from the load balancer, as described here: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html

In the httpd.conf file:

<VirtualHost *:80>

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule .* https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]

</VirtualHost>

Or in your root .htaccess file:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule .* https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]

Bonus: it will not try to redirect http traffic on your local development machine.

@Oleg Apanovich 2018-07-03 20:36:43

I found a method to force all pages of my site to redirect from http to the analogous pages on https that works for me.

RewriteEngine On 
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

@ssc 2014-02-15 14:34:58

The Apache docs recommend against using a rewrite:

To redirect http URLs to https, do the following:

<VirtualHost *:80>
    ServerName www.example.com
    Redirect / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    # ... SSL configuration goes here
</VirtualHost>

This snippet should go into main server configuration file, not into .htaccess as asked in the question.

This article might have come up only after the question was asked and answered, but seems to be the current way to go.

@Ben 2014-05-20 01:17:30

This should be the current answer. But what exactly goes in the "SSL configuration"? A full example would be really helpful.

@ssc 2014-05-20 06:17:50

@Ben: that's a different question which is extensively documented online; incidentally, I just added an almost full example yesterday: serverfault.com/q/597012/26210 which might give you an idea of what goes in the SSL configuration

@peter_the_oak 2015-02-21 20:10:58

This is a great hint. But at the Apache doc also mentions: "In the case of the http-to-https redirection, the use of RewriteRule would be appropriate if you don't have access to the main server configuration file, and are obliged to perform this task in a .htaccess file instead." Which is the case for me...

@Triynko 2015-04-23 07:19:50

I'm not sure about apache, but with IIS, the rewrite rule is insufficient. It will still serve insecure content in spite of the redirect, but only in special cases where the browser cached files before the rule was in place. The rewrite rule should end the request and redirect to https, but in the case of serving simple files the redirect is just ignored by the browser, especially if its already connected to the site and trying to load a secure resource on an insecure page. I'm looking for an IIS equivalent solution to the one proposed here.

@Robert 2016-02-10 09:34:51

This will fail if you try to access a subfolder like "example.com/subfolder" where the redirect will remove the slash after domain name -> "example.comsubfolder". Solution: Redirect parameters should be quoted: Redirect "/" "https://www.example.com/"

@user1844933 2016-09-03 12:05:20

@ssc Is it an SEO-friendly redirect? Because in the previous method we'll use [R=301]

@BeetleJuice 2016-09-15 03:26:59

@user1844933 If you use the permanent keyword, the effect is the same (the browser receives a 301 redirect). Eg: Redirect permanent "/" "https://example.com"

@Rainer Rillke 2017-02-04 15:20:08

Of course, this snippet, which goes into Apache config (frequently named httpd.conf, apache2.conf or one of its includes in conf.d) and not into .htaccess like the question is tagged with, only works if you are not operating behind an SSL-termination proxy.

@Saichovsky 2017-03-20 15:21:39

Can someone do this: Redirect "/" "https://%{HTTP_HOST}%{REQUEST_URI}"?

@oldboy 2017-08-23 20:31:13

which file is the "main server configuration file" and where is it located??

@Wand Maker 2018-07-17 06:40:59

What can I do if I don't have domain name allocated for my server, and I rely on IP address only. In other words, I don't have a way to specify ServerName. And it is not one server, but many servers - where customers can install our product which has embedded Apache webserver - but we want to redirect all HTTP to HTTPS

@dstonek 2018-10-05 22:42:00

@Whitecat In Centos 6 the file is located at /etc/httpd/conf/httpd.conf

@HappyDog 2019-01-03 10:45:56

A good answer, but I'm downvoting as the wrong answer to this question, which is explicitly tagged as .htaccess, and asks for a .htaccess solution.

@Aaron Franke 2019-01-06 03:21:59

Is there any URL-agnostic way to do this? So that I don't have to include the name of my site in the file?

@F. Scott Gale 2017-10-28 15:00:39

If you are in a situation where you cannot access the apache config directly for your site, which many hosted platforms are still restricted in this fashion, then I would actually recommend a two-step approach. The reason why Apache themselves document that you should use their configuration options first and foremost over the mod_rewrite for HTTP to HTTPS.

First, as mentioned above, you would setup your .htaccess mod_rewrite rule(s):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Then, in your PHP file(s) (you need to do this where ever it would be appropriate for your situation, some sites will funnel all requests through a single PHP file, others serve various pages depending on their needs and the request being made):

<?php if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') { exit(1); } // HTTPS is unset (Apache) or 'off' (IIS) on plain HTTP ?>

The above needs to run BEFORE any code that could potentially expose secure data in an unsecured environment. Thus your site uses automatic redirection via HTACCESS and mod_rewrite, while your script(s) ensure no output is provided when not accessed through HTTPS.

I guess most people don't think like this, and thus Apache recommends that you don't use this method where possible. However, it just takes an extra check on the development end to ensure your user's data is secure. Hopefully this helps someone else who might have to look into using non-recommended methods due to restrictions on our hosting services end.

@SashaK 2017-02-06 21:53:55

Unless you need mod_rewrite for other things, using Apache core IF directive is cleaner & faster:

<If "%{HTTPS} == 'off'">
Redirect permanent / https://yoursite.com/
</If>

You can add more conditions to the IF directive, such as ensure a single canonical domain without the www prefix:

<If "req('Host') != 'myonetruesite.com' || %{HTTPS} == 'off'">
Redirect permanent / https://myonetruesite.com/
</If>

There's a lot of familiarity inertia in using mod_rewrite for everything, but see if this works for you.

More info: https://httpd.apache.org/docs/2.4/mod/core.html#if

To see it in action (try without www. or https://, or with .net instead of .com): https://nohodental.com/ (a site I'm working on).

@Roshan Padole 2016-12-17 09:23:49

Through .htaccess This will help.

RewriteEngine On


RewriteBase /
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

Also, Refer this for More Detail. How To Redirect Http To Https?

@Evochrome 2017-05-11 15:10:41

This is the to go solution for anyone who gets a "Too many redirects error" and can't change the allowOverride property.

@maikel 2016-09-11 09:14:47

The best solution depends on your requirements. This is a summary of previously posted answers with some context added.

If you work with the Apache web server and can change its configuration, follow the Apache documentation:

<VirtualHost *:80>
    ServerName www.example.com
    Redirect "/" "https://www.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    # ... SSL configuration goes here
</VirtualHost>

But you also asked if you can do it in a .htaccess file. In that case you can use Apache's RewriteEngine:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]

If everything is working fine and you want browsers to remember this redirect, you can declare it as permanent by changing the last line to:

RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

But be careful if you may change your mind on this redirect. Browsers remember it for a very long time and won't check if it changed.

You may not need the first line RewriteEngine On depending on the webserver configuration.

If you look for a PHP solution, look at the $_SERVER array and the header function:

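// $_SERVER['HTTPS'] is unset on plain HTTP under Apache and 'off' under IIS
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header("Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit; // stop here so the page is not also rendered over HTTP
}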

@Aaron Franke 2019-01-06 03:26:59

It seems that Apache documentation recommends against the Rewrite route. What about with Redirect? What else can go in a .htaccess file?

@maikel 2019-01-07 04:15:19

Yes, Redirect is preferred and can be used in .htaccess. But you cannot add the condition to only redirect http traffic to https. It redirects https as well -> infinite redirect loop. I listed it in the VirtualHost directive used for http (port 80) above, .htaccess doesn't support that directive and therefore Redirect can not be used here.

@starkeen 2016-07-02 13:46:39

To redirect all http requests to https , you can use :

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,L,R]

If mod-rewrite isn't enabled and you are on apache 2.4, you can also use a Redirect inside if directive to redirect http requests to https .

Apache 2.4.

<if "%{HTTPS} !~ /on/">
Redirect / https://www.example.com/
</if>

@OpenWebWar 2016-03-31 13:26:41

Using the following code in your .htaccess file automatically redirects visitors to the HTTPS version of your site:

RewriteEngine On

RewriteCond %{HTTPS} off

RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

If you have an existing .htaccess file:

Do not duplicate RewriteEngine On.

Make sure the lines beginning RewriteCond and RewriteRule immediately follow the already-existing RewriteEngine On.

@Aaron Franke 2019-01-06 03:27:13

What do L and R mean?

@Timothy Nwanwene 2015-04-29 23:20:09

This is the HTML redirect approach; it works but is not the best.

 <meta http-equiv="Refresh" content="0;URL=https://www.example.com" />

PHP approach

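<?php
function redirectTohttps() {
    // $_SERVER['HTTPS'] is unset on plain HTTP under Apache and 'off' under IIS
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        $redirect = "https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
        header("Location: $redirect");
        exit; // stop here so the page is not also rendered over HTTP
    }
}
// Call this before any output is sent
redirectTohttps();
?>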

.htaccess approach

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

copied from: www.letuslook.org

@Aaron Franke 2019-01-07 20:23:03

Where does .htaccess go? Also, that link is dead.

@AnarchyOutlaw 2016-02-22 16:22:20

This is the proper method of redirecting HTTP to HTTPS using .htaccess according to GoDaddy.com. The first line of code is self-explanatory. The second line of code checks to see if HTTPS is off, and if so it redirects HTTP to HTTPS by running the third line of code, otherwise the third line of code is ignored.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

https://www.godaddy.com/help/redirect-http-to-https-automatically-8828

@BertC 2015-07-17 11:41:20

A different edge to this problem is when a Load Balancer comes into play.

The situation is as follows:
- Traffic from browser to Load Balancer, and back, is (should be) HTTPS
- Traffic between Load Balancer and actual WebServer is HTTP.

So, all server request variables in PHP or Apache show that the connection is just HTTP. And the HTTP and HTTPS directories on the Server are the same.

The RewriteCondition in the approved answer does not work. It gives either a loop or it just doesn't work.

Question is: How to get this working on a Load Balancer.

(Or is the Load Balancer configured wrong. Which is what I'm hoping for because then I can move the problem over to the WebHosting company :-) )

@marc82ch 2015-08-07 08:25:24

The redirection would just have to happen on the load balancer instead. Depending on the type of load balancer, this should be possible in the config, or it is an apache instance itself, where the accepted answer would work. Just don't do it on the single nodes.

@Reese Moore 2010-11-03 00:16:47

Update: Although this answer has been accepted a few years ago, note that its approach is now recommended against by the Apache documentation. Use a Redirect instead. See this answer.


RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Source

@Bruno 2010-11-03 13:57:12

@Cat, as I was saying in my answer/comments, if you're trying to "redirect all insecure HTTP [...] to HTTPS", this approach will not make those requests secure, it will just make the browser make them twice, once insecure and once secure.

@Reese Moore 2013-10-13 00:18:14

What you should really be doing is using HSTS in concert with this.

@NickG 2014-06-10 09:55:36

@Bruno but typically (eg on a login page) the first load of the page doesn't send or receive any sensitive data so this approach is still fine as the user will be sent to HTTPS before they submit their username/password?

@Bruno 2014-06-10 11:03:12

@NickG, sure, when the user types the initial request in the location bar, but having such a redirection in place also applies to http:// links to your own site from your https:// pages, which are a bug then hard to detect. The problem also applies to API clients.

@Samarth Agarwal 2014-08-19 11:44:34

If the browser makes the same requests twice, does this mean that the website will be slow in opening? I used this code and my site opens so slow.

@psmears 2015-03-30 19:26:21

This may be a bug in my version of apache (2.4.6 as packaged in Centos 7), but this has issues for me on certain URLs. For example, http://server/foo?email=someone%40example.com redirects to https://server/foo?email=someone%2540example.com i.e. the "@" sign gets URL-quoted twice. Using the method in @ssc's answer does not have this issue.

@StephenG 2015-07-22 19:51:38

It's sad that @ReeseMoore, an intelligent man, is most recognized on StackOverflow for something that a highly intelligent seahorse could Google

@William Entriken 2015-11-06 04:17:57

This answer does not have [L] which is required in some instances to avoid combining with other redirects you may have active on your site.

@Clifton Labrum 2016-02-09 21:53:03

Any particular reason you used !on instead of off? :)

@Parag 2016-06-01 03:43:34

<VirtualHost *:80> ServerName www.example.com Redirect "/" "example.com" </VirtualHost> worked. From the link you had provided, thanks

@FredTheWebGuy 2016-08-07 23:48:46

Wrong answer. It will only redirect the base url, not urls in subfolders. RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] is the correct answer

@Félix Gagnon-Grenier 2017-06-23 17:45:37

@StephenG Condescension aside, what do you think is the top result when googling? Yes, you got it, this very answer.

@StephenG 2017-06-23 17:59:55

@FélixGagnon-Grenier I'm also a good friend of Reese's, just giving him some crap :-)

@Félix Gagnon-Grenier 2017-06-23 18:11:18

Oh, I see. Well, I'm always for friendly crap ;)

@gavin 2017-08-10 17:40:21

Hi, I have added this in, but having since taken it out it still appears to be working, is it cached? Please help I can't turn it off!

@Adam 2018-08-23 11:30:57

They don't necessarily recommend against it: In the case of the http-to-https redirection, the use of RewriteRule would be appropriate if you don't have access to the main server configuration file, and are obliged to perform this task in a .htaccess file instead.

@Vadim Anisimov 2018-10-30 09:23:57

The answer doesn't mention one thing - any code for redirection has to be placed right at the beginning of your .htaccess file, BEFORE anything else, if you want all the pages be redirected to https.

@Intacto 2018-11-01 18:18:34

I use this: RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] and it does not have issues with server/foo?email=someone%40example.com

@Bhavin 2019-01-12 12:46:28

It will only redirect the Base URL, not URLs in all other subfolders. I think stackoverflow.com/a/26484741/4952944 is a more relevant answer.

@Jared Eddy 2019-11-06 23:49:34

This answer should be updated to include the comment by @Adam as that's directly from the apache documentation. So unless you have full control of your server which most people don't you would still use this method.

@appsntech 2019-12-28 06:49:49

anyone help me with below please ? stackoverflow.com/questions/59503217/… @ReeseMoore Can you please help me on this ?

@Waqas 2015-08-21 22:23:39

Do everything that is explained above for redirection. Just add "HTTP Strict Transport Security" to your header. This will avoid man in the middle attack.

Edit your apache configuration file (/etc/apache2/sites-enabled/website.conf and /etc/apache2/httpd.conf for example) and add the following to your VirtualHost:

# Optionally load the headers module:
LoadModule headers_module modules/mod_headers.so

<VirtualHost 67.89.123.45:443>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
</VirtualHost>

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
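
Added example, not part of the original answer: a check over a recorded redirect chain for the points raised on this page (a permanent redirect, HTTPS on the same host before any www change as noted in the comment about HSTS above, and an HSTS header on the HTTPS responses). The two chains are constructed sample data, and the function names and finding labels are illustrative.

```python
from urllib.parse import urljoin, urlsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None when max-age is unusable."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not (arg.isascii() and arg.isdigit()):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def audit_chain(hops):
    """hops: (url, status, headers) tuples in the order the client saw them."""
    findings = []
    for url, status, headers in hops:
        headers = {k.lower(): v for k, v in headers.items()}
        here = urlsplit(url)
        hsts = headers.get("strict-transport-security")
        if here.scheme == "http":
            if hsts:
                # Browsers ignore HSTS received over plain HTTP (RFC 6797).
                findings.append((url, "hsts-sent-over-http"))
            if status not in (301, 302, 303, 307, 308):
                findings.append((url, "http-not-redirected"))
                continue
            target = urlsplit(urljoin(url, headers.get("location", "")))
            if target.scheme != "https":
                findings.append((url, "redirect-stays-on-http"))
            elif target.hostname != here.hostname:
                # The typed host never answers over HTTPS, so it never
                # gets a chance to set its own HSTS policy.
                findings.append((url, "https-and-host-changed-in-one-hop"))
            if status not in (301, 308):
                findings.append((url, "redirect-not-permanent"))
        else:
            policy = parse_hsts(hsts) if hsts else None
            # max-age=0 tells the browser to drop the policy.
            if policy is None or policy["max_age"] == 0:
                findings.append((url, "https-response-without-hsts"))
    return findings


# Constructed sample data: HTTPS first on the same host, then the www change.
HSTS = "max-age=63072000; includeSubdomains; preload"
STAGED_CHAIN = [
    ("http://example.com/login", 301, {"Location": "https://example.com/login"}),
    ("https://example.com/login", 301,
     {"Location": "https://www.example.com/login", "Strict-Transport-Security": HSTS}),
    ("https://www.example.com/login", 200, {"Strict-Transport-Security": HSTS}),
]

# Constructed sample data: HTTPS and www combined, temporary status,
# HSTS set only on the HTTP response.
COMBINED_CHAIN = [
    ("http://example.com/login", 302,
     {"Location": "https://www.example.com/login",
      "Strict-Transport-Security": "max-age=63072000"}),
    ("https://www.example.com/login", 200, {}),
]

if __name__ == "__main__":
    for name, chain in (("staged", STAGED_CHAIN), ("combined", COMBINED_CHAIN)):
        print(name, audit_chain(chain))
```
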

@David 2014-12-29 23:05:37

I'd recommend with 301 redirect:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

@billynoah 2015-12-22 07:24:07

thanks, this works for me, the accepted answer does not.. probably due to lack of [L]

@FredTheWebGuy 2016-08-07 23:47:28

Yep. This is the correct answer since it also routes all urls in subfolders, too

@CodyBugstein 2017-02-03 14:09:20

Is this at the top level of the htaccess file?

@Daan van den Bergh 2017-04-06 09:27:05

@CodyBugstein That's where I always place it, and it always works.

@Vadim Anisimov 2018-10-30 09:23:02

All answers lack one thing - any code for redirection has to be placed right at the beginning of your .htaccess file, BEFORE anything else, if you want all the pages be redirected to https.

@Aaron Franke 2019-01-06 03:24:13

What does the R and L mean?

@Cory 2014-11-21 08:37:25

I like this method of redirecting from http to https. Because I don't need to edit it for each site.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

@Aaron Franke 2019-01-06 03:23:26

Where do I put this text?

@Sourabh 2014-09-28 15:44:39

Add the following code to the .htaccess file:

Options +SymLinksIfOwnerMatch
RewriteEngine On
RewriteCond %{SERVER_PORT} !=443
RewriteRule ^ https://[your domain name]%{REQUEST_URI} [R,L]

Where [your domain name] is your website's domain name.

You can also redirect specific folders off of your domain name by replacing the last line of the code above with:

RewriteRule ^ https://[your domain name]/[directory name]%{REQUEST_URI} [R,L]

@Aaron Franke 2019-01-06 03:27:26

What do L and R mean?

@Bruno 2010-11-03 00:36:51

As I was saying in this question, I'd suggest you avoid redirecting all HTTP requests to their HTTPS equivalent blindly, as it may cause you a false impression of security. Instead, you should probably redirect the "root" of your HTTP site to the root of your HTTPS site and link from there, only to HTTPS.

The problem is that if some link or form on the HTTPS site makes the client send a request to the HTTP site, its content will be visible, before the redirection.

For example, if one of your pages served over HTTPS has a form that says <form action="http://example.com/doSomething"> and sends some data that shouldn't be sent in clear, the browser will first send the full request (including entity, if it's a POST) to the HTTP site first. The redirection will be sent immediately to the browser and, since a large number of users disable or ignore the warnings, it's likely to be ignored.

Of course, the mistake of providing the links that should be to the HTTPS site but that end up being for the HTTP site may cause problems as soon as you get something listening on the HTTP port on the same IP address as your HTTPS site. However, I think keeping the two sites as a "mirror" only increases the chances of making mistakes, as you may tend to make the assumption that it will auto-correct itself by redirecting the user to HTTPS, whereas it's often too late. (There were similar discussions in this question.)
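
Added example, not part of the original answer: one way to catch the links and form actions described above before a redirect hides them, by scanning the HTML of an HTTPS page for references that resolve to http:// on the site's own hosts. The sample page, host list and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes that make a browser issue a request or navigation.
URL_ATTRS = {"form": ("action",), "a": ("href",), "link": ("href",),
             "script": ("src",), "img": ("src",), "iframe": ("src",)}


class CleartextRefFinder(HTMLParser):
    """Collect references on an HTTPS page that point at http:// on own hosts."""

    def __init__(self, page_url, own_hosts):
        super().__init__()
        self.page_url = page_url
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in URL_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # Resolve relative and protocol-relative URLs against the page URL.
            target = urlsplit(urljoin(self.page_url, value.strip()))
            if target.scheme != "http" or target.hostname not in self.own_hosts:
                continue
            if tag == "form":
                # Form fields travel in the first, unencrypted request.
                method = (attrs.get("method") or "get").lower()
                exposed = "POST body" if method == "post" else "query string"
            else:
                exposed = "URL"
            line, _col = self.getpos()
            self.findings.append((line, tag, target.geturl(), exposed))


def find_cleartext_refs(html, page_url, own_hosts):
    """Return (line, tag, url, what is sent in clear) for each finding."""
    finder = CleartextRefFinder(page_url, own_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page, as it would be served from https://www.example.com/checkout
OWN_HOSTS = {"example.com", "www.example.com"}
SAMPLE_HTML = """\
<html><body>
<form action="http://example.com/doSomething" method="post">
  <input name="card">
</form>
<a href="/account">relative link, stays on HTTPS</a>
<a href="http://www.example.com/help">absolute link to own site over HTTP</a>
<img src="//www.example.com/logo.png">
<a href="http://other.test/">third-party link, out of scope</a>
<form action="http://example.com/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    page = "https://www.example.com/checkout"
    for finding in find_cleartext_refs(SAMPLE_HTML, page, OWN_HOSTS):
        print(finding)
```

Running this over rendered pages in a test environment where the HTTP-to-HTTPS redirect is switched off makes the same mistakes fail visibly instead of being silently redirected.
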

@Derek Litz 2013-04-25 15:36:48

When making the decision to serve an entire site as HTTPS, this sort of redirection makes sense. I don't want a user to get a 403 because they specified http for their landing page. I do agree if someone DOES specify http in a link and deploys it to production that IS bad. It SHOULD be caught during testing, even with the redirection in place. I don't like the "could" argument because this "could" happen without the redirection in place. The symptoms are the same when testing in a secure browser, except after confirming to send in the clear it redirects instead of receiving a 403.

@Daniel Lubarov 2014-01-27 21:52:57

Yeah, I see the benefit of failing hard if someone mistakenly puts http in a form action, but being lenient with typed-in URLs seems more important in most cases.

@Bruno 2014-01-27 22:06:16

@Daniel, I agree it's useful to be lenient when users type in the URL. I'd say it's one of the cases where it's better to have this feature off during development/testing but turn it on on production (or in the last stages of development/testing).

@Muhammad Umer 2015-01-18 03:18:58

why not do http to https at dns.

@Bruno 2015-01-18 10:32:24

@MuhammadUmer, because this has nothing to do with DNS. They'd be using the same host name in general, but even with a different host name, you'd still need to change protocol and port.

@Muhammad Umer 2015-01-18 19:21:16

ok so there is no way to convert http to https with cname/aaa/etc.

@jinzai 2016-09-14 15:34:14

It does have to do with DNS when subdomains and certificates are involved, however. When you fake subdomains by rewriting URLS instead of using DNS records, especially with normal certificates involved, you get certificate errors in the browser. There are now certificates that apply to both the domain and subdomains, but -- the user typo loophole is exactly what hackers are looking for in the first place. Poking holes in security is never a good idea, no matter how awesome your server code is.

@vcsjones 2010-11-03 00:16:12

If you are using Apache, mod_rewrite is the easiest solution, and has a lot of documentation online how to do that. For example: http://www.askapache.com/htaccess/http-https-rewriterule-redirect.html
