Redirecting HTTP visitors to HTTPS

Rationale

HTTPS is gradually superseding HTTP as the chosen method of accessing websites.  The latest versions of Google’s “Chrome” browser, by default, warn users that they are accessing an “insecure” website when they use unencrypted HTTP.  As of this writing, the pre-beta version of Mozilla’s “Firefox” browser (Firefox Nightly) includes an option for the user to enable the same behaviour.

This means that, even if your site is not an e-commerce website, site visitors may be put off using it.  The answer is to install an SSL/TLS Certificate, signed by a Certificate Authority, on your web server.  This enables encryption of all data exchanged between your web server and the web browser, and the browser will then display the “HTTPS://” method in green in the address bar.

However, in certain circumstances, such as the presence of old Google links or outdated links from other sites, your server may continue to receive both HTTP and HTTPS requests, even after it is set up to serve content via HTTPS.  This may also affect the search engine ranking of your website.  In this case, you must redirect HTTP requests to HTTPS.  The generally recommended way to do this is via the .htaccess file, an auxiliary configuration file for the Apache web server.

Location of file

.htaccess is a per-directory file, and controls the configuration of all web pages held at the same directory level or below.  Placing a .htaccess file at the document root level will affect all web content in the site.  However, if there is a .htaccess file in a lower directory, then its directives may override those held in the root level file, if they conflict, for web content at or below that lower level.

A simple example relevant to some cPanel setups is as follows.  Say your document root has been set to:

/home/somesite/public_html/

Then a .htaccess file placed in the above directory would govern redirects and other settings for all of the website.  In many cases, if you list the files in the document root directory, you will find a .htaccess file already there (you must include hidden files in your listing, such as with the command “ls -la” in Linux).

If you have an existing .htaccess file that you intend to change, it is always best to make a backup copy before beginning your editing.  If the results of your configuration change are not as expected, then you can restore things to their previous state with the backup copy.

Directives providing HTTP to HTTPS redirection

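# Enable mod_rewrite processing for this directory
RewriteEngine On
# Act only on requests that arrived on port 80 (anchored so that 8080 etc. do not match)
RewriteCond %{SERVER_PORT} ^80$
# Act only on the intended domain, with or without the www. prefix
RewriteCond %{HTTP_HOST} ^(www\.)?somesite\.com
# Permanently redirect to the HTTPS URL, keeping the rest of the original URL
RewriteRule ^(.*)$ https://www.somesite.com/$1 [R=301,L]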

The above Apache configuration code first checks the port number to which the request was directed and then checks that the host name in the request matches the domain for which you intend redirects to be implemented.  Following that, it prefixes the remainder of the original URL with your preferred URL scheme and host name or domain name, and applies the Status Code flag R=301, which will tell browsers and search engines that the new URL can be cached and given priority over the old URL.  If the R-flag value were left blank in this code, Apache would use a Status Code of 302, a temporary redirect would be indicated, and you could expect continued requests via the old, unsecured HTTP scheme.

Final testing and remarks

Once the above stanza has been inserted into .htaccess and the file saved, the Apache web server will read it automatically and implement the changes.  You should then open a browser, clear its cache and try to load the website via unsecured HTTP.  The expected result is that you are redirected to the HTTPS version of the website.  Because a Status Code of 301 (permanent redirect) has been applied, search engines will now drop their references to the HTTP URL and the HTTPS URL will remain as the given link to your site.  In particular, Google now ranks HTTPS URLs above otherwise identical HTTP URLs and, as mentioned at the start of this article, it may benefit your visitor retention to have the unsecured HTTP URL removed in this way from the search engine listings.
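
The browser test described above can also be scripted, which avoids being misled by a cached redirect.  The following is an added example, not part of the original article: it sends one plain-HTTP request without following the redirect and checks the status code and Location header against what the stanza should produce.  The function names, the sample responses and the path /shop/item?id=7 are constructed for illustration; www.somesite.com is the article's placeholder domain.

```python
import http.client
import sys
from urllib.parse import urlsplit

EXPECTED_HOST = "www.somesite.com"  # the article's placeholder domain
# Constructed sample responses (status, Location) to a request for SAMPLE_PATH
SAMPLE_PATH = "/shop/item?id=7"
SAMPLES = {
    "correct": (301, "https://www.somesite.com/shop/item?id=7"),
    "R flag without a value": (302, "https://www.somesite.com/shop/item?id=7"),
    "no redirect rule": (200, None),
    "path dropped": (301, "https://www.somesite.com/"),
}

def fetch_redirect(host, path="/", port=80, timeout=5):
    """GET path over plain HTTP; return (status, Location) without following it."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def check_redirect(status, location, path, expected_host):
    """Return a list of problems; an empty list means the redirect is as intended."""
    problems = []
    if status in (302, 303, 307):
        problems.append(f"temporary redirect ({status}): R=301 is not taking effect")
    elif status != 301:
        problems.append(f"status {status}, expected 301")
    if not location:
        return problems + ["no Location header"]
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"Location scheme is {target.scheme!r}, expected 'https'")
    if (target.hostname or "").lower() != expected_host.lower():
        problems.append(f"Location host is {target.hostname!r}, expected {expected_host!r}")
    # The rule appends the original path, and mod_rewrite carries the query string over
    got = target.path + ("?" + target.query if target.query else "")
    if got != path:
        problems.append(f"path changed from {path!r} to {got!r}")
    return problems

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: python check_redirect.py HOST [PATH]
        host, path = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else "/")
        print(check_redirect(*fetch_redirect(host, path), path, EXPECTED_HOST) or "OK")
    else:  # offline: evaluate the constructed samples
        for name, (st, loc) in SAMPLES.items():
            print(name, check_redirect(st, loc, SAMPLE_PATH, EXPECTED_HOST) or "OK")
```

Run with no arguments it evaluates the constructed samples; given a host name it checks the live server, so test both the bare and the www. form of your domain.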