How do I force all connections to my website to use SSL?

If you have an SSL certificate for www.example.com, and you have a website that requires a username and password to access any pages on the site, you may wish to make sure that all connections to your site always use SSL.

How do I force SSL connections for all pages?

Be sure your site has an SSL certificate before trying this.

Before you try anything below, verify that your site works when you view it in a browser using https:// at the beginning of the URL, like https://www.example.com/. If it doesn’t work like that, it won’t work if you force it using these instructions, either.

See our overview page explaining how to get started with SSL if you need it.

If you’re using WordPress, you should first log in to the WordPress dashboard, click Settings > General, and change both the “WordPress Address (URL)” and “Site Address (URL)” so that they begin with https:// (that is, add an s after “http” and before the colon). That will make WordPress “prefer” SSL. You can then use either the Really Simple SSL or WP Force SSL plugin to ensure that every visitor sees only SSL pages.

If you’re not using WordPress, or you want to do this manually without any plugins, add a .htaccess file to the top level of your website containing these three lines:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule .* https://www.example.com%{REQUEST_URI} [redirect=302,last]

With those lines in a .htaccess file, any requests starting with “http://” will be redirected to secure requests starting with “https://”.

The “redirect=302” tells search engines that this change is “temporary”, which is safest if you think you may switch back to non-SSL in the future. If you want search engines to permanently show only SSL links for your site (which forces you to use SSL forever to keep search engine links working), you can use “redirect=301” instead, like this:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule .* https://www.example.com%{REQUEST_URI} [redirect=301,last]

If you have trouble adding these lines yourself, we can set this up for you if you contact us and ask.

Is there an easier way to do this for only the WordPress dashboard?

If you use WordPress, there’s a way to make WordPress force SSL connections for the dashboard (only) if you’re having trouble making the whole site use SSL. You’d add this to your “wp-config.php” file, before the line that says “That's all, stop editing”:

define('FORCE_SSL_ADMIN', true);

The WordPress Administration Over SSL page has more details about “FORCE_SSL_ADMIN”.

Can I force just a single page to use SSL?

In theory, you can restrict these kinds of redirects to certain URLs if that’s appropriate. For example, this combination redirects only insecure requests for URLs beginning with “http://www.example.com/checkout”:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^checkout https://www.example.com%{REQUEST_URI} [last]

However, if it’s only a single page you care about, it’s usually easier to just make sure you’ve fixed all the links to this page to correctly point to the “https” version of the page in the first place.

For example, if you have a “checkout” or “cart” page on your site, make sure that all your links to that page begin with https:// in the first place. If you do this, you won’t need to force it using RewriteRules.

Should I do things differently if I have a password protected directory?

If you’re trying to force SSL for a password protected directory, you might want to do things a different way than the “RewriteRule” method described above.

The reason is that if you use “RewriteRule”, it redirects visitors to the SSL version of the page only after it’s already asked for the password insecurely.

The recommended way to make this secure is to use these two lines in a .htaccess file inside the password protected directory instead:

SSLRequireSSL
ErrorDocument 403 https://www.example.com/directory/

(Be sure to replace “directory” with the actual URL of the protected directory.)

This tip works because the “SSLRequireSSL” command forces the Apache Web server to generate a 403 error instead of requesting a password if the page is accessed without SSL. The second “ErrorDocument 403” line forces the error to be handled as a redirect to the secure “https” URL you specify.

You could limit this to an individual file using FilesMatch, like this:

<FilesMatch wp-login.php>
  SSLRequireSSL
  ErrorDocument 403 https://www.example.com/wp-login.php
</FilesMatch>
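
The difference between the two approaches shows up in what the server answers to a plain http:// request. The following is an added example (not Tiger Technologies' code) that classifies such a response; the function names and both sample responses are constructed for illustration, and the same check also distinguishes the 301 and 302 redirects described earlier.

```python
# Added example: classify what a server answers to a plain http:// request.
# The sample responses are constructed for illustration, not captured traffic.

def parse_response(raw):
    """Split a raw HTTP response head into (status_code, {header: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify_plain_http(raw):
    """Describe how a plain-HTTP response treats the visitor."""
    status, headers = parse_response(raw)
    if status == 401 and "www-authenticate" in headers:
        # The browser answers this prompt by sending the password unencrypted.
        return "password-prompt-over-http"
    if status in (301, 302, 303, 307, 308):
        if not headers.get("location", "").lower().startswith("https://"):
            return "redirect-not-https"
        if status in (301, 308):
            return "permanent-redirect-to-https"
        return "temporary-redirect-to-https"
    return "served-over-http"

# Constructed: protected directory where only the RewriteRule is in place.
REWRITE_RULE_ONLY = """
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Members"
"""

# Constructed: same directory with SSLRequireSSL plus ErrorDocument 403 <https URL>.
SSL_REQUIRE_SSL = """
HTTP/1.1 302 Found
Location: https://www.example.com/directory/
"""

if __name__ == "__main__":
    for label, raw in [("RewriteRule only", REWRITE_RULE_ONLY),
                       ("SSLRequireSSL", SSL_REQUIRE_SSL)]:
        print(f"{label}: {classify_plain_http(raw)}")
```

To check a live site, paste the response head printed by a plain-HTTP request to the protected URL into `classify_plain_http`.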

How can I prevent search engines from indexing SSL versions of my pages?

Some people want to do the opposite of all this: prevent search engines from discovering and indexing SSL links to their pages.

To do this, add this line to your site’s .htaccess file:

Header set X-Robots-Tag noindex env=HTTPS

This Header set command causes the Apache Web server to send an extra “X-Robots-Tag: noindex” header for all SSL requests, preventing search engines like Google from indexing these URLs.

What about “HSTS”?

A new Internet standard called “HSTS” (HTTP Strict Transport Security) offers a different way to do the same thing, both for the current request and for future requests to the same hostname.

The syntax to do this in a .htaccess file is:

# Send both directives in a single header value, separated by a semicolon.
Header set Strict-Transport-Security "max-age=500; includeSubDomains"
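
HSTS directives are separated by semicolons (RFC 6797), so a value whose parts are joined with a comma, which is how Apache's `Header append` merges values, does not parse as a valid policy. The following added example (not part of the original page; `parse_hsts` and `check` are hypothetical names) validates a header value the way that grammar requires, so you can test the value your server actually sends.

```python
# Added example: validate a Strict-Transport-Security value (RFC 6797 grammar).

def parse_hsts(value):
    """Return (max_age_seconds, include_subdomains) or raise ValueError."""
    seen = {}
    for part in value.split(";"):          # directives are ';'-separated
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        if name in seen:
            raise ValueError(f"directive repeated: {name}")
        # Values may be quoted; a directive without '=' has no value.
        seen[name] = arg.strip().strip('"') if sep else None
    age = seen.get("max-age")
    if age is None:
        raise ValueError("required max-age directive is missing")
    if not (age.isascii() and age.isdigit()):
        raise ValueError(f"max-age is not a number of seconds: {age!r}")
    if seen.get("includesubdomains") is not None:
        raise ValueError("includeSubDomains takes no value")
    # Unknown directives are ignored, as the RFC requires.
    return int(age), "includesubdomains" in seen

def check(value):
    """Return the parsed policy, or the reason the value is rejected."""
    try:
        return parse_hsts(value)
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    for sample in ("max-age=500; includeSubDomains",   # semicolon-separated
                   "max-age=500, includeSubDomains",   # comma-joined
                   "includeSubDomains"):               # no max-age
        print(f"{sample!r}: {check(sample)}")
```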