How do I make sure that all connections to my Web site use SSL?
If you have a dedicated SSL certificate for www.example.com, and you have a Web site that requires a username and password to access any pages on the site, you may wish to make sure that all connections to your site always use SSL.
On this page:
- What are the drawbacks of forcing SSL connections?
- How do I force SSL connections?
- Is there an easier way to do this for WordPress?
- Should I do things differently if I have a password protected directory?
- What about “HSTS”?
What are the drawbacks of forcing SSL connections?
You shouldn’t do this unless you absolutely need to make every single connection secure. First of all, it makes your pages load more slowly. Also, some search engines will not index secure Web pages, so this may harm your search engine rankings.
Instead, the usual way to do this is to change your site slightly, making certain links on your pages start with “https://” instead of “http://”. For example, if you have a link to a “Checkout” page that accepts credit card numbers, you would make sure that link begins with “https://” to ensure that it’s secure.
How do I force SSL connections?
If you want to do it anyway, you can do so by adding a .htaccess file to the top level of your Web site containing these three lines:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule .* https://www.example.com%{REQUEST_URI} [last]
With those lines in a .htaccess file, any requests starting with “http://” will be redirected to secure requests starting with “https://”.
You can limit the redirects to certain URLs if that’s appropriate, which usually causes fewer problems. For example, this combination only redirects insecure requests for URLs beginning with “http://www.example.com/checkout”:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^checkout https://www.example.com%{REQUEST_URI} [last]
If you have trouble adding these lines yourself, we can set this up for you if you contact us.
Is there an easier way to do this for WordPress?
If you use WordPress, there’s an easy way to make WordPress force SSL connections for the administration area. You’d add this to your “wp-config.php” file:
define('FORCE_SSL_ADMIN', true);
The WordPress Administration Over SSL page has more details about this.
Should I do things differently if I have a password protected directory?
If you’re trying to force SSL for a password protected directory, you might want to do things a different way than the “RewriteRule” method described above.
The reason is that if you use “RewriteRule”, it redirects visitors to the SSL version of the page only after it’s already asked for the password insecurely.
The recommended way to make this secure is to use these two lines in a .htaccess file inside the password protected directory instead:
SSLRequireSSL
ErrorDocument 403 https://www.example.com/directory/
(Be sure to replace “directory” with the actual URL of the protected directory.)
This tip works because the “SSLRequireSSL” command forces the Apache Web server to generate a 403 error instead of requesting a password if the page is accessed without SSL. The second “ErrorDocument 403” line forces the error to be handled as a redirect to the secure “https” URL you specify.
You could limit this to an individual file using FilesMatch, like this:
<FilesMatch wp-login.php>
SSLRequireSSL
ErrorDocument 403 https://www.example.com/wp-login.php
</FilesMatch>
What about “HSTS”?
An experimental Internet standard called “HSTS” (HTTP Strict Transport Security) offers a different way to do the same thing.
We don’t recommend this method yet because it’s not supported by all browsers, but for advanced technical users, the syntax to do it in a .htaccess file is:
# max-age is in seconds. Both directives belong in one header value separated by ";":
# adding includeSubDomains with a second "Header append" line would join them with a
# comma instead, which is not valid HSTS syntax and browsers will not honour it.
Header set Strict-Transport-Security "max-age=500; includeSubDomains"
If you try this and it doesn’t work for any reason, we recommend the approach at the top of this page instead.
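If you want to confirm that the redirect from the “How do I force SSL connections?” section and the HSTS header above are actually doing what you expect, the following checker is an added example (it is not part of this FAQ, and not code from the hosting provider). It uses only the Python standard library; the hostname given on the command line is assumed to be a site you administer. `check_redirect()` judges whether a plain-http request was answered with a redirect to the same https URL with the path preserved, and `parse_hsts()` validates a Strict-Transport-Security value the way RFC 6797 defines it (directives separated by “;”, numeric max-age), so it flags the comma that Apache’s “Header append” would produce.

```python
# Added example, not from the original FAQ: an offline-testable checker for the
# http -> https redirect and for the Strict-Transport-Security header. The hostname
# passed on the command line is assumed to be a site you administer.
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse


def parse_hsts(value):
    """Parse an HSTS header value; returns max_age, include_subdomains and a list of errors."""
    result = {"max_age": None, "include_subdomains": False, "preload": False, "errors": []}
    if "," in value:
        # Apache's 'Header append' joins two values with ', '. HSTS directives must be
        # separated by ';', so a comma means the header was assembled from two directives.
        result["errors"].append("comma in value; HSTS directives must be ';'-separated")
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if result["max_age"] is not None:
                result["errors"].append("duplicate max-age directive")
            elif not val.isdigit():
                result["errors"].append("max-age must be a number of seconds, got %r" % val)
            else:
                result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # RFC 6797 says unknown directives are ignored, so anything else is skipped.
    if result["max_age"] is None:
        result["errors"].append("no usable max-age; browsers ignore the header")
    return result


def check_redirect(status, location, requested_url):
    """Return (ok, reason) for the response a plain-http request received."""
    if status not in (301, 302, 307, 308):
        return False, "expected a redirect, got HTTP %d" % status
    if not location:
        return False, "redirect without a Location header"
    want, got = urlparse(requested_url), urlparse(location)
    if got.scheme != "https":
        return False, "redirect target is not https: %s" % location
    if got.hostname != want.hostname:
        return False, "redirect changes host from %s to %s" % (want.hostname, got.hostname)
    # The RewriteRule on the page uses %{REQUEST_URI}, so path and query should survive.
    if (got.path or "/") != (want.path or "/") or got.query != want.query:
        return False, "redirect does not preserve the requested path/query"
    return True, "http -> https redirect looks right"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the first response can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url):
    """Return (status, headers) for one request without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.getcode(), resp.headers
    except urllib.error.HTTPError as err:  # 3xx and 4xx arrive here with their headers
        return err.code, err.headers


def main(host):
    http_url = "http://%s/" % host
    status, headers = fetch(http_url)
    ok, reason = check_redirect(status, headers.get("Location"), http_url)
    print("redirect:", reason)
    status, headers = fetch("https://%s/" % host)
    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        print("hsts: no Strict-Transport-Security header on the https response")
    else:
        print("hsts:", hsts, "->", parse_hsts(hsts)["errors"] or "well-formed")
    return ok


if __name__ == "__main__":
    sys.exit(0 if main(sys.argv[1]) else 1)
```

Run it as `python3 check_ssl.py www.example.com` (with your own hostname). The exit status reflects only the redirect check; the HSTS result is printed because the page treats HSTS as optional. The host comparison is deliberately strict: a redirect that also changes “example.com” to “www.example.com” is common and harmless, but this checker reports it so you can decide whether it is intended.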
