How do I force all connections to my website to use SSL?
This page explains how to make all connections to your site always use SSL/TLS (and show as “secure” in web browsers).
On this page:
- Before you start
- Redirecting to the SSL version of the site
- Can I also use “HSTS”?
- Should I do anything more if I have a password protected directory?
Before you start
- If you’re using WordPress, you should first login to the WordPress dashboard, click Settings > General, and change both the “WordPress Address (URL)” and “Site Address (URL)” so that they begin with https:// (that is, add an “s” after “http” and before the colon if it currently starts with “http://”). That will make WordPress “prefer” SSL.
- If you’re not using WordPress, try to make sure that any URLs in the HTML code of your pages begin with https:// — again, add an “s” after “http” and before the colon if the URL starts with “http://”.
Then make sure your site works properly. If it does, you can add a “redirect” as described below. If it doesn’t, our page explaining how to fix SSL problems page can help you get it working.
Redirecting to the SSL version of the site
Be sure your site has fully working SSL before doing this.
Before you do this, verify that your entire site works when you view it in a browser using https:// at the beginning of the URL, like https://www.example.com/, as described above. If it doesn’t fully work like that, including showing a padlock icon in the address bar as well as showing all the images and content you expect, it won’t work if you force it using these instructions, either — in fact, following these instructions may make parts of your site not load at all.
To force browsers to connect to the SSL version of your site, add a “redirect”:
- Login to the “My Account” control panel (having trouble?)
- Click Redirections
- Click Add New Redirect
- Choose the option to Redirect non-SSL requests to SSL
Doing this also adds a Content-Security-Policy: upgrade-insecure-requests HTTP response header that tells browsers to try to convert non-SSL requests to SSL for all content it loads from the current page. That helps modern web browsers use SSL for all your page resources, avoiding “partially secure” or “mixed content” warnings.
Can I also use “HSTS”?
An Internet standard called “HSTS” (HTTP Strict Transport Security) gives site owners a way to force browsers to use SSL for future requests to the same site after they’ve been redirected once. Most sites don’t need it, but it can avoid some redirects and increase security by making sure browsers never try to request non-SSL pages on a site. The drawback is that if you later move your site somewhere that doesn’t support SSL, browsers won’t be able to access it at all until the HSTS time expires.
If you add the redirect described in the section above, we automatically set a Strict-Transport-Security: max-age=300 header. Starting with a small number of seconds like this matches the “Deployment Recommendations” section of Google’s HSTS preload page. You can increase the number with a custom .htaccess file rule like this if you want:
Header set Strict-Transport-Security "max-age=31536000"
Should I do anything more if I have a password protected directory?
If you’re trying to force SSL for a password protected directory, you might need to take an extra step. The reason is that if you use a normal redirect, it redirects visitors to the SSL version of the page only after the browser has already asked for the password insecurely.
The recommended way to make this secure is to use these two lines in a .htaccess file inside the password protected directory instead:
SSLRequireSSL ErrorDocument 403 https://www.example.com/directory/
(Be sure to replace “directory” with the actual URL of the protected directory.)
This tip works because the “SSLRequireSSL” command forces the Apache Web server to generate a 403 error instead of requesting a password if the page is accessed without SSL. The second “ErrorDocument 403” line forces the error to be handled as a redirect to the secure “https” URL you specify.
You could limit this to an individual file using FilesMatch, like this:
<FilesMatch wp-login.php> SSLRequireSSL ErrorDocument 403 https://www.example.com/wp-login.php </FilesMatch>
Copyright © 2000-2021 Tiger Technologies LLC