Forcing SSL (https) on your website

Securing your website with our SSL certificate is only the first step. If you are hosting on a managed service, your site will already have an SSL certificate allocated to it. Ensuring your users are always on the secure site, however, can be a little trickier.

If customers do not use the https:// prefix for the website, modern browsers will default to non-SSL, non-secured communications with the website. We can work around this by adding or modifying the .htaccess file located within your public_html folder. 

A general entry might look like this:

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


This tells the server that if a connection is attempted without SSL/https, it should tell the browser to try again, this time using the https:// prefix for the request. No matter which page a visitor attempts to access insecurely, they will be redirected to the secure version of it.

Known issues:

There is a known issue with another way of forcing SSL on a client connection when using DigiTimber services:

RewriteEngine on
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

While this might look almost the same, it very much is not. Because our internal server does not run on port 80 (the default insecure port), this is not a valid check of whether the client is using SSL. Adding this entry to your .htaccess file will not have the desired result and will not ensure your website users are secure.
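To check an existing .htaccess file for the problem described above, the following Python script is an added example (not part of the original article and not DigiTimber tooling). It pairs each RewriteCond with the RewriteRule it guards and flags https:// redirects that rely on %{SERVER_PORT} instead of %{HTTPS}; the function name audit_htaccess and the sample strings are constructed for illustration.

```python
import re

# Constructed sample .htaccess contents, based on the two entries in this article.
GOOD = """RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
"""
BAD = """RewriteEngine on
RewriteCond %{SERVER_PORT} 80

RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
"""

COND = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)


def audit_htaccess(text):
    """Return (line_number, message) findings for https:// redirect rules."""
    findings = []
    pending = []           # RewriteCond lines waiting for their RewriteRule
    saw_redirect = False
    for num, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue       # blank lines and comments do not split a cond/rule group
        cond = COND.match(line)
        if cond:
            pending.append((num, cond.group(1).upper()))
            continue
        rule = RULE.match(line)
        if not rule:
            continue       # other directives, e.g. RewriteEngine
        if rule.group(2).lower().startswith("https://"):
            saw_redirect = True
            if "%{HTTPS}" not in [var for _, var in pending]:
                findings.append((num, "https:// redirect is not guarded by %{HTTPS}"))
            for cnum, var in pending:
                if var == "%{SERVER_PORT}":
                    findings.append((cnum, "port check does not detect SSL here"))
        pending = []       # conditions apply only to the next RewriteRule
    if not saw_redirect:
        findings.append((0, "no https:// redirect rule found"))
    return findings


if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_htaccess(sample))
```

To audit a real file, pass its contents to audit_htaccess, for example the text read from the .htaccess file in your public_html folder.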

 

 

 
