How to Force SSL with .htaccess

Even if you have installed an SSL certificate, your website will still be accessible via HTTP. To completely secure your website, use the .htaccess file to force an HTTPS connection. This activity requires the addition of new code to the file.

Forcing Universal HTTPS

• Step 1. Log in to your web hosting control panel
• Step 2. Find the .htaccess file and open it for editing. You can typically find the file in the root directory of your public_html folder. If the file does not exist, create a blank text file and later save it as .htaccess.
• Step 3. Add the following code –

RewriteEngine On

RewriteCond %{HTTPS} off

RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

• Step 4. Save the changes before exiting the file.

The steps above will enforce HTTPS for all web traffic to the site. You can also specify if you wish to force HTTPS to a specific domain or even a particular folder.

Forcing HTTPS for a Specific Domain

If your account handles multiple websites, you may, on occasion, wish to enforce HTTPS for specific sites. If so, add the following code instead:

• RewriteEngine On 
• RewriteCond %{HTTP_HOST} ^yourhttpsdomain.com [NC] 
• RewriteCond %{HTTPS} off 
• RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Replace “yourhttpsdomain.com” with the domain name for which you wish to force HTTPS.

Forcing HTTPS on a Specific Folder

Aside from entire domain names, the .htaccess file can also force HTTPS for specific folder content only. If this is the case, add the following code:

• RewriteEngine On 
• RewriteCond %{REQUEST_URI} folder
• RewriteRule ^(.*)$ https://www.yourwebsite.com/folder/$1 [R,L]

Replace “folder” with the name of the folder for which you want to force HTTPS. Replace  www.yourwebsite.com with the domain name to which the folder belongs.