How to Force HTTPS Using .htaccess

In today’s digital world, securing your website with HTTPS is crucial for protecting user data, improving SEO rankings, and establishing trust. One effective way to ensure your site always loads via HTTPS is by configuring your website’s .htaccess file. This file plays a key role in managing settings for websites hosted on Apache Web Servers. By using the .htaccess file, you can force HTTPS, rewrite URLs, enable security features, and more. 

In this article, we’ll show you how to force https using .htaccess file. For a profound understanding, we’ll explain what is .htacess, how to locate or create it, and share best practices for securing your site.

What is a .htaccess File?

A .htaccess (Hypertext Access) file is a configuration file used by Apache web servers to set up rules for how a website behaves. It lets website owners or admins control certain settings for their site, and these rules only affect the folder where the file is placed and its subdirectories. Moreover, It supports password protection of files and directories, ensuring that only authorized users can access sensitive areas of your site.

It is important to note that htaccess is a dot file. The dot at the start of the file name indicates that the file is hidden and can’t be viewed by your website visitors.

Key Features of the .htaccess File

The .htaccess file offers various features to control and optimize your website’s behavior, security, and performance. Some useful features are listed below:

• .htaccess enables automatic redirects from old URLs to new ones and forces users to the HTTPS version for secure connections.
• It controls access to specific website sections by blocking IPs or requiring passwords.
• Custom error pages, like 404, are set up to guide users when a page is missing.
• .htaccess improves website speed by enabling caching and compressing resources.
• It strengthens security by blocking malicious traffic and enforcing HTTPS connections.

Forcing HTTPS Using .htaccess

Redirecting HTTP to HTTPS using .htaccess is one of the easiest and most user-friendly approaches, especially for those using Apache servers.

Forcing HTTPS ensures that all data exchanged with your website is encrypted. This helps protect sensitive information like passwords, credit card details, and personal data. Let’s learn how to force HTTPS using the .htaccess file by following the steps below:

Prerequisites

Before forcing HTTPS, make sure your website has an SSL certificate installed. The SSL certificate is necessary to encrypt the data between the user’s browser and your server. Without it, HTTPS redirection won’t work. If you’re not sure whether you have an SSL certificate or not, use our free SSL Checker to verify its validity for any website.

Step 1: Log in to cPanel

The .htaccess file is generally located in the root folder of your website, where the primary website files are kept. You can find it either using FTP or cPanel.

Let’s log in to cPanel with the appropriate credentials:

Step 2: Locate the .htaccess File

On the cPanel dashboard, locate the File Manager under the ‘Files’ section:

Navigate to the root directory public_html and open the .htaccess file to edit it: 

In case, the htaccess file is not visible, go to settings, tick the show hidden files box, and click on the Save button:

Step 3: Force HTTPS .htaccess File 

After finding the .htaccess file, open it for editing using a text editor. You can use the editor in cPanel, an FTP client, or a text editor on your computer. Then, add the following code at the top of the file to redirect all HTTP requests to HTTPS:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301, L]

Replace the example.com with your domain name and save the .htaccess file:

To check if the redirection works, open your website with HTTP (e.g., http://domainname.com). If everything is set up correctly, your browser will automatically redirect you to the HTTPS version of your site (e.g., https://domainname.com).

Creating a .htaccess File

If you don’t have a .htaccess file, you can create one using a text editor like Notepad and save it as “.htaccess” (without the .txt extension). Once the .htaccess file is created, you can follow the above steps to force HTTPS using the .htaccess file.

Best Practices for Using .htaccess to Force HTTPS

You can follow the below-listed practices to force HTTPS through the .htaccess file and ensure a smooth and secure transition for your website users:

• Always use a 301 Permanent Redirect when forcing HTTPS, as it tells search engines that the site has permanently moved to HTTPS, helping to maintain SEO rankings.
• Make sure your SSL certificate is properly installed before forcing HTTPS. You can use tools like SSL Labs’ SSL Test to check its configuration.
• After setting up the redirect, test your website in different browsers (e.g., Chrome, Firefox, Safari) to make sure the HTTPS redirect works properly.
• Ensure all internal resources (like images, scripts, and CSS files) are loaded over HTTPS to avoid mixed content warnings in browsers.
• Regularly check and update your .htaccess file to keep it optimized for security and performance as your website’s needs change.

Conclusion

Forcing HTTPS using the .htaccess file is an effective way to secure your website by ensuring all traffic is redirected to an encrypted connection. By configuring the .htaccess file properly, you protect user data, boost SEO rankings, and establish trust with visitors. It’s essential to have an SSL certificate installed before making the change. Following best practices, such as using 301 redirects, testing across browsers, and ensuring all resources are loaded over HTTPS, will ensure a smooth, secure experience for users. Eventually, forcing HTTPS through .htaccess boosts both security and your site’s online presence.

FAQ