How to Redirect HTTP to HTTPS Using .htaccess File

With the emphasis on sites being hosted using https rather than http there’s also the redirect of the old website references, to the new encrypted https.

The .htaccess file in the root of the the web site supports the use of redirect rules.

Using htaccess file’s the Rewrite Condition and Rewrite Rule pairing we’ll redirect the http website pages to their corresponding https encrypted version.

Let’s start with the simple redirection.

We’ll begin by redirecting the non encrypted page to the encrypted website. For now we’ll ignore the finer point of serving up the same page.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP-HOST} [R,L]

In the above example I’ve assumed that redirects don’t already exist. So I’ve added the first action to turn on the rewrites.

This is followed by the condition which we are testing for and the rule to be applied if the match is successful.

In the above we are testing to see if the page is encrypted using https. If not then replace the current URL with the server host name.

The rule, as shown, has 3 parameters: the string to match; the replacement string and some flags for the web server.

In this example

  • (.*)  – take all of the characters in the URL
  • %{HTTP-HOST} is the old website server host server name.
  • [R,L] The R tells the web server (Apache) this is a temporary redirect. Whilst the L to stop any further processing if the rule matches.

Now to take this a step further.

Clearly, entering a page which you have visited before, only to find that you are viewing the root of the website, will not be conducive to a happy website audience. Your visitor won’t care so much that it’s encrypted. It will also affect your website rankings and listings.

Let’s add the extra part to maintain our viewed page.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

Now when the old page is visited it redirects to the encrypted one.

The final improvement is to tell the browser and search engine robots that this change is permanent by setting the value of R to 301.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


The last part of the line details the type of redirect.

  • 301 is a permanent redirect. change the simple R flag to R=301.
  • 302 is temporary.

It can be very difficult to force a browser to revert after setting a permanent redirect. For this reason it’s best to use a temporary one whilst testing.

Do not duplicate RewriteEngine On.

I’ve seen .htaccess files with a RewriteEngine Off. Make sure your redirect rule isn’t outside of these two tags.

But if when testing your redirect is found not to be working check that it’s within an active RewriteEngine section.

If you have more than one redirect rule in what order in the sequence should this https redirect rule be placed?

Put your https redirect early in your list of redirects.

It’s efficient to handle the specific rules early on. Every rule that is tested is additional server processing giving rise to a slower server and a slower site response. Clear and precise rules should be listed first.