How to force HTTPS using .htaccess file in cPanel

Once a SSL certificate is installed and a site can be reached via https:// appropriately, visitors should be able to access the whole site or key pages via https:// automatically. In other words, by typing domain.com in a web-browser, a user should be redirected to https://domain.com to access the site securely.

To accomplish this, a special set of directives called rewrite rules needs to be added to the web-site’s .htaccess file, which can be found in the root folder of a specific site in cPanel (e.g. “public_html”). Also, this file can be created if it cannot be located.

Types of redirects

When it comes to setting up a rewrite rule, it is useful to know that there is a permanent redirection type and a temporary one. Each type is processed by search engines and web-browsers differently and has its own status code, which can be specified in a rewrite rule explicitly:

  • Status code 301 (permanent redirect) implies that the requested resource has moved to a new location permanently, thus search engines should not take into account the references to a previous location and index a new one. Web-browsers, in turn, will store a new URL in cache, therefore, giving it priority over the initial URL.

    force_https1

  • Status code 302 (temporary redirect) means that the redirect has been set for a limited period of time. Search engines in this case should honor both locations as equal and the initial one would remain valid. Accordingly, browsers will not cache the new URL and the redirection will be executed every time the initial URL is requested.

    force_https2

    NOTE: Enabling a 302 redirect for a long period of time can significantly decrease a website’s ranking in search results. In terms of HTTP-HTTPS redirect, all site requests are split between http://domain.com and https://domain.com, since both are indexed by search engines separately. Therefore, in most cases a 301 status code is preferable for HTTP-HTTPS redirects.

    We will describe exactly where a status code needs to be specified in the next section.

    Setting a rewrite rule in .htaccess: use cases

    NOTE: The directives specified below work under their own syntax. Changing any symbol or character can lead to improper function or failure of the rewrite rule. To keep things clear, we have highlighted those parts, which can be modified, with red color (mostly where a certain domain name should be placed).

    Let’s take an overview of the most common situations in which a redirection from HTTP to HTTPS can be configured.

    Enabling redirect for all sites in a cPanel account

    To redirect all sites within a cPanel account, one of the following blocks should be added to .htaccess:

    a. RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

    This block enables rewriting capabilities, verifies that the initial request does not already have https://, and rewrites the entire requested URL, replacing http:// with https:// (e.g., http://domain.com/subfolder/index.php will be replaced with https://domain.com/subfolder/index.php).

    b. RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

    This block works the same as the previous one, just with the help of a different syntax. It is possible to use either of the above mentioned rewrite rules in order to redirect all sites within a cPanel account.

    Forcing HTTPS for a specific site

    To enable a redirect for a single site, one can specify any of the blocks listed below in .htaccess:

    a. RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteCond %{HTTP_HOST} ^ncssltest\.info$ [OR]
    RewriteCond %{HTTP_HOST} ^www\.ncssltest\.info$
    RewriteRule ^(.*)$ https://www.ncssltest.info/$1 [R,L]

    b. RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteCond %{HTTP_HOST} ^ncssltest\.info$|^www\.ncssltest\.info$
    RewriteRule ^(.*)$ https://www.ncssltest.info/$1 [R,L]

    c. RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteCond %{HTTP_HOST} ^(www\.)?ncssltest\.info
    RewriteRule ^(.*)$ https://www.ncssltest.info/$1 [R,L]

    Generally, all of the rule sets above do the same job: checking the port (80 for http, 443 for https), verifying whether a domain name in the initial request is with or without “www.” alias, and rewriting the URL with https://. You may choose which one to implement based on your individual preference.

    Disabling rewrite rule application for a specific site

    If you need to setup a redirect for all sites within Cpanel account except of one or a few, the block of code specified below can be added to .htaccess:

    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^(www\.)?ncssltest\.info
    RewriteRule .* - [L]
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

    The first condition in the block matches the requested URL against the domain name, included to conditional value (the one that should NOT be redirected), and stops rewriting if they match. It is possible to add domain names to the conditional directive, separating them with the ”|” symbol, or to specify several conditional directives, (see examples in previous section).

    Enabling HTTPS for a specific subfolder

    Sometimes you may need to redirect a certain part of a website located in a specific subfolder, while leaving the rest of the site as-is. To do this, insert the following block to .htaccess:

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?subfolder/(.*) https://%www.ncssltest.info/subfolder/$1 [R,L]

    This rule is applied if only a specified subfolder is mentioned in the initial request.

    Forcing HTTPS for a specific page

    The rewrite rule for redirecting a specific page is similar to the previous one:

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^example\.html$ https://www.ncssltest.com/example.html [R,L]

    Only the requested page will be redirected; other site content will remain unaffected.

    If the page that needs to be redirected is located in a specific subfolder, the RewriteRule line should be modified as follows:

    RewriteRule ^test/example\.html$ https://www.ncssltest.com/test/example.html [R,L]

    (in the above example, “test” is the subfolder in question)

    Setting up redirect for a specific file name, regardless of location

    If you have a number of pages with the same name, located in different subfolders (the example “index.html” is used below), you may enable HTTPS redirect for all of them at once. Do this by applying the ruleset as shown below:

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteCond %{REQUEST_FILENAME} index.html
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

    Only the pages with the file names that match the {REQUEST_FILENAME} parameter value will be redirected to HTTPS.

    How to specify a redirect status code in rewrite rule

    Each rewrite rule ends with so-called “rewrite flag”s (specified in square brackets, e.g. [R,L]). These flags help to control the rewriting process to be performed correctly. To set a redirect with a 301 status code (permanent), you will need to assign this code to the R-flag in brackets by adding “=301”.

    force_https3

    NOTE: If there is no value specified for the R-flag, a redirection will be executed with a 302 status code by default.

    Once complete, a redirect functioning and its status code can be checked with the help of this tool

Comments

We welcome your comments, questions, corrections and additional information relating to this article. Your comments may take some time to appear. Please be aware that off-topic comments will be deleted.

If you need specific help with your account, feel free to contact our Support Team. Thank you.

Need help? We're always here for you.

× Close