You’ll want to look into HSTS

https://https.cio.gov/hsts/

Basically it will let the user’s browser know “in advance” to always connect 
via HTTPS, eliminating the vulnerability of first connecting to a site over 
HTTP before being redirected.


> On Feb 1, 2019, at 8:09 AM, R. Diez <rdiezmail-te...@yahoo.de.invalid> wrote:
> 
> Hi all:
> 
> I have very little Apache experience. I just occasionally help with a couple 
> of websites on 2 different hosting companies of the "inexpensive" variety. I 
> want to automatically redirect from somesite.com to www.somesite.com, and 
> from http to https.
> 
> With difficulty, I have managed to put together (by the copy and paste 
> method) the following .htaccess file, which seems to be working fine:
> 
> RewriteEngine On
> 
> # Redirect from non-www to www, and at the same time to https.
> RewriteCond %{HTTP_HOST}  !^www\.  [nocase]
> RewriteRule ^  https://www.%{HTTP_HOST}%{REQUEST_URI}  [last,redirect=301,noescape]
> 
> # Redirect all other "http://www.blahblah" requests to https.
> RewriteCond %{HTTP:X-Forwarded-Proto} =http [ornext]
> RewriteCond %{HTTP:X-Forwarded-Proto} =""
> RewriteCond %{HTTPS} !=on
> RewriteRule ^  https://%{HTTP_HOST}%{REQUEST_URI}  [last,redirect=301,noescape]
> 
> It is even generic enough to be used unchanged in both websites.
> 
> However, I have heard that it is a bad idea to redirect all http requests to 
> https like that, because you are actually bypassing encryption. After all, 
> the first http request gets sent unencrypted, and the client will never 
> notice. It is best to let all "deep" http links fail, so that the developers 
> notice that they are not sending the users to encrypted pages. Only a few, 
> selected http pages should still automatically redirect to https.
> 
> In my case, that would be just these 2:
> 
> http://www.somesite.com -> https://www.somesite.com
> http://somesite.com     -> https://www.somesite.com
> 
> All other http addresses should fail with 404.
> 
> http://www.somesite.com/xxx -> 404 error
> http://somesite.com/xxx     -> 404 error
> 
> All https requests without www should still be automatically redirected:
> 
> https://somesite.com     -> https://www.somesite.com
> https://somesite.com/xxx -> https://www.somesite.com/xxx
> 
> I have searched around but found no concrete example for this particular 
> scenario, which I find surprising, for I thought that this would be the 
> normal case for most simple websites.
> 
> I have no practice dealing with these rules. I fear that any little mistake 
> can have dire consequences to the website. Or severely impact performance.
> 
> Could someone with more experience tell me how to write such redirection 
> rules? This is something that will probably benefit many other users too.
> 
> Many thanks in advance,
>  rdiez
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 
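The following .htaccess fragment is an added example for the scenario described in the thread and is not code from either poster. It assumes Apache 2.4 with mod_rewrite and mod_headers enabled and a placeholder domain example.com; the X-Forwarded-Proto conditions assume the hosting company terminates TLS on a front proxy that sets that header, as the original rules already allow for. It combines the asked-for behaviour (only the site root redirects from http, other http paths fail with 404, every https request is canonicalised to www) with the HSTS header suggested in the reply, sent only on HTTPS responses as RFC 6797 requires.

```apache
# Added example, not the thread's own rules. Placeholder domain: example.com
RewriteEngine On

# 1. Any https request without "www." -> https://www.example.com/<same path>
#    (HTTPS is on directly, or the front proxy says the client used https)
RewriteCond %{HTTPS} =on [OR]
RewriteCond %{HTTP:X-Forwarded-Proto} =https
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]

# 2. Plain-http request for the site root only -> https://www.example.com/
#    ^/?$ matches the root both in .htaccess and in server/vhost context.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteCond %{HTTP_HOST} ^(www\.)?example\.com$ [NC]
RewriteRule ^/?$ https://www.example.com/ [R=301,L]

# 3. Every other plain-http request fails with 404, so unencrypted deep links
#    are noticed during development instead of silently upgraded.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ - [R=404,L]

# HSTS: tell browsers to use https for this host for the next year.
# Sent only on https responses (directly or behind the proxy); browsers ignore
# it on http anyway. Start with a short max-age (e.g. 300) while testing, and
# add includeSubDomains only once every subdomain really serves https.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000" \
        "expr=%{HTTPS} == 'on' || %{req:X-Forwarded-Proto} == 'https'"
</IfModule>
```

Rule order matters: the https canonicalisation runs first so that `https://example.com/xxx` becomes `https://www.example.com/xxx` in one hop, the root-only http redirect runs second, and the catch-all 404 runs last; an https request that already uses `www.` matches none of them and is served normally. With `curl -I` you can check each of the cases listed in the question (root http, deep http, https without www) and confirm the expected 301 or 404, and that the `Strict-Transport-Security` header appears only on the https responses.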
