Channel: BulletProof Security Forum » All Posts

Reply To: WordPress SSL htaccess code – Rewrite SSL, RewriteCond %{SERVER_PORT}


Alternatively, instead of

RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS
RewriteRule ^/?(.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

try

### BEGIN HTTPS Catch-All
# first line optional, from https://codex.wordpress.org/Administration_Over_SSL
# An important idea in this block is using THE_REQUEST, which ensures only actual http 
# requests are rewritten and not local direct file requests, like an include or fopen
#RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(.*)\ HTTP/ [NC]
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,QSA,L]
# note use of NC and QSA - QSA can be esp important, generally better than using QUERY_STRING
# also, unless specified otherwise an R is treated as R=302
# finally, note in RewriteRule that we are only matching against the void preceding new line which avoids
# expensive pattern matching and value capture (specifically, '^' instead of '^/?(.*)' or similar)
### END HTTPS Catch-All

Also, only once you really know for sure that everything is working as expected, you might look at using HSTS, like

# BEGIN HSTS Control
# good for initial testing, raise max-age value when confident...
#Header set Strict-Transport-Security "max-age=300; includeSubDomains" env=HTTPS
# END HSTS Control
# BEGIN HSTS Control, with preload
# Uncomment line below only when well researched
#Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload" env=HTTPS
# END HSTS Control

Once you’re sure it’s all working (and you’ve done some googling to learn more about this), then you might try using the preload option, which may address the issue with the delay in redirect from http to https even for new visitors, as their browsers will, in theory, already know better…

Love the improved Query String Removal code from AITpro admin – thanks for that =)

Cheers, Max

  • This reply was modified 15 hours, 16 minutes ago by AITpro Admin.
  • This reply was modified 15 hours, 10 minutes ago by AITpro Admin.
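
For the staged HSTS rollout described in the reply above, this added example (not part of the original post or of BulletProof Security) parses a Strict-Transport-Security value the way RFC 6797 section 6.1 describes and reviews it before max-age is raised or preload is enabled. The function names and the `PRELOAD_MIN_MAX_AGE` threshold are assumptions introduced here.

```python
import re

# Assumption: one year, the minimum max-age hstspreload.org documents for
# preload submissions; adjust it if the list's requirements differ.
PRELOAD_MIN_MAX_AGE = 31536000

def parse_hsts(value):
    """Parse per RFC 6797 section 6.1; return a directive dict or None."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar permits empty directives
        name, sep, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            return None  # a repeated directive invalidates the header
        directives[name] = val.strip().strip('"') if sep else None
    age = directives.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        return None  # max-age is required and must be all digits
    directives["max-age"] = int(age)
    return directives

def review(value):
    """Return findings for one header value; an empty list means no issues."""
    d = parse_hsts(value)
    if d is None:
        return ["invalid: browsers ignore this header"]
    notes = []
    if d["max-age"] == 0:
        notes.append("max-age=0 removes the host's HSTS entry")
    if "preload" in d:
        if "includesubdomains" not in d:
            notes.append("preload without includeSubDomains")
        if d["max-age"] < PRELOAD_MIN_MAX_AGE:
            notes.append("max-age below preload minimum")
    return notes

# The two header values from the post, then two constructed malformed ones.
SAMPLES = [
    "max-age=300; includeSubDomains",
    "max-age=10886400; includeSubDomains; preload",
    "includeSubDomains; preload",   # constructed: max-age missing
    "max-age=300; max-age=600",     # constructed: duplicate directive
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", review(s) or ["ok"])
```

Feed it the header value your server actually returns over HTTPS after each change to the .htaccess block.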
