Ratings, reviews, plans and features to help you find the right web hosting provider for your site.

Force SSL/https using .htaccess and mod_rewrite

Web Hosting Articles » A simple guide to .htaccess » Force SSL/https using .htaccess and mod_rewrite

Sometimes you may need to make sure that the user is browsing your site over securte connection. An easy to way to always redirect the user to secure connection (https://) can be accomplished with a .htaccess file containing the following lines:

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]

Please, note that the .htaccess should be located in the web site main folder.

In case you wish to force HTTPS for a particular folder you can use:

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} somefolder
RewriteRule ^(.*)$ https://www.domain.com/somefolder/$1 [R,L]

The .htaccess file should be placed in the folder where you need to force HTTPS.

  1. How to block users from accessing your site based on their IP address
  2. How to prevent or allow directory listing?
  3. How to change the error documents – 404 Page Not Found, etc
  4. Using .htaccess for password protecting your folders
  5. Using .htaccess to block referrer spam
  6. Disable Hot-Linking of images and other files
  7. Redirect URLs using .htaccess
  8. Introduction to mod_rewrite and some basic examples
  9. Force SSL/https using .htaccess and mod_rewrite
  10. 301 Permanent redirects for parked domain names
  11. Enable CGI, SSI with .htaccess
  12. How to add Mime-Types using .htaccess
  13. Change default directory page
  14. Block Bad robots, spiders, crawlers and harvesters
  15. Make PHP to work in your HTML files with .htacess
  16. Change PHP variables using .htaccess
  17. HTTP Authentication with PHP running as CGI/SuExec
  18. Force www vs non-www to avoid duplicate content on Google
  19. Duplicate content fix index.html vs / (slash only)

Comments 52 >>

Yoni Varbos Said,
Jan 08, 2007 @ 01:50

Nice htaccess article! Here is a more indepth SSL article.

Fixing double-login problem and making sure authorization usernames/passwords are not sent in cleartext unencrypted.

SSLOptions +StrictRequire
SSLRequire %{HTTP_HOST} eq "google.com"
ErrorDocument 403 https://google.com

Ilias Said,
Mar 06, 2007 @ 05:07

Thank you very much. I quickly found what I was looking for!

PHP MySql Programmer / Developer Said,
Sep 17, 2007 @ 18:56

Thank you for the htaccess information. This is a cool tutorial.
AK Said,
Mar 07, 2008 @ 12:52

Thanks! This was exactly what i was looking for... :-)
Martin Said,
Apr 24, 2008 @ 04:35

http://www.domain.com/somefolder/ (note the slash at the end) is redirected to the original URL with https as expected, but http://www.domain.com/somefolder (without the slash at the end) is redirected to an invalid URL: https://www.domain.com/somefolder//{physical path in the file system}. Any guess why?
Colin Said,
May 06, 2008 @ 18:35

I am having the same problem that Martin is having with this. Is there a way to either add or remove the slash mark at the end of the URL if it is not going directly to a page other than index.php or index.html? Other than that this is the code I have been looking for... thanks for the help!
vine Said,
May 09, 2008 @ 03:01


I tested this on several of my servers and did not experience this problem.

May be you should contact your webhosting provider on this matter. Most probably it is some apache config option.

My best guess is that the problem comes from the UseCanonicalName directive. So if you do not have control over the apache httpd.conf file you should contact your webhosting provider for assistance.
Colin Said,
May 12, 2008 @ 12:24

Thanks for the reply Vine... but I was not able to get that to work. I did find this reference to the issue here:


But I was not able to figure out how to do this with a specific folder. For those of you that understand htaccess code MUCH BETTER than me... can you figure out the work around that would allow me to force SSL/https on a folder without a trailing slash?

Thanks SO MUCH for the help!
vince Said,
May 12, 2008 @ 13:21


You may try the following:

# add trailing slash to directories and force SSL
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_URI} !(/$)
RewriteCond %{SERVER_PORT} 80
RewriteRule (.*) https://www.example.com/$1/ [R=301,L]

# And for the files
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]
AION Said,
Jul 13, 2008 @ 06:11

Works like a charm
Warhammer Online Said,
Oct 12, 2008 @ 10:30

Thanks, found what I was looking for.
credit card processing Said,
Nov 21, 2008 @ 19:07

Thanks, this is just what I needed. Quick and concise.
Busby SEO Test Said,
Dec 03, 2008 @ 22:50

Nice htaccess article, and thanks to Yoni Varbos for adding more detail. this is just what I needed
beloed Said,
Jan 13, 2009 @ 11:15

This great information, Thanks for share this.
Andrew Schools Said,
Mar 03, 2009 @ 10:14

This won't work if the server is using PORT 80 for SSL, like mosso cloud hosting... This would cause a redirect loop...
Milwaukee SEO Company Said,
Apr 02, 2009 @ 06:53

Andrew Schools is right. This doesn't work on Mosso for similar ASP.Net code, either. Mosso also did not offer a workaround for how detect https connections. Finding this out was disappointing, since there are many times our sites need to force http or https.
zach Said,
Apr 22, 2009 @ 00:42

any luck with a workaround for mosso? thanks
marc Said,
May 02, 2009 @ 01:26

excellent information. nice to share :) . I have been learning a few .htaccess tricks myself
Steve Said,
Jun 04, 2009 @ 10:29

Thanks a lot for the article. Very nice and simple -- just what I was looking for.
Bryan Said,
Aug 11, 2009 @ 11:51

Dmitry Said,
Aug 17, 2009 @ 04:59

Thanks, just what I was looking for! Good article.
Fasckira Said,
Aug 17, 2009 @ 16:49

Hey there, awesome guide and got it working first time but I was wondering if you knew how to prevent it from redirecting to SSL on a directory within the main root?
For example, my main site is in the root directory but the forum is in /fora/. However, as users upload images from photobucket for example, ie users keep getting warnings about the offsite images affecting the certificates credibility.
Any help would be much appreciated!
W Said,
Sep 23, 2009 @ 10:53

Thanks! Simple and effective solution to my problem.
praveen Said,
Nov 11, 2009 @ 00:46

Hi All,

When I tried your code, it works fine on local system. But when i tried the same code on GoDaddy server, it didn't work.

The .htaccess file code goes here:

local code
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} pro
RewriteRule ^(.*)$ https://localhost/example/pro/$1 [R,L]


server code
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} pro
RewriteRule ^(.*)$ https://www.example.com/pro/$1 [R,L]


Any help will be appreciated.
Deepak Said,
Dec 16, 2009 @ 07:27

hi i need some help , i have made an htaccess file.

if i put / at the end of url it shows error object not found because i have made url in htaccess without last / .

i want to working with both / ans without slash /
Steve Said,
Dec 17, 2009 @ 12:43

Our company's site is in a mixed environment (some pages need to be secure, the remainder don't).

I have come across a tutorial at http://articles.sitepoint.com/article/apache-mod_rewrite-examples/2# which states how to take certain directories and send them to SSL and then if you are in SSL and you go to a directory that is NOT listed in the RewriteCond, it should go back to Non-SSL... but it's staying in SSL anyways.

Here's an example: go to http://www.aaatidewaterva.com -- this is Non-SSL. Click on "Email Preferences" along the top -- this is taken to SSL (as it should be). Since my links are dynamic based on the current protocol, the logo on the top left links to the home page, but in the SSL environment. The RewriteCond for this scenario should then redirect the user back to the Non-SSL environment because it is not in the list of directories specified to be SSL. But it's not...

Any ideas on what I may be doing wrong?

Here's my Rewrite code:

#Redirect to SSL for certain pages
RewriteCond %{HTTPS} !on
RewriteRule ^/?(admin|myAAAOnline1|membership/giftbogo(.*)|membership/index-mp(.*)|memberforms/(.*)|wow|insurance/getquote.php?requestType=([a-z]+)|automotive/askourtech.php|emailprefs|e-GoingPlaces/(.*))$ https://%{SERVER_NAME}/$1 [R,NC,L]

#Redirect back to Non-SSL for pages that are NOT the "certain pages" listed above
RewriteCond %{HTTPS} on
RewriteRule !^/?(admin|myAAAOnline1|membership/giftbogo(.*)|membership/index-mp(.*)|memberforms/(.*)|wow|insurance/getquote.php?requestType=([a-z]+)|automotive/askourtech.php|emailprefs|e-GoingPlaces/(.*))$ http://%{SERVER_NAME}%{REQUEST_URI} [R,NC,L]
Robert Said,
Apr 16, 2010 @ 20:18

I am wanting to only have about 10 pages which are ssl and every other page normal

How do i force having everything normal and when entering them pages it goes to ssl.

And when leaving the ssl pages it is forced back to normal?
arines Said,
Jul 20, 2010 @ 12:50

Great overview aboutforce ssl htaccess

very useful
Russ Said,
Jul 23, 2010 @ 16:40

I was looking for a way to redirect certain URI's for a localhost server as well as any server for a CMS I am developing. I basically took what I found here and manipulated some by adding the SERVER_NAME condition. It works for redirecting any subfolder to https that you specify and is tied to the server name on which you are working. All you have to do is repeat the coding in your htaccess for each subfolder. I'm not aware of a way to do this for multiple conditions. I need to do some more research.

Basically this is what I came up with and it works quite well. If it needs correction, then please tell me how to change it:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCOnd %{REQUEST_URI} subfolder
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
Sujit Said,
Jul 26, 2010 @ 01:27

I want to remove folder name from the url
My URL is:
I want this url tto be like
Sujit Said,
Jul 26, 2010 @ 01:28

I want to remove folder name from the url
My URL is:
I want this url tto be like
Ghanasyam Said,
Oct 28, 2010 @ 03:44

Dear all, I wish to remove the folder name 'news' in my site's url http://www.topreporter.org/news/kerala-real-estate-property-prid-99.htm using .htacces.
I found some articles in many sites ,but nothing helped.kidly help me to solve this.
Lindsay Said,
Dec 13, 2010 @ 11:27

I cannot get this to work either. I need to force 3 files to https and my hosting company won't help me either. I have tried this but it directs to an error page saying that it has been directed too many times:

RewriteEngine on
RewriteCond %{SERVER_PORT} 80
RewriteRule %{REQUEST_URI} folder
RewriteRule ^(.*)$ https://www.domain.com/folder/$1 [R,L]
MikeRizzo Said,
Jan 28, 2011 @ 10:45

Thanks - very helpful
Livepage Said,
Feb 16, 2011 @ 03:05

I have this one and works fine, but if I enter subdomain or domain/folder path it doesn't work well:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Any ideas?
Livepage Said,
Feb 16, 2011 @ 04:58


You can try this:

Options +FollowSymLinks

#removes trailing slash if not a directory
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)/$ /$1 [R=301,L]

e.g. if you have this code in your .htaccess you can open same page to watch CNN at http://www.livepage.info/CNN or by entering http://www.livepage.info/CNN/ so, this fixes slash problem you may have sometimes.

Raji Said,
Mar 04, 2011 @ 01:54

Same thing happens to me

I cannot get this to work either. I need to force 3 files to https and my hosting company won't help me either. I have tried this but it directs to an error page saying that it has been directed too many times:

I used this
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]
Bryant Cruse Said,
Mar 07, 2011 @ 09:01

I have use the force ssl for the entire site but I only want certain pages to be ssl. I have tried the folder but no luck. Can you give me step by step what I need to do. I am having a brain fart (I guess). The force ssl worked great but on one of the pages, messes up (blog page).Thanks for your help.
Josh Said,
May 22, 2011 @ 09:03

My site is being indexed as Xx.XX.XXXx.static.theplanet.com instead of www.mysite.com. I wrote htaccess rule to redirect all http, but when it comes to https:// the page shows certificate error before doing the redirect.

For ex:
RewriteCond %{HTTP_HOST} ^Xx.XX.XXXx.static.theplanet.com [OR]
RewriteCond %{HTTP_HOST} ^mysite.com
RewriteRule ^(.*)$ http://www.mysite.com/$1 [L,R=301]

The problem is if it hits to - https://Xx.XX.XXXx.static.theplanet.com
Is there a way to Skip over the certificate error? https://MySite.com has a valide SSL certificate though.

Any help will be appreciated. Thanks in advance.
vince Said,
May 22, 2011 @ 15:51

Hi Josh,

Unfortunately, there is no way to bypass the warning for https://Xx.XX.XXXx.static.theplanet.com

The SSL connection negotiation between the user's browser and the server happens before any .htaccess rule to be processed. So no .htaccess is in play while the SSL handshake is being made.

As for your .htaccess rules, I would recommend:

RewriteEngine on

RewriteCond %{HTTP_HOST} !^www.mysite.com [NC]
RewriteRule ^(.*)$ http://www.mysite.com/$1 [R=301,L]

The above will redirect any request to a domain name different from www.mysite.com to www.mysite.com.

If you wish to handle SSL connections you can also use:

RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www.mysite.com [NC]
RewriteRule ^(.*)$ https://www.mysite.com/$1 [R=301,L]

So your complete .htaccess can look like:

RewriteEngine on

RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www.mysite.com [NC]
RewriteRule ^(.*)$ https://www.mysite.com/$1 [R=301,L]

RewriteCond %{SERVER_PORT} 80
RewriteCond %{HTTP_HOST} !^www.mysite.com [NC]
RewriteRule ^(.*)$ http://www.mysite.com/$1 [R=301,L]
vince Said,
Jun 09, 2011 @ 02:22

Hi Joe,

I am not sure how the "Better WP Security" applies its measures.

If it uses some .htaccess rules to force SSL, then just FTP to your account download the .htaccess file and revise the rules there. If there is a rule forcing SSL just comment it out.

However, it is possible that the SSL is forced from within the plugin PHP code.

May be this will solve your problem:


= I've enabled the Enforce SSL option and it broke my site. How do I get back in?
* Open your wp-config.php file in a text editor and remove the following 2 lines:

define('FORCE_SSL_LOGIN', true);;
define('FORCE_SSL_ADMIN', true);;


I hope this helped
Kaushik Biswas Said,
Jul 10, 2011 @ 12:21

much helpful for me, and to many others i think. found more helpful posts in the related posts section. all-in-one-place :D thanks! these are very important things webmasters need to know.
New York Forum Said,
Jul 21, 2011 @ 09:30

Darn! Why are were having trouble with this and domain alias and the folders that contain WordPress?
Rajiv Said,
Jul 23, 2011 @ 20:52

Hi All,

Some one please help me.
My problem is
I have installed wordpressMU in subfolder and in root i have boonex dolphin.

Now wordpress new blog showing like

I need to change this like

Any help will be appreciated and thankful. Thanks in advance.
barry sausse Said,
Sep 11, 2011 @ 07:03

great info on the force ssl topic. I am definitely going to use that on my site for Easy Profit Bot at http://ezprofitbot.com

Thanks again!
Ranjit Abraham Said,
Sep 13, 2011 @ 10:06

Great article. I used it and it works smoothly.
Marc Ricther Said,
Sep 28, 2011 @ 01:33

Very cool. Bluehost just sent me here to solve my http vs. https issue. Very clean and simple.
John Said,
Oct 10, 2011 @ 20:04

Did a search on force SSL htaccess and found your web site. thanks!! the information was right to the point.
Aaron W Said,
Nov 03, 2011 @ 20:00

Thanks for the post. For some time I was just using a PHP hack that redirected from HTTP to HTTPS. I decided it was time to finally learn how to do it the correct way. Great article. I uploaded the .htaccess file to my server and it worked on the first try. Thanks!
Telecomenzi Said,
Dec 22, 2011 @ 14:19

Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Any way I'll be subscribing to your feed and I hope you post again soon. Here you can find a post by Remotes Control
dementu Said,
Dec 22, 2011 @ 14:20

This site has always useful information about the subject has been taken.IT developers can take more help from this article.Well its an informative sharing with all of us at Web Directory!!Portal Galati Anunturi Galati
Meindert Jorna Said,
Jan 14, 2012 @ 17:29

Simpel but clear. Used this code and made the whole site function in https instead of http without bugs while I tested lots of more complicated codes which did not function at all. Thanks.
Your comments on this article


(required but never displayed)

security code

Previous: Introduction to mod_rewrite and some basic examples Next: 301 Permanent redirects for parked domain names