Redirecting WordPress /.htaccess / HSTS / SSL

I’m trying to set HSTS up correctly on my website and it is currently “half-working”. I need to find the correct way to redirect http://www.example.com to https://www.example.com and finally to https://example.com.

Actually, the website has 1 redirect per URL version:

  • http://www.example.com 301 redirect to https://example.com/

  • http://example.com 301 redirect to https://example.com/

  • https://www.example.com 301 redirect to https://example.com/

I now need to adjust the redirection through my .htaccess so that it works this way:

  • http://www.example.com
    301 redirect https://www.example.com
    301 redirect https://example.com

I tried a couple of times, but I always end up shutting the website down. Could you please help me to fix this?

Sorry guys, I forgot to mention something important: I have already installed HSTS and it is working on example.com, but when I test it as www.example.com I get “Error: Subdomain , Error: No HSTS header , Error: HTTP does not redirect to HTTPS”.
I’m testing it with hstspreload.org

1 Answer

So, the canonical URL is https://example.com/.... (You appear to be describing a pointless intermediary redirect? You should only redirect to the final canonical URL, no need for anything in between.)

This is just a standard HTTP to HTTPS redirect.

You can do this using mod_rewrite at the top of your .htaccess file. For example:

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\.
RewriteRule (.*) https://example.com/$1 [R=301,L]

What the above says is… if the request is for HTTP or www subdomain then 301 redirect to the canonical URL.

However, you should test this with a 302 (temporary) redirect before you implement HSTS. If you’ve already implemented HSTS and visited the HTTPS URL then the browser will automatically issue the upgraded request and you will never see the redirect (which is the whole point of HSTS).


UPDATE:

“Error: HTTP does not redirect to HTTPS http://www.example.com (HTTP) redirects to https://example.com/. The first redirect from http://example.com should be to a secure page on the same host (https://www.example.com)”

Ah, it would seem that in order to satisfy the Submission Requirements to get on the HSTS preload list you must first “Redirect from HTTP to HTTPS on the same host”. (This would, however, seem to be counter-intuitive with regards to SEO and user experience.)

To split the redirect in two and redirect to HTTPS first, before the canonical www redirect, do something like the following instead:

RewriteEngine On

# 1. Redirect HTTP to HTTPS on the same host
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=301,L]

# 2. Canonical redirect from www to non-www
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule (.*) https://example.com/$1 [R=301,L]

For additional notes about issuing canonical redirects for the HSTS preload list see my answer to the following question on the Pro Webmasters stack:
https://webmasters.stackexchange.com/questions/112263/hsts-preload-section-on-htaccess
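
The two rulesets from the answer above, modelled in Python to show the redirect chain each one produces and whether the first hop meets the "same host" requirement quoted from hstspreload.org. This is an added example, not part of the original answer; the function names are hypothetical and the rule logic is a simplified model of the mod_rewrite directives, not Apache itself.

```python
from urllib.parse import urlsplit

CANONICAL_HOST = "example.com"  # canonical host used on this page

def single_rule(scheme, host, target):
    """Model of the first ruleset: one combined redirect to the canonical URL."""
    # RewriteCond %{HTTPS} off [OR] / RewriteCond %{HTTP_HOST} ^www\.
    if scheme == "http" or host.startswith("www."):
        return f"https://{CANONICAL_HOST}{target}"
    return None

def split_rules(scheme, host, target):
    """Model of the second ruleset: HTTPS on the same host, then www to non-www."""
    if scheme == "http":                      # rule 1 keeps %{HTTP_HOST}
        return f"https://{host}{target}"
    if host.lower().startswith("www."):       # rule 2, [NC] = case-insensitive
        return f"https://{CANONICAL_HOST}{target}"
    return None

def redirect_chain(url, ruleset, max_hops=5):
    """Apply a ruleset repeatedly and return every URL visited, in order."""
    chain = [url]
    for _ in range(max_hops):
        p = urlsplit(chain[-1])
        target = (p.path or "/") + (f"?{p.query}" if p.query else "")
        nxt = ruleset(p.scheme, p.netloc, target)
        if nxt is None:
            return chain
        chain.append(nxt)
    raise RuntimeError(f"redirect loop starting at {url}")

def first_hop_ok(chain):
    """True if an HTTP start URL first redirects to HTTPS on the same host."""
    start = urlsplit(chain[0])
    if start.scheme != "http":
        return True                           # requirement only covers HTTP URLs
    if len(chain) < 2:
        return False                          # HTTP served without any redirect
    hop = urlsplit(chain[1])
    return hop.scheme == "https" and hop.netloc.lower() == start.netloc.lower()

if __name__ == "__main__":
    for ruleset in (single_rule, split_rules):
        for url in ("http://www.example.com/", "http://example.com/",
                    "https://www.example.com/"):
            chain = redirect_chain(url, ruleset)
            print(ruleset.__name__, first_hop_ok(chain), " -> ".join(chain))
```

With the combined rule, only http://www.example.com fails the first-hop check, which matches the error reported in the question; the split rules pass for every start URL.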
