Best Practice: 301 Redirect HTTP to HTTPS (Standard Domain)
I was looking for the perfect 301 redirect. But I find so many solutions and don't know which is better.
This is what I want to do
- http: //domain.tld/ → https: //domain.tld/ li>
- http: //www.domain.tld/ → https: //domain.tld/ li>
- https: //www.domain.tld/ → https: //domain.tld/ li>
Best practice for .htacess?
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
</IfModule>
This is my preferred code. At least for now, unil.
Alternative ways
I also found many other ways to redirect from HTTP
to HTTPS
. For example:
1.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
One step missing? And not [R=301,L]
here?
2.
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Should I use
RewriteRule ^(.*)$
instead
RewriteRule (.*)
?
3.
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} example\.com$ [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L,NE]
Does using a fully qualified domain name have any performance benefits? Do I really need NE
? ( [R=301,L,NE]
vs. [L,R=301]
)
So my question to all the experts is, what's the best (performing) way to redirect both HTTP
to HTTPS
and
to HTTPS://
?
source to share
To start with your favorite solution:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
</IfModule>
When handling non-https URLs, you are redirected to %{HTTP_HOST}
. Then, if your hostname started with "www", a second redirect is required to take you from https: //www.domain.tld to https: //domain.tld , which should be your final destination.
You can shorten this by using
RewriteRule ^(.*)$ https://domain.tld/%{REQUEST_URI} [L,R=301]
directly in the first rule. The second rule will only apply to clients that are trying to access https://www.domain.tld
.
Alternative 1. does not work for the same reason (there is no case when it HTTP_HOST
can be www.domain.tld
) and additionally because of the absence [L,R=301]
. This is necessary because you are not just rewriting the URL here as you might be doing in other types of rewrite rules. You are asking the client to change the request type - that is why you are sending him the HTTP code 301
.
As for the match part itself RewriteRule
, you have to be consistent: if you want to capture parts of a URI, you will use a regular expression with parentheses. Since you are actually using it in general here, it is good to just use one of the "nothing" alternatives, for example ^
and use it %{REQUEST_URI}
later. If you are using some kind of capture (i.e. (some_regex)
, you should reference it in the target using $1
(or whatever you intend to reference) here.
Your third alternative is missing www + https again.
You can check if https is disabled or if the domain name contains the leading "www" in the same rule, however the rewrite conditions are implicitly linked to "and".
Therefore, he should read:
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule ^ https://domain.tld%{REQUEST_URI} [R=301,L,NE]
NE is needed to pass on things like GET parameters, etc., to the new URI unchanged, see:
source to share