Enforce HTTPS with htaccess and make your website secure

In a time when online security is more important than ever, you as a website owner can no longer afford to lag behind. HTTPS is no longer a luxury — it is a must. And did you know that you can force your website to always load via HTTPS in just a few minutes? That's where the .htaccess file comes in.

In this article, we will explain step by step what a .htaccess file is, how you can use it to automatically send visitors to the secure HTTPS version of your website, and why that is so important. We will use zichtbareurl.nl as an example, so that you can easily follow the explanation.

Why force HTTPS?

You may already have an SSL certificate installed, and you can see that your website is accessible via both http://[yourdomain] and https://[yourdomain]. But… that’s a problem.

If visitors use the old http version, they miss the encryption. And worse: Google can see your website as two separate versions. That means risk of:

• Unsafe connections
• Loss of SEO value due to duplicate content
• Untrustworthy or ‘not secure’ messages in browsers

That’s why you need to force all traffic to be automatically redirected to HTTPS. You do this via the .htaccess file.

What is a .htaccess file?

A .htaccess file is a hidden configuration file on your web server (often Apache). You use it to control all kinds of settings for your website, such as:

• Redirects
• Caching
• Security
• HTTPS forcing

It is usually located in the root folder of your website (for example /public_html/ or /www/).

Forcing HTTPS with .htaccess

Here is the most common and safe way to force HTTPS:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://www.[yourdomain]/$1 [R=301,L]

Explanation:

• RewriteEngine On: activates the rewrite module
• RewriteCond %{HTTPS} !=on: checks if the connection is not secure
• RewriteRule: redirects the visitor to the secure HTTPS version

With or without www?

Would you rather not have www? Then use this version:

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\.[yourdomainname]\.nl$ [NC]
RewriteRule ^(.*)$ https://[yourdomainname]/$1 [L,R=301]

Common mistakes

• Using 302 instead of 301: 301 is permanent, 302 is not — so always use 301.
• Wrong location: Make sure the .htaccess file is in the root folder.
• Redirect loops: Multiple conflicting rules can cause an infinite loop.

Testing if it works

After editing your .htaccess file:

1. Type http://[yourdomain] into your browser.
2. You should automatically end up at https://www.[yourdomain].
3. Check the lock in the address bar.
4. Use tools like Why No Padlock to test.

Google loves HTTPS

Google sees HTTPS as a ranking factor. In addition, Chrome gives clear warnings if a website is not secure. Do you want to appear trustworthy and score better? Then HTTPS is essential.

Summary

Forcing HTTPS = gaining trust = scoring higher. With a little effort, you can give your visitors and Google a safe feeling. Make sure you have SSL installed, adjust your .htaccess, and test your site thoroughly.

Final tip

Always make a backup of your original .htaccess file before making any changes.

Did I help you well?

Your contribution enables me to write more articles.

I donate € 1,- now