Always redirect to https and www

robiso edited this page Apr 11, 2018 · 24 revisions

IMPORTANT: Always create a backup prior to editing anything.

Apache

Always redirect to https://www.

Copy and paste the code below into your .htaccess file

  • Paste it under the RewriteEngine on line:

RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Your .htaccess file should look like this

Options -Indexes
ServerSignature Off
RewriteEngine on

RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA,L]
RewriteRule database.js - [F]

Your website should now always redirect to https://www.example.com.

Recommended: even more security!

In addition to the above, paste this at the bottom of your .htaccess file

Header always edit Set-Cookie (.*) "$1; HTTPOnly"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options: nosniff
Header always append X-Frame-Options SAMEORIGIN
Header set Referrer-Policy: strict-origin-when-cross-origin

THE (final) ULTIMATE htaccess settings

IMPORTANT: Please contact your host and make sure your website supports https, or the .htaccess below MAY BREAK YOUR WEBSITE. Always back up!

  • Works best if WonderCMS is installed at the root of your website (not in a subfolder).
  • The .htaccess file with ALL of the above changes included should look like:

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Options -Indexes
ServerSignature Off
RewriteEngine on

RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA,L]
RewriteRule database.js - [F]

Header always edit Set-Cookie (.*) "$1; HTTPOnly"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options: nosniff
Header always append X-Frame-Options SAMEORIGIN
Header set Referrer-Policy: strict-origin-when-cross-origin

Explanation of what the above .htaccess does

  • turns off directory listing // included in WonderCMS by default
  • turns off server signature // included by default
  • denies access to database.js // included by default
  • creates clean URLs (example.com/?page=home TO example.com/home) // included by default
  • always redirects your website to https:// and www
  • sets a stricter cookie policy
  • adds XSS protection (server side) for when the user has it turned off by default
  • prevents MIME type sniffing
  • allows iframes only from the same origin
  • sets a stricter referrer policy

Save the .htaccess file and your website is good to go!

Note 1: Make sure you have a valid certificate to avoid any errors. You can check this with your hosting provider to really make sure you can use HTTPS correctly.
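
To confirm the settings took effect after saving, you can audit the response headers of a request to the plain http:// address, for example the output of curl -sIL. The script below is an added example, not part of the WonderCMS wiki or code base; the function names, the hostname and the cookie in the sample capture are constructed for illustration.

```python
# Added example, not WonderCMS code: audit a header capture against the .htaccess above.
CHECKS = {  # header name -> predicate on the value that .htaccess sets
    "strict-transport-security": lambda v: "max-age=31536000" in v,
    "x-xss-protection": lambda v: v == "1; mode=block",
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-frame-options": lambda v: "sameorigin" in v.lower(),
    "referrer-policy": lambda v: v == "strict-origin-when-cross-origin",
}

def parse_responses(raw):
    """Split `curl -sIL`-style text into [(status, [(name, value), ...]), ...]."""
    out = []
    for block in raw.replace("\r\n", "\n").strip().split("\n\n"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        status = int(lines[0].split()[1])
        pairs = (ln.split(":", 1) for ln in lines[1:] if ":" in ln)
        out.append((status, [(n.strip().lower(), v.strip()) for n, v in pairs]))
    return out

def audit(raw):
    """Return a list of findings; an empty list means the capture matches."""
    findings = []
    *hops, (_, headers) = parse_responses(raw)
    for code, hop_headers in hops:  # every redirect must be a 301 to https://www.
        location = dict(hop_headers).get("location", "")
        if code != 301 or not location.startswith("https://www."):
            findings.append(f"redirect {code} -> {location or '(no Location)'}")
    for name, ok in CHECKS.items():
        values = [v for n, v in headers if n == name]
        if not values or not all(ok(v) for v in values):
            findings.append(f"missing or unexpected {name}: {values}")
    for n, v in headers:  # Set-Cookie may repeat, so check each cookie
        if n == "set-cookie" and "httponly" not in v.lower():
            findings.append(f"cookie without HttpOnly: {v.split('=')[0]}")
    return findings

# Constructed capture for http://example.com/ (hostname and cookie are sample values).
GOOD = """HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/

HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Set-Cookie: PHPSESSID=abc123; path=/; HTTPOnly
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
"""

print(audit(GOOD) or "all checks passed")
```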

NGINX

Check the official nginx website for instructions on enabling https.
