-
-
Notifications
You must be signed in to change notification settings - Fork 166
Always redirect to https and www
IMPORTANT: Always create a backup prior to editing anything. - You can find the ULTIMATE .htaccess configuration at the end of this page.
Copy and paste the code below into your .htaccess file
- Paste it under the RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
The .htaccess below redirects your website to https://www, and your .htaccess file should look like this
Options -Indexes
ServerSignature Off
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA,L]
RewriteRule database.js - [F]
Your website should now always redirect to https://www.example.com
In addition to the above, paste this at the bottom of your .htaccess file
Header always edit Set-Cookie (.*) "$1; HTTPOnly"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options: nosniff
Header always append X-Frame-Options SAMEORIGIN
Header set Referrer-Policy: strict-origin-when-cross-origin
Your .htaccess file with ALL of the above changes included should look like:
Options -Indexes
ServerSignature Off
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA,L]
RewriteRule database.js - [F]
Header always edit Set-Cookie (.*) "$1; HTTPOnly"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options: nosniff
Header always append X-Frame-Options SAMEORIGIN
Header set Referrer-Policy: strict-origin-when-cross-origin
Explanation of what the above htaccess does
- turns off directory listing // included in WonderCMS by default
- turns off server signature // included by default
- denies access to database.js // included by default
- creates clean URLs (example.com/?page=home TO example.com/home) // included by default
- always redirect to https:// and www on your website
- a stricter cookie policy,
- additional XSS protection for when the user has it turned off by default (server side),
- MIME type sniffing prevention,
- iframes to be allowed only from the same origin and a
- stricter referrer policy
Save the .htaccess file and your website is good to go!
Note 1: Make sure you have a valid certificate to avoid any errors. You can check this with your hosting provider to really make sure you can use HTTPS correctly.
Note 2: At some point in the future (beginning of 2019), htaccess will be overwritten with the ultimate configuration listed above.
Still need help?
- Ask a question or make a request in the community.
- Official website
Intro
- Home
- Demo
- Download
- One step install
- Requirements
- 5 file structure
- List of hooks
- Included libraries
- Create theme in 8 easy steps
- Create a plugin
- Custom modules
- Translations
- All security features described
Basic how to's
- Backup all files
- Change default login URL
- Change default password
- Create custom page template
- Create new editable areas or editable blocks
- Edit 404 page
- Get data from database
- Set data to database
- Hide page from menu
- Caddy web server config
- IIS server config
- NGINX server config
- Login
- Recover login URL
- Reset password
- Restore backup
- Update
- PHP built in server
Themes
- Create theme in 8 easy steps
- Add favicon
- Theme tags
- Update theme to work with WonderCMS 2.0.0
- Update theme to work with WonderCMS 3.0.0
- Share your themes with Custom modules
Plugins
- Quick intro on creating plugins and List of hooks
- Share your plugin with simply with Custom modules
Security
- All security features described
- Add SRI tags to your theme libraries
- Always redirect to https and www
- Additional security configuration(s)
- Add SRI tags to your theme libraries
- Better security mode (HTTPS and other features)
Features description
- One click update
- Optional: functions.php file
- Default database.js
- Allowed extensions file types for uploads
- Login URL doesn't work - 404
- 500 internal server error
- Persistent "New WonderCMS update available" message
- URLs mailformed on Windows IIS
- Other errors