Always redirect to https and www

robiso edited this page Feb 28, 2018 · 24 revisions

IMPORTANT: Always create a backup before editing anything. You can find the ULTIMATE .htaccess configuration at the end of this page.

Copy and paste the code below into your .htaccess file:

  • Paste it under the RewriteEngine on line.

RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

The .htaccess below redirects your website to https://www. After the change, your .htaccess file should look like this:

Options -Indexes
ServerSignature Off
RewriteEngine on

RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA,L]
RewriteRule database.js - [F]

Your website should now always redirect to https://www.example.com

Recommended: even more security!

In addition to the above, paste this at the bottom of your .htaccess file:

Header always edit Set-Cookie (.*) "$1; HTTPOnly"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options: nosniff
Header always append X-Frame-Options SAMEORIGIN
Header set Referrer-Policy: strict-origin-when-cross-origin

THE (final) ULTIMATE htaccess settings

Your .htaccess file with ALL of the above changes included should look like:

# Turn off directory listing and the server signature
Options -Indexes
ServerSignature Off
RewriteEngine on

# Redirect any host that does not start with www to https://www
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Redirect plain HTTP to HTTPS, unless a proxy in front already reports https
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Clean URLs: pass anything that is not an existing file or directory to index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA,L]
# Deny access to database.js
RewriteRule database.js - [F]

# Cookie flag and security headers
Header always edit Set-Cookie (.*) "$1; HTTPOnly"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options: nosniff
Header always append X-Frame-Options SAMEORIGIN
Header set Referrer-Policy: strict-origin-when-cross-origin

Explanation of what the above htaccess does

  • turns off directory listing // included in WonderCMS by default
  • turns off server signature // included by default
  • denies access to database.js // included by default
  • creates clean URLs (example.com/?page=home TO example.com/home) // included by default
  • always redirects your website to https:// and www
  • sets a stricter cookie policy
  • adds XSS protection (server side) for when the user has it turned off by default
  • prevents MIME type sniffing
  • allows iframes only from the same origin
  • sets a stricter referrer policy

Save the .htaccess file and your website is good to go!
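
To confirm that the saved rules and headers are actually in effect, the response headers can be checked from a shell. The script below is an added example, not part of WonderCMS: the function names and www.example.com are placeholders, and the sample response is constructed.

```shell
#!/bin/sh
# Added example: audit a response-header dump against this page's .htaccess.
# Live use (www.example.com is a placeholder):
#   curl -sI https://www.example.com/ | check_headers
#   curl -sI http://example.com/      | check_redirect

# Reads headers on stdin; prints one FAIL line per problem, returns 1 if any.
check_headers() {
  dump=$(tr -d '\r')   # HTTP lines end in CRLF; drop the CR
  rc=0
  # header name | extended regex its value must start with (case-insensitive)
  for check in \
    'x-xss-protection|1; *mode=block' \
    'x-content-type-options|nosniff' \
    'x-frame-options|sameorigin' \
    'referrer-policy|strict-origin-when-cross-origin'
  do
    name=${check%%|*}; want=${check#*|}
    if ! printf '%s\n' "$dump" | grep -iqE "^${name}: *${want}"; then
      echo "FAIL: ${name} missing or not set as on this page"; rc=1
    fi
  done
  # Any Set-Cookie line without HttpOnly means the cookie edit did not apply
  if printf '%s\n' "$dump" | grep -i '^set-cookie:' | grep -iqv 'httponly'; then
    echo "FAIL: Set-Cookie without HttpOnly"; rc=1
  fi
  return $rc
}

# Succeeds only for a 301 whose Location starts with https://www.
check_redirect() {
  dump=$(tr -d '\r')
  printf '%s\n' "$dump" | grep -qE '^HTTP/[0-9.]+ 301' &&
    printf '%s\n' "$dump" | grep -iqE '^location: *https://www\.'
}

# Constructed sample response (not captured from a real server)
sample_response() {
  printf 'HTTP/1.1 200 OK\r\nSet-Cookie: sid=abc; path=/; HTTPOnly\r\n'
  printf 'X-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\n'
  printf 'X-Frame-Options: SAMEORIGIN\r\n'
  printf 'Referrer-Policy: strict-origin-when-cross-origin\r\n'
}

sample_response | check_headers && echo "sample response: all checks pass"
```

Run check_redirect against each entry point (http:// and https://, with and without www) to cover both redirect rules; run check_headers against the final https://www response.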

Note 1: Make sure you have a valid certificate to avoid any errors. You can check this with your hosting provider to really make sure you can use HTTPS correctly.

Note 2: At some point in the future (beginning of 2019), htaccess will be overwritten with the ultimate configuration listed above.