Skip to content

Instantly share code, notes, and snippets.

@CyberPunkCodes

CyberPunkCodes/.htaccess

Created August 28, 2018 18:23
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save CyberPunkCodes/10f264def78fed7f7a681cf85451ef4f to your computer and use it in GitHub Desktop.
Save CyberPunkCodes/10f264def78fed7f7a681cf85451ef4f to your computer and use it in GitHub Desktop.
Download ZIP
htaccess Force HTTPS and WWW - Subdomain friendly - Dynamic
Raw
.htaccess
Options -Indexes
RewriteEngine On
# This goes first!
# Force www prefix
RewriteCond %{HTTP_HOST} !^(www\.)(.*) [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]
# This goes second!
RewriteCond %{HTTPS} !=on
# Exclude SSL validation paths
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
# Force HTTPS
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
@CyberPunkCodes
Copy link
Author

CyberPunkCodes commented Aug 28, 2018
edited

htaccess Force HTTPS and WWW - Subdomain friendly - Dynamic

This htaccess file is intended to sit directly in your webroot. It's goal is to maintain a baseline of minimum expectations. Force https and www dynamically (not reliant on hard-coded domains) with only making 1 redirect, and not breaking sub-domains! A lot of code out there make 2 requests, break sub-domains, and/or use a hard-coded domain.

This can be placed inside the webroot of your sub-domains as well. In newer cPanel setups, the "Add-on Domains" are being placed above the public_html directory anyways, so it would be required there too.

Today, ALL domains should be https. There is no excuse for it anymore. Soon, Google will smack all of you who haven't made the switch. I even use it by default on my localhost for dev use. I created a script to really help with creating certs for your local domains, called CertMagic. Check out it's repo here. It is only compatible with the latest Mac OSX right now, but it may be a life saver for those who are.

You can use LetsEncrypt to get a free SSL Certificate. If your host doesn't support LetsEncrypt, or provide one to you free of charge, then change hosts. You only need to buy an SSL certificate if the data your handling has sensitive information, like Bank Information, Credit Card info, SSN, etc. Your basic websites don't really need all of that, even if you integrate with a 3rd party like PayPal/Stripe. Unless you handle the CC info on your site directly (your own checkout form, not theirs).

The Options -Indexes are optional, though it is recommended for production to prevent people from navigating to a folder and seeing all the contents.

There are 2 sections, and they are order dependent. The section from the comment # This goes first! all the way to before they second comment, # This goes second!. From the second comment, all the way to the end of this file.

The .well-known entries, are for allowing SSL validation. This is done via http, so we don't want it redirecting to https. It doesn't matter if it gets redirected to www.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment