Force a quick redirect to HTTPS on GitHub Pages for your domain (and only your domain)
<script>
var host = "YOURDOMAIN.github.io";
if ((host == window.location.host) && (window.location.protocol != "https:"))
    window.location.protocol = "https";
</script>

bloodyowl Apr 4, 2014

var host = "YOURDOMAIN.github.io"
if (window.location.host == host && window.location.protocol != "https:") {
  window.location.protocol = "https:"
}

might be simpler

konklone Apr 21, 2014

didn't know you could do that! I'll change it, thanks.

Cnly Oct 4, 2015

Would this be simpler?

<script>
if (window.location.host.indexOf('github.io') > -1 && window.location.protocol != "https:"){
    window.location.protocol = "https";
}
</script>

konklone Oct 4, 2015

@Cnly Nice, that does seem simpler. I'd want it to be locked to hosts ending with github.io though, not just where it appears in the host name (e.g. http://github.iomega.com to make up an example).

FirePanther Oct 13, 2015

<script>
if (window.location.host.substr(-10) == '.github.io' && window.location.protocol != 'https:') {
    window.location.protocol = 'https:';
}
</script>

le4ker Oct 20, 2015

I added a check for localhost, given that the common case is that when you hack your Jekyll site locally you don't have HTTPS set up.

  {% if site.force-https %}
    <script>
    // Don't force https when serving the website locally
    if (!(window.location.host.startsWith("127.0.0.1")) && (window.location.protocol != "https:"))
        window.location.protocol = "https";
    </script>
  {% endif %}

brbsix Nov 28, 2015

Just out of curiosity, but why are you checking that host == window.location.host? Is this because you don't want to force redirect to HTTPS if the visitor is at a custom domain that does not support HTTPS?

@panossakkos don't forget to include localhost:

<script>
if (!(window.location.host.startsWith("127.0.0.1") || window.location.host.startsWith("localhost")) && (window.location.protocol != "https:"))
    window.location.protocol = "https";
</script>

prahladyeri Dec 17, 2015

Since I do a lot of local testing before pushing commits to my site, I need to check that in the script:

<script>
// Don't force https when serving the website locally
if (!(window.location.host.startsWith("127.0.0.1")) && (window.location.protocol != "https:"))
    window.location.protocol = "https";
</script>

However, I still think what we all are doing is just another ugly hack. This feature needs to be built-into github pages.

mikeumus Jan 2, 2016

The most efficient way I've found to do this in the present is with CloudFlare's Page Rules:

CloudFlare always HTTPS page rules

See this tutorial on how to set this up on GitHub Pages:

but also agreeing with @prahladyeri and others that this should be configurable in GitHub Pages itself 👍.

hakatashi Jun 9, 2016

GitHub Pages now supports enforcement of HTTPS via config.

erm3nda Jun 13, 2016

Because my GitHub page shows SSL warnings, I've reversed the example and added this piece of code to every .html and .md file to show it with http:

<script>
    if (window.location.host.indexOf('github.io') > -1 && window.location.protocol == "https:"){
        window.location.protocol = "http";
    }
</script>

Those files are fully public, there's no real reason to pass them with SSL to the user.
Maybe I'll add Ajax in the future, but it's good enough for now. Still don't know if there's something to try with YAML config for this.

sanik90 Nov 25, 2016

@hakatashi thanks, saves me the hassle

JCarlosR Dec 7, 2016

@mikeumus Is "Always uses https" equivalent to the 301 redirects?
Here is a tutorial about that: https://rck.ms/jekyll-github-pages-custom-domain-gandi-https-ssl-cloudflare/

yowainwright Jan 13, 2017

@mikeumus worked AWESOMELY!!! ~THANK YOU!!!

englishextra Jun 18, 2017

You must check for http and NOT for https

bad:

window.location.protocol != "https:"

safe:

window.location.protocol === "http:"

Why? Because in webapps wrapped in Electron and NWjs there's no http - it's file: and chrome-extension:

So:

/*global window */
/*jslint browser: true */
(function (root) {
	"use strict";
	var h = root ? root.location.hostname : "",
	p = root ? root.location.protocol : "";
	// Redirect only plain HTTP, and skip local development hosts.
	// Dots are escaped so that "." matches a literal dot only.
	if ("http:" === p && !(/^(localhost|127\.0\.0\.1)/).test(h)) {
		root.location.protocol = "https:";
	}
}("undefined" !== typeof window ? window : this));

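The host-matching and protocol points raised in the comments above (substring vs. suffix match, `!= "https:"` vs. `=== "http:"`, local preview hosts), put side by side as an added example that is not code from the gist or its commenters, apart from the two one-line checks reproduced from the thread. The names `strictCheck`, `compare`, `overreach` and `SAMPLES` are assumptions of this sketch, and every URL in `SAMPLES` is constructed.

```javascript
// Added example, not code from the gist; all URLs in SAMPLES are constructed.
const SUFFIX = ".github.io"; // leading dot: the label boundary is part of the match

// Two checks as posted in the thread, taking a Location-like object.
const substringCheck = (loc) =>
  loc.host.indexOf("github.io") > -1 && loc.protocol != "https:";
const notLoopbackCheck = (loc) =>
  !loc.host.startsWith("127.0.0.1") && loc.protocol != "https:";

// Combined policy: exactly http:, and hostname (port excluded) ends in SUFFIX.
function strictCheck(loc) {
  return loc.protocol === "http:" &&
    loc.hostname.toLowerCase().endsWith(SUFFIX);
}

const SAMPLES = [
  "http://example.github.io/",         // intended target
  "https://example.github.io/",        // already secure
  "http://github.iomega.com/",         // konklone's made-up host
  "http://notgithub.io/",              // ends in "github.io" without the dot
  "http://localhost:4000/",            // local Jekyll preview
  "file:///home/user/site/index.html", // Electron/NW.js style load
];

// For each sample, report which checks would trigger a redirect.
function compare(samples) {
  return samples.map((s) => {
    const loc = new URL(s);
    return {
      url: s,
      substring: substringCheck(loc),
      notLoopback: notLoopbackCheck(loc),
      strict: strictCheck(loc),
    };
  });
}

// URLs where a thread variant would redirect but the strict policy would not.
function overreach(samples) {
  return compare(samples)
    .filter((r) => (r.substring || r.notLoopback) && !r.strict)
    .map((r) => r.url);
}

// Browser use: redirect only when the strict policy says so.
if (typeof window !== "undefined" && strictCheck(window.location)) {
  window.location.protocol = "https:";
}
```

Run under Node, `overreach(SAMPLES)` lists the four sample URLs that one of the looser checks would redirect and the strict policy leaves alone.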