All those http links - they load http pages!

I’ve just discovered that the web site does not default to https.
Can this be set?

Loading from a search engine link, loads http.
Plus I have all the links that I have created in youtube.

Must every link be modified, and a new site-map created and indexed?

If so, I’ll add a warning to my Guide

However, if there is a way to configure my site to always display in https, this would be a superior solution (and this advice could also be added).

You can make every HTTP resource return an HTTP 301 redirect to the corresponding HTTPS resource. Browsers will follow these redirects and immediately load the secure site.

(Certbot offers to set up this kind of HTTP redirect for users when used with --apache or --nginx.)

In addition, if you’re confident of your ability to keep your site in HTTPS with a valid certificate permanently, you can set an HSTS header

to tell individual visitors’ browsers to only use HTTPS when communicating with your site.

The way of doing each of these things is entirely specific to your hosting environment. There’s no generic way to do this that works for all web sites. For example, it might involve editing your web server configuration files or selecting an option in a control panel or a web application configuration interface.

Edit: Apart from HSTS, browsers do use whatever protocol is specified in a link’s URL, so if you create links to your site, it does matter for the browser’s behavior whether they’re HTTP or HTTPS links. However, if your site returns a redirect from the HTTP resource to the HTTPS resource, users won’t necessarily notice this because the version of the page that actually loads at the end will be the HTTPS version. Despite that, it’s still good practice to use only HTTPS links because of the SSL Stripping attack.

1 Like

Thanks schoen.
It’s very interesting, and worrying at the same time.

I read through the wiki page, and noted the HSTS limitations.

I’m going to research how to implement it, as it seems better to have it than not.
Once I have setup autoSSL-renew, that should be fine.
I didn’t note any downside as yet, from what I’ve read.

I was thinking about .htacess in my public_html directory.

redirect permenant index.html https://example.com
redirect permenant en/intro.html https://example.com/en/intro.html

Have I written that code correctly?
I could list every html page on the site.

Or perhaps there is a better way than using .htacess.

Regarding setting HSTS in cPanel - there is no option.
I’m on a godaddy hosted site, using Apache.

If you can post the line of code and tell me which directory to place it, then I will try it out.

Maybe also adding redirects for each page will provide belt and braces :grinning:

I’m thinking of enabling ‘no indexing’ - default setting displays directory contents when no index.html is present.
Are there any downsides to ‘no indexing’?

I believe you can get blanket coverage for every page using

redirect permanent / https://www.example.com/

Certbot uses a different method involving mod_rewrite, which is more computationally intensive; I don't remember why at the moment.

Ha!
I tested:
redirect permenant /index.html https://example.com/index.html
(it needed forward slash before index I think)

Google Chrome displayed an error page, stating that my site had made too many redirects!

This needs to be limited to the VirtualHost that listens on port 80, not the one that listens on port 443.

Oh!

I don’t know how to set that up.
I’ll quickly try your suggested code in .htacess
I’ll know in a minute what is the result.

Same problem:
page isn’t working
ERR_TOO_MANY_REDIRECTS

The page only made one redirect.
Bizarre!

Okay; I think that I’ve sussed the problem, and the solution.

I am trialling a php logger.
So I can use it to re-direct the pages to https.
That will do it, I’m sure :slight_smile:

The .htaccess applies to all requests, so requests to https://www.example.com/ are getting redirected to https://www.example.com/. The browser will follow that redirection repeatedly until reaching its redirection limit.

so whats the problem?

It redirects to the https page.
Why should it keep redirecting?

I think that the best solution will be to rewrite every page link to be a full https url.

What application are you running ? many ( like wordpress ) have a default set in their config - which you need to change to https ( otherwise it could be redirecting to http … hence you have a loop )

Standard html web site.

I don’t understand 'the loop’
the .htacess instruction was to simply direct an off site linked visitor to the https page.

Why did this loop?

without your domain name and checking, it’s tricky to be certain. I suspect you have direct links ( or redirects) to http rather than https

try this
fuelmapper.com

instead of defaulting to https it defaults to http

I don’t see a redirect - https work OK - just all your links, within pages are generally to http so following a link takes you to a http page.

Yes, I can fix those.
But the first question was the entry page

When I added the .htacess redirect code (above) I got the too many redirects error.

I don’t understand what the problem was.

I can mod the .htacess file again, and you can try it.
give me a few seconds

It would depend what else is in your .htaccess.

Possibly use

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://fuelmapper.com/$1 [R,L]

If that doesnt work, let me know whats in your htaccess

2 Likes