HTTP to HTTPS Redirect

Hi Everyone,

I ran a security check out of curiosity for my website, worldreviewgroup.com, after discovering a site called sucuri.net. I’m not sure how much attention I should pay to this, but here goes. :dizzy_face:

It spit a couple of warnings back at me, saying that my site is at a medium level of security risk.
I’m uploading a screenshot of the recommendation on redirecting http:// to https:// below.

I’m assuming this may have already been discussed here, but how do I go about making a redirect to https:// ?

Thanks in advance.

-ty :smashy:

Hi,
By using an SSL certificate.

There are two primary reasons you should consider securing your website with an SSL certificate.

  1. Security – to ensure sensitive data is encrypted from the user’s browser to the web server or network edge. Having SSL also gives some trust to the visitor that your website is secure.
  2. SEO – HTTPS is a new ranking signal, and the big boss is watching you, so don’t be behind in the race.
     If you want further guidance, visit: https://geekflare.com/http-to-https-redirection/

Given that you already have an SSL certificate, you should ensure it is used by redirecting to that version. You should also decide whether or not you want to use the www. version of the domain and redirect to the preferred version, to avoid search engines regarding the two variants as different pages.

So would you like to redirect to https://worldreviewgroup.com/ or https://www.worldreviewgroup.com/?

1 Like

This can be resolved by purchasing an SSL certificate from your web hosting company. Having SSL prevents man-in-the-middle attacks, making your website secure and trustworthy to the users. Also, HTTPS is one of Google’s ranking factors. It will help you rank better on search results pages.

It has already been made clear the OP has an SSL certificate. Please ensure you read ALL the posts before posting in future.

1 Like

Hi again, @TechnoBear ! :wave:

Without any knowledge of SSL or if there is any difference whatsoever by foregoing the www., I would like it to redirect to https://www.worldreviewgroup.com. I have been uncovering two possible ways of doing this: editing the .htaccess file on the server or using a server-side PHP script.

…and I have no understanding of whether said https:// redirect even provides any benefits. :confused:
…but this security checkup listed this redirect as a recommendation. Its effect may be very trivial for this particular website as I do not sell any products directly or collect vitally sensitive information from visitors.

Off-topic remark: I have read previously that SSL can be compromised. That’s probably not even worth any discussion in this thread, however.

I use this .htaccess method:

RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.domain\.org$
RewriteRule .? http://www.domain.org%{REQUEST_URI} [R=301,L]
RewriteCond %{SERVER_PORT} ^80$
RewriteRule .? https://www.domain.org%{REQUEST_URI} [R,L]

(Credit to @gandalf458 in this post: https://www.sitepoint.com/community/t/ssl-www-htaccess/305286/2.)

Using https provides added security, and Google encourages sites to use it. https://support.google.com/webmasters/answer/6073543?hl=en

As you already have the SSL certificate installed, why wouldn’t you want to ensure it’s used?

1 Like

Close, but not quite there yet

Why redirect to http at all? Why not to https directly?

That should be R=301 as well, to indicate to search engines it has permanently moved, not just temporarily (which is the default).

For even more security, you should add HTTP Strict Transport Security headers. See https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html

2 Likes

Great post, @rpkamp, but now I’m suffering from novice confusion. :blush:

I have no clue how to amend what @TechnoBear posted in order to make the change to https directly. Although, it does seem simple enough to only use R=301.

secondary security measure – HTTP Strict Transport
Then, I visited your website that you linked and carefully read it. After browsing all the files available to me on my web server, there was not a file folder named apache2 in the etc\ folder anywhere, and there certainly was not a website.conf file (that I have found thus far). With regard to the NGINX implementation (which I believe my web host does use as a server platform), again, I don’t know where the server block for https configuration is located. It would seem that I lack the prerequisite knowledge to come to a level of comprehension of your contribution and the location of the files in order to add in this HTTPS Strict Transport measure. The only relevant file location I know so far is .htaccess.

In brainstorming, I came up with this Apache directive code (first time ever delving into this type of server config stuff):

.htaccess:

# Use PHP5.4 as default
AddHandler application/x-httpd-ea-php70 .php

RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule .? https://www.worldreviewgroup.com%{REQUEST_URI} [R=301,L]

Will this suffice? :pray:
It seems to load https://www.worldreviewgroup.com ! I think I did it! :weight_lifting_man:
…but now it has broken my other domain, firstratefreight.net. Pooey :poop: Everything gets redirected back to the worldreviewgroup.com page.

If you would elaborate on this HTTP Strict Transport and where I might find the necessary files as listed in your website, I might be able to figure that out, too.

Well, I did get the HTTPS redirect to work on both domains with the code above, so that’s good.

…but you’ve piqued my interest in the HTTP Strict Transport Security, and I have found no such location of the Apache config files in the tutorial you linked - the one that handles the Virtual Host.

I’ve checked almost every subdirectory on the web server.
Here’s what the main level looks like:

Where do you suppose the appropriate file is?

From memory because I am using a tablet at the moment…

Try looking in the following directory.

/etc/Apache2/

Please also note that the latest Apache2 versions changed the file names and may not have a httpd file.

Edit:
I just noticed that “Here’s what the main level looks like:” is not the main/root Linux directory but a sub-directory set by your hosting provider. The directory I specified may not contain the relevant files.

1 Like

Your edit is accurate, John.

The etc folder does not have an Apache2 subdirectory.

Perhaps, I should just contact the web host, and they might be able to tell me?
I’ve found no httpd files whatsoever.

Linux has a search facility that, if it has not been disabled, will show the path, etc.

locate httpd

No results for httpd.

I did find webalizer.conf, but after analyzing it, I don’t think it is the desired file for HSTS.
I will contact the web host tomorrow for more information.

1 Like

Or invest in a VPS for about $5.00 USD per month - price of a large cappuccino? :slight_smile:

Contracts can usually be cancelled anytime before the first month is complete.

Free domains are available to test your new setup without having to compromise your existing online web pages.

If interested in HSTS, I would look at the site https://hstspreload.org. This site allows you to submit a domain to be preloaded into browsers for https only requests. Entering the domain will tell you what needs to be done to meet the requirements.

This can be done in the .htaccess file, assuming the server has mod_headers enabled.
HSTS preload requires that the redirects to https occur directly for the same domain. For example, from http://worldreviewgroup.com/ to https://worldreviewgroup.com/, and from http://www… to https://www…

One warning is don’t add the preload attribute until you are completely sure this works for your site. Once this is added, anyone can submit the request to have the domain added to the list that browsers use and all requests from these browsers will then use https only for this domain.

As for the settings, I unfortunately don’t have an example handy that I used before. But a search for “hsts .htaccess” came up with the following example, which looks good.

<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"
</IfModule>

1 Like

Amazing contribution, @skycar87 ! Wow!

Sorry for my tardy response. I had some things come up that required my urgent attention.

Okay, so, here is what my .htaccess file looks like currently:

# Use PHP5.4 as default
AddHandler application/x-httpd-ea-php70 .php

RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule .? https://worldreviewgroup.com%{REQUEST_URI} [R=301,L]

<IfModule mod_headers.c> 
Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload" 
</IfModule>

That HSTS preload site spat back an error at me to remove the www in the redirect.
The current error this site reports back to me has to do with the max-age of my site.
I’m thoroughly unprepared to say if this means HSTS is incompatible with my site, but here is what it says:


This website is about 5 years old.
What header is max-age? …and what is the header? The <head> tag of the HTML markup?
I’m simply lost at sea on this issue; whereas, I’m beginning to be self-sufficient in HTML / CSS. :rofl:

-ty :smashy:

Dumb response by me… :stuck_out_tongue:
I changed your <IfModule> max-age to the figure desired by the preload site, and it returned successfully without any errors.
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

It says worldreviewgroup.com is eligible for HSTS preload but is asking me to confirm that I’m the owner of the site in order to be added to the preload list. I’m assuming now is a good time to move forward.

Although, I would like to garner more knowledge as to what I’m doing. I will re-read @rpkamp’s page on the types of attacks this preload will counter. Right now, I’m going on that this makes the site more secure, and the preload site evaluated it from red (bad :x: ) to green (good :white_check_mark: ). The HSTS preload site says that, despite the includeSubDomains bit in the htaccess code, this eliminates any subdomains without a valid SSL certificate (…but I don’t have any subdomains and will not likely have any for this site).

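A small checker, added here as an example (it is not code from the thread, from the OP's host, or from hstspreload.org), that applies the rules discussed in the posts above: the first hop from http:// must be a permanent redirect straight to https:// on the same host, and the Strict-Transport-Security value needs a max-age of at least one year plus includeSubDomains and preload. The sample headers and redirect hops are constructed from the values posted in this thread.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # hstspreload.org requires a max-age of at least one year

def parse_hsts(header: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    out: Dict[str, str] = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name.lower()] = value.strip().strip('"')
    return out

def hsts_preload_problems(header: str) -> List[str]:
    """Reasons a header value would be rejected for preload (empty list = fine)."""
    d, problems = parse_hsts(header), []
    if not d.get("max-age", "").isdigit():
        problems.append("max-age missing or not a number")
    elif int(d["max-age"]) < ONE_YEAR:
        problems.append(f"max-age={d['max-age']} is below one year ({ONE_YEAR})")
    for directive in ("includesubdomains", "preload"):
        if directive not in d:
            problems.append(f"{directive} directive missing")
    return problems

Hop = Tuple[str, int, str]  # one hop: (URL requested, status code, Location header)

def redirect_problems(chain: List[Hop]) -> List[str]:
    """Check only the first hop of a plain-http request: it must be a permanent
    redirect straight to https:// on the same host (no http->www hop first)."""
    url, status, location = chain[0]
    src, dst = urlsplit(url), urlsplit(location)
    problems = []
    if status not in (301, 308):
        problems.append(f"first redirect is {status}, not permanent (301/308)")
    if dst.scheme != "https":
        problems.append(f"first redirect goes to {dst.scheme}://, not https://")
    if dst.hostname != src.hostname:
        problems.append(f"first redirect changes host {src.hostname} -> {dst.hostname}")
    return problems

# Constructed samples mirroring the thread: the header the preload site rejected,
# the one it accepted, and the first .htaccess that added www in the same hop.
REJECTED_HEADER = "max-age=10886400; includeSubDomains; preload"
ACCEPTED_HEADER = "max-age=31536000; includeSubDomains; preload"
WWW_FIRST = [("http://worldreviewgroup.com/", 301, "https://www.worldreviewgroup.com/")]
SAME_HOST_FIRST = [("http://worldreviewgroup.com/", 301, "https://worldreviewgroup.com/"),
                   ("https://worldreviewgroup.com/", 301, "https://www.worldreviewgroup.com/")]
```

The www hop is still fine as a second redirect, once the same-host https hop has happened first.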

www. is a subdomain.

With regard to HSTS, I tested about five of the top internet companies and noticed very few conformed to the standard.

1 Like