SSL redirection (forced) by the web server

ss88us

Afternoon,

One of the WordPress websites I have has Let's Encrypt enabled however, it's possible to browse this website via insecure HTTP too. I would like to suggest that there be a toggle under Security that when enabled redirects any insecure requests to secure requests at a server level.

Doing it at a server level is best practice for SEO.

I've not tested with the sub domain www but I imagine it might be able nice to have the option to pick wether you want to redirect www -> without www.

Please let me know if you need clarification on wording. I'll find a control panel example.

Adrien

I vote for this too. Here's is the Screenshot of how RC does it:

https://postimg.cc/pmW2Mq8v

ss88us

Adrien I've actually found it!

It's under Security -> SSL certificates -> Let's Encrypt (certificate) -> Edit -> Domain -> Force HTTPS

Personally, I think it should be under Security. My two-cents.

The www -> without www would be a nice addition though.

Adrien

[unknown] Ah well done thank you!

necrom

I think such functionality would need to vary depending on which web server you're running and then personally in the case of Apache I would like to see it work using mod_rewrite in a .htaccess/user-space rather than in the apache virtualhost/server-space. This is to avoid the common scenario where a customer and their developer has .htaccess implemented mods which are conflicting with control panel settings.

ss88us

necrom .htaccess is a good place too it's still 'technically' the web server level as it's read before it loads PHP, so rewrite rules here would work correctly.

Adam

At the moment this is done at a virtualhost level. This is to avoid the need to manipulate the website's .htaccess file. If the customer has a redirect (in their .htaccess or PHP code) which is the opposite of the "force https" redirect then this would indeed cause a loop but it should be simple enough to diagnose.