Redirecting HTTP to HTTPS Using .htaccess File

Chrome and Firefox have started showing insecure warnings to the visitors on websites without SSL certificates. Therefore, using an SSL-encrypted connection for safety, accessibility or PCI compliance reasons is necessary. For SSL-encryption, buy SSL certificates and install them to your websites.

But, installing SSL certificates will not show secure, you should also redirect all your HTTP traffic to HTTPS. In order to force your web traffic to use HTTPS, edit the codes in the .htaccess file. Before we move onto redirecting HTTP to HTTPS, here’s how you can edit .htaccess file. If you already know skip to Redirection steps.

Editing .htaccess File

There are instructions/directives in the .htaccess file that tell the server how to act in certain scenarios and directly affects how your website functions. Common directives in .htaccess file:

  • Redirects
  • Rewriting URLs

Ways to edit an .htaccess file:

  1. Edit the file on your computer and upload it to the server using FTP.
  2. Use “Edit” mode in FTP program that allows you to edit a file remotely.
  3. Use a text editor and SSH to edit the file.
  4. Use the File Manager in cPanel to edit the file.

Editing .htaccess in cPanel File Manager

Note: Backup your website in case something goes wrong.

  1. Login to cPanel
  2. Files > File Manager > Document Root for:
  3. Now select the domain name you want to access
  4. Check “Show Hidden Files (dotfiles)”
  5. Click “Go”
  6. After a new tab or window opens, look for the .htaccess file.
  7. Right click on the .htaccess file and click on “Code Edit” on the menu.
  8. A dialogue box may pop up asking about encoding. Click “Edit” button to continue.
  9. Edit the file
  10. “Save Changes” when done.
  11. Test your website to make sure it is done correctly. In case, there is an error, restore to the previous version and try again.
  12. Once you are done, click “Close” to close the window.

Redirecting HTTP to HTTPS

1. Redirect All Web Traffic

If you have existing code in your .htaccess, add the following:

RewriteEngine On RewriteCond %{SERVER_PORT} 80 RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]

2. Redirect Only a Specific Domain

For redirecting a specific domain to use HTTPS, add the following:

RewriteEngine On RewriteCond %{HTTP_HOST} ^yourdomain\.com [NC]RewriteCond %{SERVER_PORT} 80 RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]

3. Redirect Only a Specific Folder

Redirecting to HTTPS on a specific folder, add the following:

RewriteEngine On RewriteCond %{SERVER_PORT} 80 RewriteCond %{REQUEST_URI} folder RewriteRule ^(.*)$ https://www.yourdomain.com/folder/$1 [R,L]

Note: Replace “yourdomain” with your actual domain name wherever required. Also, in case of the folder, replace /folder with the actual folder name.

Think it was useful? Share this article to help them come on HTTPS

SPF Record & Outgoing mails

SPF record is used to accurately calculate the reputations of envelope-sender domains and mailservers by mailbox-providers. It works as follows: If many users flag emails as spam from example.com, then SPF allows the mailbox-provider to more accurately say that, “examplea.com is a spammer”, because the SPF record of example.com is used to identify it as a spam. Conversely, if any user flag spoofed email as spam from example.com, then SPF allows the mailbox-providers to maintain the good reputation for example.com and makes the email flow normal. So, we should always use SPF to make spam filtering more accurate.

SPF record is used to accurately calculate the reputations of envelope-sender domains and mailservers by mailbox-providers. It works as follows: If many users flag emails as spam from example.com, then SPF allows the mailbox-provider to more accurately say that, “example.com is a spammer”, because the SPF record of example.com is used to identify it as a spam. Conversely, if any user flag spoofed email as spam from example.com, then SPF allows the mailbox-providers to maintain the good reputation for example.com and makes the email flow normal. So, we should always use SPF to make spam filtering more accurate.

As a PHP developer, everyone familiars with the PHP mail (http://php.net/manual/en/function.mail.php) function, which is used for sending emails. But, one can’t send email using SMTP authentication using this mail function. This makes most outgoing emails caught by spam-filters because of the SPF (Sender Policy Framework) check.

An important thing about SPF is that, it only performs checks on the envelope sender (Return-Path header), not on the user-visible from header. You can read about this at http://www.openspf.org/FAQ/Envelope_from_scope.

In most of the application, we use PHP’s mail function. If we check the outgoing mail header sent using the mail function, we can see that the envelope sender (Return-Path header) is a common address of the server or localhost even if you provide the From header of your domain to the mail.

So, when SPF checks performed by mailserver, it checks only the envelope sender which is a common address of the server or localhost and ignoring the from address, which is a genuine email address of the domain. So, our SPF record will be ignored. And, the server may not have an SPF record. In such case mail server detect a softfail. If you notice in Gmail, it identifies such softfail with phrase “best guess record”. Gmail uses a heuristic system to create best-guess SPF records for domains that don’t use SPF. For more details, go to http://www.ceas.cc/2006/19.pdf

As Gmail is using a best-guess records for server/domains that don’t have an SPF record, this guess is sometimes wrong, which cause a softfail. If your mail is being routed through a new mailserver, which may not add to the best-guess SPF records by Gmail, then we can see the softfail disappear after a while.

There is some basic solution to avoid softfails due to SPF record.

One solution would be to use SMTP mailer instead of PHP’s simple mail function. There are many SMTP mailer classes available free, like PHPMailer. SMTP mailer is directly talking to the mail server, so it can set the envelope-sender to be same as the From address. You can also specify the envelope-sender while using SMTP mailer.

Alternatively, we can also use Google’s SMTP (smtp.google.com) to send outgoing mails using Google’s username and password. In this case, we have to simplify our SPF record to identify Google by adding “include:_spf.google.com ~all”.

But, if we have already used a PHP’s mail function throughout the application, and switching to SMTP mailer requires so much time and effort, we can still set an envelope-sender using PHP’s mail function. To set the envelope-sender, use sendmail’s -f/-F command as a fifth additional-options parameter of the PHP’s mail function.

PHP Code:

mail("user@example.com",  "test subject",  "test message",  $headers,  "-F 'Example  Envelope-sender' -f returnpath@example.com");

We can use any of domain email addresses or from address instead of returnpath@example.com in the above code snippet.

There may be other solutions to achieve this. The key is to set the envelope-sender (Return-Path) to the email address of the domain.