Apologies for what might be a newbie question -- hoping someone here can help.

Looking at our site (https://depressionforums.org/forums) speed metrics (e.g. gtmetrix) one of our main issues is landing page redirects, which are primarily used to direct traffic from http to https.

To achieve this we use the following .htaccess rules:

```apache
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
```

However, I'm wondering if there is a more efficient/eloquent way in which we can do this that might avoid the landing page redirects, at least for http --> https?

Thanks in advance for any advice.

[Edit: This is a dedicated server, so we do have access to httpd.conf, etc.]

  • Consider deploying [Strict Transport Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security). This informs the browser, "hey, from now on, just assume this site should always be accessed with HTTPS" so no redirect even happens after the initial one. Use this with some caution, and please give a good read about it if you're interested. – vcsjones Jun 23 '17 at 13:30
  • I would suggest [there are far tidier ways of writing](https://stackoverflow.com/questions/13376219/htaccess-redirect-http-to-https) your example rewrite code. – Martin Jun 23 '17 at 13:41
  • There is no reason not to use HTTPS, if it's available. Ever. – Martin Jun 23 '17 at 13:41

1 Answer

Use HSTS with the preload option:

  • After a visit to any page of your website that sends the HSTS header, the browser will automatically use https instead of http
  • If you are preloaded in browsers, even the first request will automatically be https, even if the user wrote http://yourwebsite.com : https://hstspreload.org/
Tom
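
One way to apply this answer in httpd.conf, as an added example that is not part of the original answer or the asker's configuration. It assumes mod_rewrite, mod_headers and mod_ssl are loaded; `example.org` and the certificate paths are placeholders.

```apache
# Added example. example.org and the certificate paths are placeholders.

<VirtualHost *:80>
    ServerName example.org

    RewriteEngine On
    # Same exclusions as the question's rules: certificate-validation
    # requests must stay reachable over plain HTTP.
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
    # No %{HTTPS} test is needed inside the port-80 vhost.
    # R=301 is a permanent redirect that browsers may cache;
    # a bare [R] sends a temporary 302 on every visit.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName example.org
    SSLEngine on
    SSLCertificateFile    /path/to/placeholder-cert.pem
    SSLCertificateKeyFile /path/to/placeholder-key.pem

    # Browsers honour HSTS only when it arrives over HTTPS, so the header
    # belongs here and not in the port-80 vhost.
    #
    # Rollout value: a short lifetime limits the damage if some page or
    # subdomain turns out not to work over HTTPS.
    # Header always set Strict-Transport-Security "max-age=300"
    #
    # Preload-ready value: hstspreload.org requires max-age of at least
    # one year, includeSubDomains and preload. includeSubDomains forces
    # HTTPS on every subdomain, and removal from the preload list is slow.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
```

The first plain-HTTP visit still takes one redirect until the domain ships in browsers' preload lists; after that the browser upgrades the request itself.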