9

I manage a little website in a shared hosting LAMP environment: this basically means the only thing I can edit is an htaccess file.

I wanted to add HSTS support (and I did it), but, when I tested my website here for HSTS preload eligibility, I got the following error:

Error: HTTP redirects to www first

http://example (HTTP) should immediately redirect to https://example (HTTPS) before adding the www subdomain. Right now, the first redirect is to https://www.example. The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.

So, I suppose I should redirect users this way:

  1. http://example (this is what the user enters in the address bar of his browser)
  2. https://example (we redirect him to the HTTPS version of the website)
  3. https://www.example (we redirect him again to the subdomain www)

My current redirect is done this way:

RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]

I tried to add a redirect before the last line, this way:

RewriteRule ^(.*)$ https://example.com/$1 [R,L]

but I got a "page isn't redirecting properly" error from the browser.

So, what's the proper way to redirect a user from the http version of the website to the https and finally to the https with www? And: are there any risks?

HBruijn
  • 72,524
  • 21
  • 127
  • 192

1 Answers1

10

As noted on the HSTS preload list submission requirements:

  1. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.

You need to redirect to the same host (ie. HTTP_HOST), not simply to example.com first. You don't need to redirect to example.com if the user is requesting www.example.com directly. (The test will involve a request to example.com.) After that you can redirect to the canonical www subdomain if required.

I tried to add a redirect before the last line, this way:

RewriteRule ^(.*)$ https://example.com/$1 [R,L]

That would create a redirect loop, because the preceding RewriteCond directive only applies to the first RewriteRule, so the second RewriteRule would run unconditionally.

Try something like the following instead:

# HTTP to HTTPS redirect
RewriteCond %{SERVER_PORT} 80
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]

# Canonical www redirect
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule (.*) https://www.%{HTTP_HOST}/$1 [R,L]

The HTTP_HOST server variable contains the value of the Host HTTP request header (ie. whatever host is being requested).

The 2nd redirect states... for all requests where the requested host does not start www. then prefix www. to the host. However, this might not be acceptable if you have multiple subdomains (that resolve to the same place) you want to keep separate, as they will naturally be redirected to the www subdomain.

Note that these are 302 (temporary) redirects. Change to 301 only when you are sure it's working OK.

And: are there any risks?

No risks. Yes, there are potentially two redirects whereas previously there might have only been one (which is arguably less efficient). But there are still only two redirects, which is perfectly OK for SEO. Besides, with HSTS, the user-agent will only ever experience the double redirect at most once.

RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]

Aside: (Ignoring HSTS for the moment...) This wouldn't have been complete by itself, as it doesn't canonicalise a request for https://example.com/... (ie. HTTPS and domain apex).

Further reading:

Community
  • 1
MrWhite
  • 11,643
  • 4
  • 25
  • 40
  • Thank you very much, I'll test it soon. A quick reply to the final Aside: that one works anyway but it looks like it is something I can't directly control (not in the htaccess file, at least: there's a redirect panel in the hosting provider website manager) –  Sep 11 '18 at 08:10
  • 1
    Btw, your solution PERFECTLY works! :-) –  Sep 11 '18 at 08:19
  • 1
    "redirect panel in the hosting provider website manager" - I would always be wary of such tools. For example, the redirects section in cPanel is very limited and rather notorious. – MrWhite Sep 11 '18 at 10:02
  • I found the panel when I started asking myself WHY redirects were "misbehaving": they weren't! There was something invisible set up at the panel level :-) –  Sep 11 '18 at 10:04
  • it happens something strange (maybe I'll post another question): now (hsts preload website) I get 'Response error: No HSTS header is present on the response'. I verified and it is true: the first request has no security header, the second one is ok. This thing "confuses" the Mozilla Observatory test too (I filed a bug) because they say anything is ok with hsts header –  Sep 11 '18 at 13:22
  • 1
    This depends on how you are setting the `Strict-Transport-Security` response header. For example, to set this on the redirect you'll need to use the `always` argument on the `Header` directive. [I answered a related question on the Pro Webmasters stack](https://webmasters.stackexchange.com/a/112264/52912) (skip the first part of my answer about `on`/`off`) which goes into more detail about implementing "HSTS _preload_" in `.htaccess`. – MrWhite Sep 11 '18 at 13:57
  • And, once again, you were absolutely right. Thanks! –  Sep 11 '18 at 14:08
  • 1
    You're welcome. To be honest, the [Pro Webmasters stack](https://webmasters.stackexchange.com/) is probably more suited to `.htaccess`-only related questions (ServerFault assumes you have full control of the server, in which case you wouldn't be doing this in `.htaccess`). It is arguably _easier_ to implement this in the server config using separate `` containers (since you don't need to mess with env vars and additional _conditions_ - it's "cleaner" and less prone to error). I don't think I would recommend "preload list" submission if you only have access to `.htaccess`. (My 2c) – MrWhite Sep 11 '18 at 14:36