HSTS and double redirect

I manage a little website in a shared hosting LAMP environment: this basically means the only thing I can edit is an htaccess file.



I wanted to add HSTS support (and I did it), but, when I tested my website here for HSTS preload eligibility, I got the following error:




Error: HTTP redirects to www first



http://example (HTTP) should immediately redirect to https://example (HTTPS) before adding the www subdomain. Right now,
the first redirect is to https://www.example. The extra redirect is
required to ensure that any browser which supports HSTS will record
the HSTS entry for the top level domain, not just the subdomain.




So, I suppose I should redirect users this way:




  1. http://example (this is what the user enters in the address bar of his browser)


  2. https://example (we redirect him to the HTTPS version of the website)


  3. https://www.example (we redirect him again to the subdomain www)

My current redirect is done this way:



RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]


I tried to add a redirect before the last line, this way:



RewriteRule ^(.*)$ https://example.com/$1 [R,L]


but I got a "page isn't redirecting properly" error from the browser.



So, what's the proper way to redirect a user from the http version of the website to the https and finally to the https with www? And: are there any risks?










      .htaccess mod-rewrite redirect hsts






      edited Sep 11 at 7:33









      HBruijn♦











      asked Sep 11 at 7:19









      Ian Bell





















          1 Answer



          accepted










          As noted on the HSTS preload list submission requirements:




          1. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.



          You need to redirect to the same host (ie. HTTP_HOST), not simply to example.com first. You don't need to redirect to example.com if the user is requesting www.example.com directly. (The test will involve a request to example.com.) After that you can redirect to the canonical www subdomain if required.




          I tried to add a redirect before the last line, this way:



          RewriteRule ^(.*)$ https://example.com/$1 [R,L]



          That would create a redirect loop, because the preceding RewriteCond directive only applies to the first RewriteRule, so the second RewriteRule would run unconditionally.



          Try something like the following instead:



          # HTTP to HTTPS redirect
          RewriteCond %{SERVER_PORT} 80
          RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]

          # Canonical www redirect
          RewriteCond %{HTTP_HOST} !^www\.
          RewriteRule (.*) https://www.%{HTTP_HOST}/$1 [R,L]


          The HTTP_HOST server variable contains the value of the Host HTTP request header (ie. whatever host is being requested).



          The 2nd redirect states... for all requests where the requested host does not start www. then prefix www. to the host. However, this might not be acceptable if you have multiple subdomains (that resolve to the same place) you want to keep separate, as they will naturally be redirected to the www subdomain.



          Note that these are 302 (temporary) redirects. Change to 301 only when you are sure it's working OK.




          And: are there any risks?




          No risks. Yes, there are potentially two redirects whereas previously there might have only been one (which is arguably less efficient). But there are still only two redirects, which is perfectly OK for SEO. Besides, with HSTS, the user-agent will only ever experience the double redirect at most once.





          RewriteCond %{SERVER_PORT} 80
          RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]



          Aside: (Ignoring HSTS for the moment...) This wouldn't have been complete by itself, as it doesn't canonicalise a request for https://example.com/... (ie. HTTPS and domain apex).




          Further reading:



          • My answer to a related question on Pro Webmasters SE that goes into more detail about implementing HSTS in .htaccess: https://webmasters.stackexchange.com/a/112264/52912





          edited Sep 12 at 9:26

























          answered Sep 11 at 7:46









          MrWhite
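
The redirect behaviour discussed in the answer above, as an added example that is not part of the original post and is not Apache code: a small Python model of how the three rule sets on this page evaluate, showing that a RewriteCond guards only the single RewriteRule that follows it. The names `evaluate`, `follow` and `first_hop_ok` are hypothetical, and the model is a simplification that assumes every rule carries `[R,L]` and ignores query strings.

```python
import re
from urllib.parse import urlsplit

# Each rule is (conditions, pattern, substitution). A condition is
# (server_variable, regex); a leading "!" negates it, as in RewriteCond.
ORIGINAL = [([("SERVER_PORT", "80")], r"^(.*)$", "https://www.example.com/$1")]
ATTEMPT = [
    ([("SERVER_PORT", "80")], r"^(.*)$", "https://example.com/$1"),
    ([], r"^(.*)$", "https://www.example.com/$1"),  # no RewriteCond of its own
]
ANSWER = [
    ([("SERVER_PORT", "80")], r"(.*)", "https://%{HTTP_HOST}/$1"),
    ([("HTTP_HOST", r"!^www\.")], r"(.*)", "https://www.%{HTTP_HOST}/$1"),
]
MAX_HOPS = 10  # assumed cap, comparable to a browser's redirect limit


def cond_matches(cond, req):
    """Evaluate one RewriteCond against the request's server variables."""
    variable, pattern = cond
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    hit = re.search(pattern, req[variable]) is not None
    return hit != negate


def expand(template, req, groups):
    """Fill in %{VAR} server variables, then the $1 backreference."""
    out = re.sub(r"%\{(\w+)\}", lambda m: req[m.group(1)], template)
    return out.replace("$1", groups[0] if groups else "")


def evaluate(rules, url):
    """Return the redirect target for url, or None if the request is served."""
    parts = urlsplit(url)
    req = {
        "HTTP_HOST": parts.netloc,
        "SERVER_PORT": "80" if parts.scheme == "http" else "443",
    }
    path = parts.path.lstrip("/")  # .htaccess patterns see no leading slash
    for conds, pattern, substitution in rules:
        # Conditions apply only to the one rule they immediately precede.
        if not all(cond_matches(c, req) for c in conds):
            continue
        match = re.search(pattern, path)
        if match:
            return expand(substitution, req, match.groups())  # [R,L]: stop here
    return None


def follow(rules, url):
    """Follow redirects from url; return (chain, looped)."""
    chain = [url]
    while len(chain) <= MAX_HOPS:
        target = evaluate(rules, chain[-1])
        if target is None:
            return chain, False
        looped = target in chain
        chain.append(target)
        if looped:
            return chain, True
    return chain, True


def first_hop_ok(chain):
    """Preload requirement quoted on the page: HTTP first redirects to HTTPS on the same host."""
    if len(chain) < 2:
        return False
    src, dst = urlsplit(chain[0]), urlsplit(chain[1])
    return src.scheme == "http" and dst.scheme == "https" and src.netloc == dst.netloc


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("attempt", ATTEMPT), ("answer", ANSWER)):
        chain, looped = follow(rules, "http://example.com/page")
        print(name, "->", " -> ".join(chain))
        print("   loop:", looped, "| first hop same-host HTTPS:", first_hop_ok(chain))
```
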

          • Thank you very much, I'll test it soon. A quick reply to the final Aside: that one works anyway but it looks like it is something I can't directly control (not in the htaccess file, at least: there's a redirect panel in the hosting provider website manager)
            – Ian Bell
            Sep 11 at 8:10






          • Btw, your solution PERFECTLY works! :-)
            – Ian Bell
            Sep 11 at 8:19






          • "redirect panel in the hosting provider website manager" - I would always be wary of such tools. For example, the redirects section in cPanel is very limited and rather notorious.
            – MrWhite
            Sep 11 at 10:02






          • This depends on how you are setting the Strict-Transport-Security response header. For example, to set this on the redirect you'll need to use the always argument on the Header directive. I answered a related question on the Pro Webmasters stack (skip the first part of my answer about on/off) which goes into more detail about implementing "HSTS preload" in .htaccess.
            – MrWhite
            Sep 11 at 13:57






          • You're welcome. To be honest, the Pro Webmasters stack is probably more suited to .htaccess-only related questions (ServerFault assumes you have full control of the server, in which case you wouldn't be doing this in .htaccess). It is arguably easier to implement this in the server config using separate <VirtualHost> containers (since you don't need to mess with env vars and additional conditions - it's "cleaner" and less prone to error). I don't think I would recommend "preload list" submission if you only have access to .htaccess. (My 2c)
            – MrWhite
            Sep 11 at 14:36















