I manage a little website in a shared hosting LAMP environment: this basically means the only thing I can edit is an htaccess file.
I wanted to add HSTS support (and I did it), but, when I tested my website here for HSTS preload eligibility, I got the following error:
Error: HTTP redirects to www first
http://example (HTTP) should immediately redirect to https://example (HTTPS) before adding the www subdomain. Right now, the first redirect is to https://www.example. The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.
So, I suppose I should redirect users this way:
1. http://example (this is what the user enters in the address bar of his browser)
2. https://example (we redirect him to the HTTPS version of the website)
3. https://www.example (we redirect him again to the subdomain www)
My current redirect is done this way:
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]
I tried to add a redirect before the last line, this way:
RewriteRule ^(.*)$ https://example.com/$1 [R,L]
but I got a "page isn't redirecting properly" error from the browser.
So, what's the proper way to redirect a user from the http version of the website to the https and finally to the https with www? And: are there any risks?
Best Answer
As noted on the HSTS preload list submission requirements:
You need to redirect to the same host (ie. HTTP_HOST), not simply to example.com first. You don't need to redirect to example.com if the user is requesting www.example.com directly. (The test will involve a request to example.com.) After that you can redirect to the canonical www subdomain if required.
That would create a redirect loop, because the preceding RewriteCond directive only applies to the first RewriteRule, so the second RewriteRule would run unconditionally. Try something like the following instead:
The HTTP_HOST server variable contains the value of the Host HTTP request header (ie. whatever host is being requested). The 2nd redirect states... for all requests where the requested host does not start with www. then prefix www. to the host. However, this might not be acceptable if you have multiple subdomains (that resolve to the same place) you want to keep separate, as they will naturally be redirected to the www subdomain.
Note that these are 302 (temporary) redirects. Change to 301 only when you are sure it's working OK.
No risks. Yes, there are potentially two redirects whereas previously there might have only been one (which is arguably less efficient). But there are still only two redirects, which is perfectly OK for SEO. Besides, with HSTS, the user-agent will only ever experience the double redirect at most once.
Aside: (Ignoring HSTS for the moment...) This wouldn't have been complete by itself, as it doesn't canonicalise a request for https://example.com/... (ie. HTTPS and domain apex).
Further reading:
.htaccess: https://webmasters.stackexchange.com/a/112264/52912
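A complete rule pair implementing the two-step chain the answer describes, added here as an example (it is not the answer's own code). It assumes mod_rewrite is available in the .htaccess and that the server reports %{HTTPS} as "on" for TLS requests; on a host that does not (for instance behind a TLS-terminating proxy), the question's %{SERVER_PORT} 80 test can replace the first condition.

```apache
RewriteEngine On

# Step 1: every plain-HTTP request is sent to HTTPS on the *same* host,
# so the browser records an HSTS entry for exactly the host it asked for
# (the apex when the preload test requests example.com).
# Assumption: the server sets the HTTPS variable to "on" for TLS requests.
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]

# Step 2: once on HTTPS, canonicalise the apex to the www subdomain.
# A RewriteCond only guards the RewriteRule directly below it, which is
# why the question's unconditional second rule looped; this rule carries
# its own conditions and never matches a host that already starts with www.
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=302,L]

# Resulting chains (hostnames constructed for illustration):
#   http://example.com/x      -> https://example.com/x -> https://www.example.com/x
#   http://www.example.com/x  -> https://www.example.com/x
#   https://example.com/x     -> https://www.example.com/x
#   https://www.example.com/x -> served directly, no redirect
# Caveat from the answer: any other subdomain (e.g. sub.example.com) would
# also be prefixed with www.; add an explicit host condition if that matters.
# Keep R=302 until the chain is verified, then change both rules to R=301.
```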