Reputation: 5077
Is there a way with htaccess redirect conditions and redirects to catch content called over HTTP when the site is accessed via HTTPS?
Such that http content will be redirected to the https equivalent url if the site is accessed over HTTPS?
Essentially I'd like an automated way to mop up and deal with mixed content when my site is accessed via HTTPS.
So far the following fixed all .css and .js files being called over HTTP when site is accessed through HTTPS.
RewriteRule ^/(.*):SSL$ https://%{SERVER_NAME}/$1 [R,L]
RewriteRule ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1 [R,L]
But for some reason this does not redirect requests for images (for instance) on my site being called through HTTP during an HTTPS session.
I also tried this rule,
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
but that didn't redirect the images either.
I figure there must be a way to test if the connection is over HTTPS, then rewrite any http:// urls to an https:// equivalent. I am just not sure how to formulate the rules correctly.
Upvotes: 11
Views: 26514
Reputation: 45950
This won't work.
The browser will see the http request and mark the page as containing insecure content. And rightly so as the request will be made over http, and then redirected to https. So it is insecure because of that.
What you want to do is use Content-Security-Policy to ask the web browser to update the request when it loads the page:
Header always set Content-Security-Policy: upgrade-insecure-requests
See here for more info: https://www.w3.org/TR/upgrade-insecure-requests/
Note browser support is mixed for this: https://caniuse.com/upgradeinsecurerequests
Upvotes: 25
Reputation: 1052
If you can enable mod_headers then you can add this code to .htaccess or the host config file:
<IfModule mod_headers.c>
Header always set Content-Security-Policy "upgrade-insecure-requests;"
</IfModule>
You can enable mod_headers using the commands below on Ubuntu:
a2enmod headers
apache2ctl -k graceful
In case you aren't able to edit .htaccess or enable mod_headers, you can put the line below in the HTML header, between <head>...</head>:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Upvotes: 8
Reputation: 176382
"Essentially I'd like an automated way to mop up and deal with mixed content when my site is accessed via HTTPS."
Redirecting the traffic from HTTP to HTTPS is a recommended approach, but please note that will not fix the mixed content error.
In fact, browsers will display the error in any case if you load an insecure resource from a secure page, regardless if the resource is redirected to a secure page.
In other words, if page index.html loads https://example.com/logo.png, and http://example.com/logo.png redirects to https://example.com/logo.png, the browser will still display a mixed content warning. The reason is because the first request from the secure page is in any case sent to the insecure address in order to fetch the response (and in this case detect the redirect).
That said, in order to redirect from HTTP to HTTPS you can use the rule
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Instead, the only way to fix the mixed security error is to change the content of your pages (or the app/framework/whatever you use to create them) to point to the secure versions of the resources you embed/load/reference, of course assuming the resources can be reached at a secure server.
Upvotes: 1
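An added example, not part of the answer above or of any post on this page: a small Python audit that lists the http:// subresource references in a page, which are the references the answer says have to be changed in the page content. The tag/attribute table, the rel list and the sample HTML are assumptions constructed for illustration, and CSS url() references are not covered.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource (assumed, not exhaustive).
# <a href> is a navigation, not a subresource, so it is deliberately absent.
FETCHING_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "iframe": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src", "srcset"),
    "embed": ("src",), "object": ("data",), "link": ("href",),
}
# <link> only fetches for rel values like these; rel=canonical is metadata.
FETCHING_RELS = {"stylesheet", "icon", "preload", "prefetch", "manifest"}

def http_urls(attr, value):
    """Return the http:// URLs in one attribute value (srcset holds several)."""
    parts = value.split(",") if attr == "srcset" else [value]
    urls = [p.split()[0] for p in parts if p.strip()]
    return [u for u in urls if u.lower().startswith("http://")]

class MixedContentAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = {name: value or "" for name, value in attrs}
        rels = set(attrs.get("rel", "").lower().split())
        if tag == "link" and not rels & FETCHING_RELS:
            return  # the URL is never fetched, so it cannot be mixed content
        for attr in FETCHING_ATTRS.get(tag, ()):
            for url in http_urls(attr, attrs.get(attr, "")):
                self.findings.append((self.getpos()[0], tag, attr, url))

def audit(html):
    parser = MixedContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, for illustration only.
SAMPLE = """<head><link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/site.css"></head>
<body><a href="http://example.com/about">About</a>
<img src="http://example.com/logo.png"
     srcset="https://example.com/a.png 1x, http://example.com/b.png 2x">
<script src="https://example.com/app.js"></script></body>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: <%s> %s=%s" % finding)
```

The canonical link and the plain anchor are not reported because the browser never fetches them while rendering the page; only the stylesheet and the two image URLs are.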
Reputation: 849
Wouldn't this work:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]
Just put it before any other rules you have.
Also, the condition may be changed to:
RewriteCond %{SERVER_PORT} !^443$
Upvotes: -1