HSTS and double redirect

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
7
down vote

favorite
1












I manage a little website in a shared hosting LAMP environment: this basically means the only thing I can edit is an htaccess file.



I wanted to add HSTS support (and I did it), but, when I tested my website here for HSTS preload eligibility, I got the following error:




Error: HTTP redirects to www first



http://example (HTTP) should immediately redirect to https://example (HTTPS) before adding the www subdomain. Right now,
the first redirect is to https://www.example. The extra redirect is
required to ensure that any browser which supports HSTS will record
the HSTS entry for the top level domain, not just the subdomain.




So, I suppose I should redirect users this way:




  1. http://example (this is what the user enters in the address bar of his browser)


  2. https://example (we redirect him to the HTTPS version of the website)


  3. https://www.example (we redirect him again to the subdomain www)

My current redirect is done this way:



RewriteCond %SERVER_PORT 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]


I tried to add a redirect before the last line, this way:



RewriteRule ^(.*)$ https://example.com/$1 [R,L]


but I got a "page isn't redirecting properly" error from the browser.



So, what's the proper way to redirect a user from the http version of the website to the https and finally to the https with www? And: are there any risks?










share|improve this question









New contributor




Ian Bell is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.























    up vote
    7
    down vote

    favorite
    1












    I manage a little website in a shared hosting LAMP environment: this basically means the only thing I can edit is an htaccess file.



    I wanted to add HSTS support (and I did it), but, when I tested my website here for HSTS preload eligibility, I got the following error:




    Error: HTTP redirects to www first



    http://example (HTTP) should immediately redirect to https://example (HTTPS) before adding the www subdomain. Right now,
    the first redirect is to https://www.example. The extra redirect is
    required to ensure that any browser which supports HSTS will record
    the HSTS entry for the top level domain, not just the subdomain.




    So, I suppose I should redirect users this way:




    1. http://example (this is what the user enters in the address bar of his browser)


    2. https://example (we redirect him to the HTTPS version of the website)


    3. https://www.example (we redirect him again to the subdomain www)

    My current redirect is done this way:



    RewriteCond %SERVER_PORT 80
    RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]


    I tried to add a redirect before the last line, this way:



    RewriteRule ^(.*)$ https://example.com/$1 [R,L]


    but I got a "page isn't redirecting properly" error from the browser.



    So, what's the proper way to redirect a user from the http version of the website to the https and finally to the https with www? And: are there any risks?










    share|improve this question









    New contributor




    Ian Bell is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.





















      up vote
      7
      down vote

      favorite
      1









      up vote
      7
      down vote

      favorite
      1






      1





      I manage a little website in a shared hosting LAMP environment: this basically means the only thing I can edit is an htaccess file.



      I wanted to add HSTS support (and I did it), but, when I tested my website here for HSTS preload eligibility, I got the following error:




      Error: HTTP redirects to www first



      http://example (HTTP) should immediately redirect to https://example (HTTPS) before adding the www subdomain. Right now,
      the first redirect is to https://www.example. The extra redirect is
      required to ensure that any browser which supports HSTS will record
      the HSTS entry for the top level domain, not just the subdomain.




      So, I suppose I should redirect users this way:




      1. http://example (this is what the user enters in the address bar of his browser)


      2. https://example (we redirect him to the HTTPS version of the website)


      3. https://www.example (we redirect him again to the subdomain www)

      My current redirect is done this way:



      RewriteCond %SERVER_PORT 80
      RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]


      I tried to add a redirect before the last line, this way:



      RewriteRule ^(.*)$ https://example.com/$1 [R,L]


      but I got a "page isn't redirecting properly" error from the browser.



      So, what's the proper way to redirect a user from the http version of the website to the https and finally to the https with www? And: are there any risks?










      share|improve this question









      New contributor




      Ian Bell is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      I manage a little website in a shared hosting LAMP environment: this basically means the only thing I can edit is an htaccess file.



      I wanted to add HSTS support (and I did it), but, when I tested my website here for HSTS preload eligibility, I got the following error:




      Error: HTTP redirects to www first



      http://example (HTTP) should immediately redirect to https://example (HTTPS) before adding the www subdomain. Right now,
      the first redirect is to https://www.example. The extra redirect is
      required to ensure that any browser which supports HSTS will record
      the HSTS entry for the top level domain, not just the subdomain.




      So, I suppose I should redirect users this way:




      1. http://example (this is what the user enters in the address bar of his browser)


      2. https://example (we redirect him to the HTTPS version of the website)


      3. https://www.example (we redirect him again to the subdomain www)

      My current redirect is done this way:



      RewriteCond %SERVER_PORT 80
      RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]


      I tried to add a redirect before the last line, this way:



      RewriteRule ^(.*)$ https://example.com/$1 [R,L]


      but I got a "page isn't redirecting properly" error from the browser.



      So, what's the proper way to redirect a user from the http version of the website to the https and finally to the https with www? And: are there any risks?







      .htaccess mod-rewrite redirect hsts






      share|improve this question









      New contributor




      Ian Bell is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question









      New contributor




      Ian Bell is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question








      edited yesterday









      HBruijn♦

      49.7k1079134




      49.7k1079134






      New contributor




      Ian Bell is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked yesterday









      Ian Bell

      1384




      1384




      New contributor




      Ian Bell is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Ian Bell is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Ian Bell is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          7
          down vote



          accepted










          As noted on the HSTS preload list submission requirements:




          1. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.



          You need to redirect to the same host (ie. HTTP_HOST), not simply to example.com first. You don't need to redirect to example.com if the user is requesting www.example.com directly. (The test will involve a request to example.com.) After that you can redirect to the canonical www subdomain if required.




          I tried to add a redirect before the last line, this way:



          RewriteRule ^(.*)$ https://example.com/$1 [R,L]



          That would create a redirect loop, because the preceding RewriteCond directive only applies to the first RewriteRule, so the second RewriteRule would run unconditionally.



          Try something like the following instead:



          # HTTP to HTTPS redirect
          RewriteCond %SERVER_PORT 80
          RewriteRule (.*) https://%HTTP_HOST/$1 [R,L]

          # Canonical www redirect
          RewriteCond %HTTP_HOST !^www.
          RewriteRule (.*) https://www.%HTTP_HOST/$1 [R,L]


          The HTTP_HOST server variable contains the value of the Host HTTP request header (ie. whatever host is being requested).



          The 2nd redirect states... for all requests where the requested host does not start www. then prefix www. to the host. However, this might not be acceptable if you have multiple subdomains (that resolve to the same place) you want to keep separate, as they will naturally be redirected to the www subdomain.



          Note that these are 302 (temporary) redirects. Change to 301 only when you are sure it's working OK.




          And: are there any risks?




          No risks. Yes, there are potentially two redirects whereas previously there might have only been one (which is arguably less efficient). But there are still only two redirects, which is perfectly OK for SEO. Besides, with HSTS, the user-agent will only ever experience the double redirect at most once.





          RewriteCond %SERVER_PORT 80
          RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]



          Aside: (Ignoring HSTS for the moment...) This wouldn't have been complete by itself, as it doesn't canonicalise a request for https://example.com/... (ie. HTTPS and domain apex).




          Further reading:



          • My answer to a related question on Pro Webmasters SE that goes into more detail about implementing HSTS in .htaccess: https://webmasters.stackexchange.com/a/112264/52912





          share|improve this answer






















          • Thank you very much, I'll test it soon. A quick reply to the final Aside: that one works anyway but it looks like it is something I can't directly control (not in the htaccess file, at least: there's a redirect panel in the hosting provider website manager)
            – Ian Bell
            yesterday






          • 1




            Btw, your solution PERFECTLY works! :-)
            – Ian Bell
            yesterday






          • 1




            "redirect panel in the hosting provider website manager" - I would always be wary of such tools. For example, the redirects section in cPanel is very limited and rather notorious.
            – MrWhite
            yesterday






          • 1




            This depends on how you are setting the Strict-Transport-Security response header. For example, to set this on the redirect you'll need to use the always argument on the Header directive. I answered a related question on the Pro Webmasters stack (skip the first part of my answer about on/off) which goes into more detail about implementing "HSTS preload" in .htaccess.
            – MrWhite
            yesterday






          • 1




            You're welcome. To be honest, the Pro Webmasters stack is probably more suited to .htaccess-only related questions (ServerFault assumes you have full control of the server, in which case you wouldn't be doing this in .htaccess). It is arguably easier to implement this in the server config using separate <VirtualHost> containers (since you don't need to mess with env vars and additional conditions - it's "cleaner" and less prone to error). I don't think I would recommend "preload list" submission if you only have access to .htaccess. (My 2c)
            – MrWhite
            yesterday










          Your Answer







          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "2"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );






          Ian Bell is a new contributor. Be nice, and check out our Code of Conduct.









           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f930368%2fhsts-and-double-redirect%23new-answer', 'question_page');

          );

          Post as a guest






























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          7
          down vote



          accepted










          As noted on the HSTS preload list submission requirements:




          1. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.



          You need to redirect to the same host (ie. HTTP_HOST), not simply to example.com first. You don't need to redirect to example.com if the user is requesting www.example.com directly. (The test will involve a request to example.com.) After that you can redirect to the canonical www subdomain if required.




          I tried to add a redirect before the last line, this way:



          RewriteRule ^(.*)$ https://example.com/$1 [R,L]



          That would create a redirect loop, because the preceding RewriteCond directive only applies to the first RewriteRule, so the second RewriteRule would run unconditionally.



          Try something like the following instead:



          # HTTP to HTTPS redirect
          RewriteCond %SERVER_PORT 80
          RewriteRule (.*) https://%HTTP_HOST/$1 [R,L]

          # Canonical www redirect
          RewriteCond %HTTP_HOST !^www.
          RewriteRule (.*) https://www.%HTTP_HOST/$1 [R,L]


          The HTTP_HOST server variable contains the value of the Host HTTP request header (ie. whatever host is being requested).



          The 2nd redirect states... for all requests where the requested host does not start www. then prefix www. to the host. However, this might not be acceptable if you have multiple subdomains (that resolve to the same place) you want to keep separate, as they will naturally be redirected to the www subdomain.



          Note that these are 302 (temporary) redirects. Change to 301 only when you are sure it's working OK.




          And: are there any risks?




          No risks. Yes, there are potentially two redirects whereas previously there might have only been one (which is arguably less efficient). But there are still only two redirects, which is perfectly OK for SEO. Besides, with HSTS, the user-agent will only ever experience the double redirect at most once.





          RewriteCond %SERVER_PORT 80
          RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]



          Aside: (Ignoring HSTS for the moment...) This wouldn't have been complete by itself, as it doesn't canonicalise a request for https://example.com/... (ie. HTTPS and domain apex).




          Further reading:



          • My answer to a related question on Pro Webmasters SE that goes into more detail about implementing HSTS in .htaccess: https://webmasters.stackexchange.com/a/112264/52912





          share|improve this answer






















          • Thank you very much, I'll test it soon. A quick reply to the final Aside: that one works anyway but it looks like it is something I can't directly control (not in the htaccess file, at least: there's a redirect panel in the hosting provider website manager)
            – Ian Bell
            yesterday






          • 1




            Btw, your solution PERFECTLY works! :-)
            – Ian Bell
            yesterday






          • 1




            "redirect panel in the hosting provider website manager" - I would always be wary of such tools. For example, the redirects section in cPanel is very limited and rather notorious.
            – MrWhite
            yesterday






          • 1




            This depends on how you are setting the Strict-Transport-Security response header. For example, to set this on the redirect you'll need to use the always argument on the Header directive. I answered a related question on the Pro Webmasters stack (skip the first part of my answer about on/off) which goes into more detail about implementing "HSTS preload" in .htaccess.
            – MrWhite
            yesterday






          • 1




            You're welcome. To be honest, the Pro Webmasters stack is probably more suited to .htaccess-only related questions (ServerFault assumes you have full control of the server, in which case you wouldn't be doing this in .htaccess). It is arguably easier to implement this in the server config using separate <VirtualHost> containers (since you don't need to mess with env vars and additional conditions - it's "cleaner" and less prone to error). I don't think I would recommend "preload list" submission if you only have access to .htaccess. (My 2c)
            – MrWhite
            yesterday














          up vote
          7
          down vote



          accepted










          As noted on the HSTS preload list submission requirements:




          1. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.



          You need to redirect to the same host (ie. HTTP_HOST), not simply to example.com first. You don't need to redirect to example.com if the user is requesting www.example.com directly. (The test will involve a request to example.com.) After that you can redirect to the canonical www subdomain if required.




          I tried to add a redirect before the last line, this way:



          RewriteRule ^(.*)$ https://example.com/$1 [R,L]



          That would create a redirect loop, because the preceding RewriteCond directive only applies to the first RewriteRule, so the second RewriteRule would run unconditionally.



          Try something like the following instead:



          # HTTP to HTTPS redirect
          RewriteCond %SERVER_PORT 80
          RewriteRule (.*) https://%HTTP_HOST/$1 [R,L]

          # Canonical www redirect
          RewriteCond %HTTP_HOST !^www.
          RewriteRule (.*) https://www.%HTTP_HOST/$1 [R,L]


          The HTTP_HOST server variable contains the value of the Host HTTP request header (ie. whatever host is being requested).



          The 2nd redirect states... for all requests where the requested host does not start www. then prefix www. to the host. However, this might not be acceptable if you have multiple subdomains (that resolve to the same place) you want to keep separate, as they will naturally be redirected to the www subdomain.



          Note that these are 302 (temporary) redirects. Change to 301 only when you are sure it's working OK.




          And: are there any risks?




          No risks. Yes, there are potentially two redirects whereas previously there might have only been one (which is arguably less efficient). But there are still only two redirects, which is perfectly OK for SEO. Besides, with HSTS, the user-agent will only ever experience the double redirect at most once.





          RewriteCond %SERVER_PORT 80
          RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]



          Aside: (Ignoring HSTS for the moment...) This wouldn't have been complete by itself, as it doesn't canonicalise a request for https://example.com/... (ie. HTTPS and domain apex).




          Further reading:



          • My answer to a related question on Pro Webmasters SE that goes into more detail about implementing HSTS in .htaccess: https://webmasters.stackexchange.com/a/112264/52912





          share|improve this answer






















          • Thank you very much, I'll test it soon. A quick reply to the final Aside: that one works anyway but it looks like it is something I can't directly control (not in the htaccess file, at least: there's a redirect panel in the hosting provider website manager)
            – Ian Bell
            yesterday






          • 1




            Btw, your solution PERFECTLY works! :-)
            – Ian Bell
            yesterday






          • 1




            "redirect panel in the hosting provider website manager" - I would always be wary of such tools. For example, the redirects section in cPanel is very limited and rather notorious.
            – MrWhite
            yesterday






          • 1




            This depends on how you are setting the Strict-Transport-Security response header. For example, to set this on the redirect you'll need to use the always argument on the Header directive. I answered a related question on the Pro Webmasters stack (skip the first part of my answer about on/off) which goes into more detail about implementing "HSTS preload" in .htaccess.
            – MrWhite
            yesterday






          • 1




            You're welcome. To be honest, the Pro Webmasters stack is probably more suited to .htaccess-only related questions (ServerFault assumes you have full control of the server, in which case you wouldn't be doing this in .htaccess). It is arguably easier to implement this in the server config using separate <VirtualHost> containers (since you don't need to mess with env vars and additional conditions - it's "cleaner" and less prone to error). I don't think I would recommend "preload list" submission if you only have access to .htaccess. (My 2c)
            – MrWhite
            yesterday












          up vote
          7
          down vote



          accepted







          up vote
          7
          down vote



          accepted






          As noted on the HSTS preload list submission requirements:




          1. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.



          You need to redirect to the same host (ie. HTTP_HOST), not simply to example.com first. You don't need to redirect to example.com if the user is requesting www.example.com directly. (The test will involve a request to example.com.) After that you can redirect to the canonical www subdomain if required.




          I tried to add a redirect before the last line, this way:



          RewriteRule ^(.*)$ https://example.com/$1 [R,L]



          That would create a redirect loop, because the preceding RewriteCond directive only applies to the first RewriteRule, so the second RewriteRule would run unconditionally.



          Try something like the following instead:



          # HTTP to HTTPS redirect
          RewriteCond %SERVER_PORT 80
          RewriteRule (.*) https://%HTTP_HOST/$1 [R,L]

          # Canonical www redirect
          RewriteCond %HTTP_HOST !^www.
          RewriteRule (.*) https://www.%HTTP_HOST/$1 [R,L]


          The HTTP_HOST server variable contains the value of the Host HTTP request header (ie. whatever host is being requested).



          The 2nd redirect states... for all requests where the requested host does not start www. then prefix www. to the host. However, this might not be acceptable if you have multiple subdomains (that resolve to the same place) you want to keep separate, as they will naturally be redirected to the www subdomain.



          Note that these are 302 (temporary) redirects. Change to 301 only when you are sure it's working OK.




          And: are there any risks?




          No risks. Yes, there are potentially two redirects whereas previously there might have only been one (which is arguably less efficient). But there are still only two redirects, which is perfectly OK for SEO. Besides, with HSTS, the user-agent will only ever experience the double redirect at most once.





          RewriteCond %SERVER_PORT 80
          RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]



          Aside: (Ignoring HSTS for the moment...) This wouldn't have been complete by itself, as it doesn't canonicalise a request for https://example.com/... (ie. HTTPS and domain apex).




          Further reading:



          • My answer to a related question on Pro Webmasters SE that goes into more detail about implementing HSTS in .htaccess: https://webmasters.stackexchange.com/a/112264/52912





          share|improve this answer














          As noted on the HSTS preload list submission requirements:




          1. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.



          You need to redirect to the same host (ie. HTTP_HOST), not simply to example.com first. You don't need to redirect to example.com if the user is requesting www.example.com directly. (The test will involve a request to example.com.) After that you can redirect to the canonical www subdomain if required.




          I tried to add a redirect before the last line, this way:



          RewriteRule ^(.*)$ https://example.com/$1 [R,L]



          That would create a redirect loop, because the preceding RewriteCond directive only applies to the first RewriteRule, so the second RewriteRule would run unconditionally.



          Try something like the following instead:



          # HTTP to HTTPS redirect
          RewriteCond %SERVER_PORT 80
          RewriteRule (.*) https://%HTTP_HOST/$1 [R,L]

          # Canonical www redirect
          RewriteCond %HTTP_HOST !^www.
          RewriteRule (.*) https://www.%HTTP_HOST/$1 [R,L]


          The HTTP_HOST server variable contains the value of the Host HTTP request header (ie. whatever host is being requested).



          The 2nd redirect states... for all requests where the requested host does not start www. then prefix www. to the host. However, this might not be acceptable if you have multiple subdomains (that resolve to the same place) you want to keep separate, as they will naturally be redirected to the www subdomain.



          Note that these are 302 (temporary) redirects. Change to 301 only when you are sure it's working OK.




          And: are there any risks?




          No risks. Yes, there are potentially two redirects whereas previously there might have only been one (which is arguably less efficient). But there are still only two redirects, which is perfectly OK for SEO. Besides, with HSTS, the user-agent will only ever experience the double redirect at most once.





          RewriteCond %SERVER_PORT 80
          RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]



          Aside: (Ignoring HSTS for the moment...) This wouldn't have been complete by itself, as it doesn't canonicalise a request for https://example.com/... (ie. HTTPS and domain apex).




          Further reading:



          • My answer to a related question on Pro Webmasters SE that goes into more detail about implementing HSTS in .htaccess: https://webmasters.stackexchange.com/a/112264/52912






          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 20 hours ago

























          answered yesterday









          MrWhite

          4,77221323




          4,77221323











          • Thank you very much, I'll test it soon. A quick reply to the final Aside: that one works anyway but it looks like it is something I can't directly control (not in the htaccess file, at least: there's a redirect panel in the hosting provider website manager)
            – Ian Bell
            yesterday






          • 1




            Btw, your solution PERFECTLY works! :-)
            – Ian Bell
            yesterday






          • 1




            "redirect panel in the hosting provider website manager" - I would always be wary of such tools. For example, the redirects section in cPanel is very limited and rather notorious.
            – MrWhite
            yesterday






          • 1




            This depends on how you are setting the Strict-Transport-Security response header. For example, to set this on the redirect you'll need to use the always argument on the Header directive. I answered a related question on the Pro Webmasters stack (skip the first part of my answer about on/off) which goes into more detail about implementing "HSTS preload" in .htaccess.
            – MrWhite
            yesterday






          • 1




            You're welcome. To be honest, the Pro Webmasters stack is probably more suited to .htaccess-only related questions (ServerFault assumes you have full control of the server, in which case you wouldn't be doing this in .htaccess). It is arguably easier to implement this in the server config using separate <VirtualHost> containers (since you don't need to mess with env vars and additional conditions - it's "cleaner" and less prone to error). I don't think I would recommend "preload list" submission if you only have access to .htaccess. (My 2c)
            – MrWhite
            yesterday
















          • Thank you very much, I'll test it soon. A quick reply to the final Aside: that one works anyway but it looks like it is something I can't directly control (not in the htaccess file, at least: there's a redirect panel in the hosting provider website manager)
            – Ian Bell
            yesterday






          • 1




            Btw, your solution PERFECTLY works! :-)
            – Ian Bell
            yesterday






          • 1




            "redirect panel in the hosting provider website manager" - I would always be wary of such tools. For example, the redirects section in cPanel is very limited and rather notorious.
            – MrWhite
            yesterday






          • 1




            This depends on how you are setting the Strict-Transport-Security response header. For example, to set this on the redirect you'll need to use the always argument on the Header directive. I answered a related question on the Pro Webmasters stack (skip the first part of my answer about on/off) which goes into more detail about implementing "HSTS preload" in .htaccess.
            – MrWhite
            yesterday






          • 1




            You're welcome. To be honest, the Pro Webmasters stack is probably more suited to .htaccess-only related questions (ServerFault assumes you have full control of the server, in which case you wouldn't be doing this in .htaccess). It is arguably easier to implement this in the server config using separate <VirtualHost> containers (since you don't need to mess with env vars and additional conditions - it's "cleaner" and less prone to error). I don't think I would recommend "preload list" submission if you only have access to .htaccess. (My 2c)
            – MrWhite
            yesterday















          Thank you very much, I'll test it soon. A quick reply to the final Aside: that one works anyway but it looks like it is something I can't directly control (not in the htaccess file, at least: there's a redirect panel in the hosting provider website manager)
          – Ian Bell
          yesterday




          Thank you very much, I'll test it soon. A quick reply to the final Aside: that one works anyway but it looks like it is something I can't directly control (not in the htaccess file, at least: there's a redirect panel in the hosting provider website manager)
          – Ian Bell
          yesterday




          1




          1




          Btw, your solution PERFECTLY works! :-)
          – Ian Bell
          yesterday




          Btw, your solution PERFECTLY works! :-)
          – Ian Bell
          yesterday




          1




          1




          "redirect panel in the hosting provider website manager" - I would always be wary of such tools. For example, the redirects section in cPanel is very limited and rather notorious.
          – MrWhite
          yesterday




          "redirect panel in the hosting provider website manager" - I would always be wary of such tools. For example, the redirects section in cPanel is very limited and rather notorious.
          – MrWhite
          yesterday




          1




          1




          This depends on how you are setting the Strict-Transport-Security response header. For example, to set this on the redirect you'll need to use the always argument on the Header directive. I answered a related question on the Pro Webmasters stack (skip the first part of my answer about on/off) which goes into more detail about implementing "HSTS preload" in .htaccess.
          – MrWhite
          yesterday




          This depends on how you are setting the Strict-Transport-Security response header. For example, to set this on the redirect you'll need to use the always argument on the Header directive. I answered a related question on the Pro Webmasters stack (skip the first part of my answer about on/off) which goes into more detail about implementing "HSTS preload" in .htaccess.
          – MrWhite
          yesterday




          1




          1




          You're welcome. To be honest, the Pro Webmasters stack is probably more suited to .htaccess-only related questions (ServerFault assumes you have full control of the server, in which case you wouldn't be doing this in .htaccess). It is arguably easier to implement this in the server config using separate <VirtualHost> containers (since you don't need to mess with env vars and additional conditions - it's "cleaner" and less prone to error). I don't think I would recommend "preload list" submission if you only have access to .htaccess. (My 2c)
          – MrWhite
          yesterday




          You're welcome. To be honest, the Pro Webmasters stack is probably more suited to .htaccess-only related questions (ServerFault assumes you have full control of the server, in which case you wouldn't be doing this in .htaccess). It is arguably easier to implement this in the server config using separate <VirtualHost> containers (since you don't need to mess with env vars and additional conditions - it's "cleaner" and less prone to error). I don't think I would recommend "preload list" submission if you only have access to .htaccess. (My 2c)
          – MrWhite
          yesterday










          Ian Bell is a new contributor. Be nice, and check out our Code of Conduct.









           

          draft saved


          draft discarded


















          Ian Bell is a new contributor. Be nice, and check out our Code of Conduct.












          Ian Bell is a new contributor. Be nice, and check out our Code of Conduct.











          Ian Bell is a new contributor. Be nice, and check out our Code of Conduct.













           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f930368%2fhsts-and-double-redirect%23new-answer', 'question_page');

          );

          Post as a guest













































































          Comments

          Popular posts from this blog

          What does second last employer means? [closed]

          Installing NextGIS Connect into QGIS 3?

          One-line joke