For a simplified version of this tutorial, see Getting Started - HTTPS.
In this article you will learn:
- What you need to do to activate HTTPS on your site
- How to force an HTTPS connection
- Common problems
- Frequently Asked Questions
Terms and conditions of website operation over HTTPS
In order for your web hosted site to use a secure HTTPS connection, you must first activate it in the web host's customer administration in one of the following ways:
- quick setup by following the instructions Webhosting - Quick HTTPS Setup,
- by manual settings according to the Webhosting - Manual HTTPS settings, or
- deploying your own certificate by Webhosting - Deploying your own SSL certificate.
HTTPS enforcement
Simply enabling HTTPS on a web host does not mean that the site will automatically switch to secure mode. After successfully enabling HTTPS and the certificate on the web host's side, you still need to configure the site to use the secure connection.
In your site's administration or configuration file, modify the settings to use a secure connection. Options may vary, including:
- change the site URL in the settings to start with https://
- enforcing SSL or HTTPS in the settings
- deploying a plugin to redirect to https://
It is best to consult your webmaster or editorial support for the ideal method.
If the above site settings are not available or not sufficient, add HTTPS redirection rules to the .htaccess file ( www folder). Copy and paste these rules immediately below the existing RewriteEngine On line:
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R=301,L]
Header set Content-Security-Policy "upgrade-insecure-requests;"
Adding this code may cause our application installer to be blocked. If you encounter a problem with the .htaccess file during installation, temporarily restore it and then re-copy it with an automatically created backup after a successful installation.
HTTPS for common content management systems
- WordPress: change both URLs in the WordPress administration, Settings menu General.
- Joomla: change the URL in the configuration.php file in the public $live_site variable. Apply the.htaccess rules above.
- Prestashop: in the site administration, navigate to Store Settings Main Enable SSL and select Enable SSL on all pages.
- Opencart: in the site administration, navigate to System Settings and select a specific store. Select the Server tab and check the Use SSL option. Apply the .htaccess rules above.
- Drupal: Apply the .htaccess rules above.
Common problems
Common problems with HTTPS settings on the web include:
- An error is displayed instead of a website
- Parts of the site are not loading
- Google Search Console has stopped working
Site error after HTTPS enforcement
Problem: After setting up HTTPS on the site, I get a 404 Not Found, Not found on Accelerator, or other message about HTTPS not being active.
Cause: HTTPS is not active on the webhost itself, or the certificate activation has not yet been completed. Rarely, it may be a certificate generation error even though the system has information that everything is fine.
Solution: Make sure that you have added the domain correctly to the certificate and that at least half an hour has passed since it was active according to the administration.
If the certificate has been active in the administration for more than half an hour and the website is still not working, try reloading it without the browser cache using the Ctrl+Shift+R keyboard shortcut. Please provide the name of the site and the full text or screenshot of the error message.
Broken web - mixed content
Problem: After setting up HTTPS on the site, CSS stopped working, images and other media are not displayed.
Cause: if the home page uses a secure HTTPS connection, the browser sees all resources loaded over HTTP as potentially dangerous and blocks them.
Solution: If you are using custom code, review it and verify that you are specifying absolute file addresses with HTTPS and not HTTP. For example, http://domena.tld/obrazek.jpg correct to https://domena.tld/obrazek.jpg.
If you use a content management system, such as WordPress, check its documentation or ask support how to fix mixed content.
Google Search Console error
Problem: After enforcing HTTPS, I observe a redirect error on GSC.
Cause: If you use the code in .htaccess RewriteRule (.*) https://%{SERVER_NAME}/$1 [R=301,L], the page is redirected from the insecure version to the secure version with a return code of 301 (permanently moved). Some diagnostic and analysis tools may see this as a problem.
Solution: Try eliminating the problematic code by placing the # character at the beginning of the line. Test carefully to make sure this modification does not break the correct functionality of HTTPS enforcement.
Frequently Asked Questions
How do I check that HTTPS is working properly?
Enter the address of your website with http (http://domena.tld) into your browser. If you have everything set up correctly, the address will be automatically corrected to the https version and marked with a lock icon. If this does not happen, go through the steps of the instructions again carefully, including editing the .htaccess file.