Enforcing SSL for Control Panel Requests
Any time you’re managing a public website, it’s a good idea to force SSL in the areas that deal with user accounts and other sensitive information. If you’re running Craft, protecting the entire control panel with SSL is a good place to start.
To force SSL for the Craft control panel, open up the .htaccess file in your web root, and add this to it:
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Force SSL for control panel requests
    RewriteCond %{HTTP_HOST} example\.com$ [NC]
    RewriteCond %{REQUEST_URI} ^/admin/ [NC]
    RewriteCond %{HTTPS} !=on
    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]
</IfModule>
If you already have an index.php redirect in there (for the 'omitScriptNameInUrls' config setting), this block should go before it.
Let’s take this line-by-line so it’s clear what’s going on.
RewriteCond %{HTTP_HOST} example\.com$ [NC]
This restricts the redirect to your public domain so it doesn't affect your local development site. Replace example\.com with your actual public domain name.
RewriteCond %{REQUEST_URI} ^/admin/ [NC]
This limits the SSL enforcement to URLs that begin with “/admin/”. If you have set a custom cpTrigger config setting, use that value instead of admin.
RewriteCond %{HTTPS} !=on
This prevents unnecessary redirects in the event that you’re already accessing the control panel over SSL. Leaving it out would actually create an infinite redirect loop, because the rule would keep redirecting requests that already arrived over HTTPS.
Note that the %{HTTPS} variable might not be an accurate measure of whether the request is over SSL on some web hosts. EngineHosting, for example, requires that you set the following two lines instead:
RewriteCond %{ENV:SECURE_REDIRECT} !=on
RewriteCond %{SERVER_PORT} !^443$
If you’re having issues with this, ask your web host for more info.
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]
If the incoming request has passed all of our RewriteCond checks, this line handles the actual redirect.
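The following is an added example of a complete .htaccess, not taken from the original article, showing the SSL block placed ahead of the index.php redirect as the article requires. The front-controller rewrite at the bottom (the REQUEST_FILENAME checks and index.php?p=$1 rule) is assumed to be the standard Craft one; adjust it to whatever your site already uses, and replace example\.com and admin with your own domain and cpTrigger.

```apache
# Constructed example .htaccess (not from the original article): the SSL block
# for the control panel comes first, then the usual Craft index.php rewrite.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # 1. Force SSL for control panel requests.
    #    Replace example\.com with your public domain; the $ anchor stops the
    #    rule from matching hosts such as example.com.local while developing.
    RewriteCond %{HTTP_HOST} example\.com$ [NC]
    #    "/admin/" must match your cpTrigger config setting (default: admin).
    RewriteCond %{REQUEST_URI} ^/admin/ [NC]
    #    Skip requests that already arrive over SSL; without this condition the
    #    rule redirects forever.
    RewriteCond %{HTTPS} !=on
    #    On hosts where %{HTTPS} is unreliable, replace the line above with the
    #    conditions your host documents, e.g. the EngineHosting pair from the
    #    article:
    #    RewriteCond %{ENV:SECURE_REDIRECT} !=on
    #    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]

    # 2. Route everything that isn't a real file or directory through index.php
    #    (the rewrite used with omitScriptNameInUrls). Assumed to be the
    #    standard Craft front-controller rewrite. Keeping the SSL block first
    #    means a plain-HTTP control panel request is redirected before this
    #    rule's [L] flag ends the rewrite pass.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule (.+) index.php?p=$1 [QSA,L]
</IfModule>
```

After deploying, request the control panel over plain HTTP and confirm you receive a single 301 to the https:// URL, then request the https:// URL directly and confirm it returns the login page with no further redirect; a second redirect at that point is the loop described above and means the %{HTTPS} condition (or your host's equivalent) is not being satisfied.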