I am trying to finalize HSTS compliance and am a Web guy but this is over my head.
My current .htaccess is:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Any request not served over HTTPS is redirected (302, since R carries no code) straight to the www host
RewriteCond %{ENV:HTTPS} !on [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]
</IfModule>
# HSTS header, sent only on responses served over HTTPS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
I am using https://hstspreload.org/ to check compliance, and when I run this tool for my domain it returns:
http://example.com (HTTP) should immediately redirect to https://example.com (HTTPS) before adding the www subdomain. Right now, the first redirect is to https://www.example.com/. The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.
How do I force https first?
Multiple redirects are OK, but I want to make sure https is first.
You can have your redirects like this:
RewriteEngine On
RewriteBase /
# http -> https keeping same domain
RewriteCond %{ENV:HTTPS} !on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,NE,L]
# then add www while keeping it https
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,NE,L]
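As an added check (an example script, not part of the answer above), the following walks the redirect chain one hop at a time with curl and confirms that the first hop from http:// lands on https:// for the same host, which is the rule hstspreload.org applies. It assumes curl, sed and awk are installed; the example.com URLs are placeholders.

```shell
# Redirect-chain checker for the hstspreload.org rule quoted in the question:
# the first hop from http://host/ must land on https://host/ (same host);
# adding www. may only happen on a later hop. Needs curl, sed, awk.

# Scheme of a URL, lowercased.
scheme_of() {
  printf '%s\n' "$1" | sed -E 's#://.*##' | tr '[:upper:]' '[:lower:]'
}
# Host of a URL (scheme, path, query stripped), lowercased.
# Assumption: no userinfo; a port, if present, stays part of the host.
host_of() {
  printf '%s\n' "$1" | sed -E 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##; s#[/?].*##' \
    | tr '[:upper:]' '[:lower:]'
}
# first_hop_ok START LOCATION: succeed only if LOCATION is https:// on the
# same host as START (no scheme change and host change within one hop).
first_hop_ok() {
  [ "$(scheme_of "$2")" = "https" ] || return 1
  [ "$(host_of "$2")" = "$(host_of "$1")" ] || return 1
}

# Resolve a relative Location header (e.g. "/") against the request URL.
resolve() {
  case "$2" in
    /*) printf '%s://%s%s\n' "$(scheme_of "$1")" "$(host_of "$1")" "$2" ;;
    *)  printf '%s\n' "$2" ;;
  esac
}
# One request without -L, so every hop is observed individually.
next_hop() {
  curl -sS -o /dev/null -D - "$1" \
    | awk 'tolower($1) == "location:" { print $2 }' | tr -d '\r' | head -n 1
}

# check_chain START: print up to 5 hops; succeed only if the very first hop
# satisfies first_hop_ok. Example call: check_chain http://example.com/
check_chain() {
  url="$1"; n=0; ok=1
  while [ "$n" -lt 5 ]; do
    loc="$(next_hop "$url")"; [ -n "$loc" ] || break
    loc="$(resolve "$url" "$loc")"
    echo "$url -> $loc"
    if [ "$n" -eq 0 ] && first_hop_ok "$url" "$loc"; then ok=0; fi
    url="$loc"; n=$((n + 1))
  done
  return "$ok"
}

if [ "$#" -gt 0 ]; then check_chain "$1"; fi
```

With the answer's two rules in place the first printed hop should read `http://example.com/ -> https://example.com/` and the second should add the www host; with the original single rule the script fails on the first hop, exactly as the preload checker does.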