How do you know when it is finally time to make a change to something on your website and you can no longer postpone it? Well, when Google starts penalising. I kept on postponing setting up https for [my website](https://www.bitfolio.org/). But since Google started penalising sites without https and Google Chrome started showing the Not Secure icon for all the http sites, I finally thought of setting up an SSL certificate for my website.

Let's Encrypt was a saviour both in terms of cost and ease of setup. The only downside is that it needs to be renewed every three months. Once you are done with the setup you can check https://www.ssllabs.com/ssltest/analyze.html?d=bitfolio.org&latest to make sure that it is implemented correctly.

Once this was done I thought it should be an easy go. But I was surprised that even after having worked for a couple of years in Drupal I was not completely aware of the full setup. I always offloaded this section to my sysadmin. It took me some time to figure it out and the blogs I found were not really helpful. So I thought of putting it together here.

Assuming that I have a domain `example.com`, I would like to redirect all the variations of this domain to the https version. There can be six variations:

- `example.com`
- `www.example.com`
- `http://example.com`
- `http://www.example.com`
- `https://example.com`
- `https://www.example.com`

I want to make sure that all these variations redirect to `https://www.example.com`.

`example.com` is the naked version of your domain `www.example.com`. Go to your domain provider and add an A record pointing to the IP of your server. Add a CNAME record to point the www version also to the same IP.
Assuming you are running Apache (there will be similar settings in all servers), go to your virtual host and make sure to add both `ServerName` and `ServerAlias`:

```apache
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    # ... the rest of your existing virtual host settings ...
</VirtualHost>
```

This will make sure that your server listens for both the naked and the www versions of the domain and points them to your code folder for execution.

Now go to your `.htaccess` file and make sure that you have the following code:

```apache
RewriteEngine on

# Set "protossl" to "s" if we were accessed via https://. This is used later
# if you enable "www." stripping or enforcement, in order to ensure that you
# don't bounce between http and https.
RewriteRule ^ - [E=protossl]
RewriteCond %{HTTPS} on
RewriteRule ^ - [E=protossl:s]
```

This code just sets a flag called `protossl` to `s` if you have visited using https. This will ensure that you don't go into infinite redirections between http and https, as mentioned in the comments.

Comment out all other settings related to http and https redirection. Then add the following:

```apache
# Rewrite http(s)://example.com to https://www.example.com
RewriteCond "%{HTTP_HOST}" "!^www\." [NC]
RewriteCond "%{HTTP_HOST}" "!^$"
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Rewrite http://www.example.com to https://www.example.com
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

This code was provided by [mdrescher](https://www.drupal.org/u/mdrescher) on [the Drupal forum](https://www.drupal.org/forum/support/post-installation/2018-04-15/forcing-to-https#comment-12723535). Check out his comments on why you need two different rules.

These changes will make sure that all six variations (`example.com`, `www.example.com`, `http://example.com`, `http://www.example.com`, `https://example.com`, `https://www.example.com`) redirect to `https://www.example.com`.

Hope it will save time for somebody who is moving to https. https is good for the overall internet. Do take out some time this weekend to move your sites to https.

This section was added based on a comment by Ilias. Ilias el Matani suggested HSTS and I spent some time looking into it. 302 redirects manually redirect http requests to https. But this also leaves a window for hackers to eavesdrop, because the first request still goes out over plain http. HSTS preloads make sure that browsers are aware that the website uses https, through the header sent to the browsers.

> "This sets the Strict-Transport-Security policy field parameter. It forces those connections over HTTPS encryption, disregarding any script's call to load any resource in that domain over HTTP."

You can read more about it on https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it/

To enable HSTS, run `apachectl -M` and make sure the headers module is enabled. If not, use `sudo a2enmod headers` to enable headers.

Add the following in your `.htaccess` file:

```apache
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
```

Once you are done with the changes, visit https://hstspreload.org/?domain=bitfolio.org to check the status of your domain. If everything is fine then you can submit the form to include your domain in the preload list.

To make it compatible with the suggestions provided, I had to comment out the first part in the htaccess code.
```apache
# Rewrite http(s)://example.com to https://www.example.com
#RewriteCond "%{HTTP_HOST}" "!^www\." [NC]
#RewriteCond "%{HTTP_HOST}" "!^$"
#RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Rewrite http://www.example.com to https://www.example.com
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

While this makes sure that you are always redirected to the https version and HSTS is enabled, it considers the www and naked versions as different. I am still checking if there is a way around this. If you have figured this out please comment.
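The redirect behaviour discussed above can be traced offline. This is an added example, not code from the original post: it models the article's two rewrite rules as Python functions and compares the article's rule order with a swapped order (an assumption, using the same two rules) in which http is first upgraded to https on the same host, as hstspreload.org expects, and only then moved to www.

```python
from urllib.parse import urlsplit

def rule_force_www(scheme, host, uri):
    # Article's first rule: host not empty and not starting with "www." ([NC])
    if host and not host.lower().startswith("www."):
        return f"https://www.{host}{uri}"
    return None

def rule_force_https(scheme, host, uri):
    # Article's second rule: RewriteCond %{HTTPS} off
    if scheme == "http":
        return f"https://{host}{uri}"
    return None

ARTICLE_ORDER = [rule_force_www, rule_force_https]
HTTPS_FIRST = [rule_force_https, rule_force_www]  # assumption: same rules, swapped

def trace(url, rules, max_hops=5):
    """Return the chain of URLs a client visits; first matching rule wins ([L])."""
    chain = [url]
    for _ in range(max_hops):
        parts = urlsplit(chain[-1])
        uri = parts.path or "/"
        target = None
        for rule in rules:
            target = rule(parts.scheme, parts.hostname, uri)
            if target:
                break
        if target is None:
            return chain
        chain.append(target)
    raise RuntimeError("redirect loop: " + " -> ".join(chain))

def same_host_upgrade(chain):
    """True if an http:// start is first redirected to https:// on the same host."""
    first = urlsplit(chain[0])
    if first.scheme != "http":
        return True
    if len(chain) < 2:
        return False
    hop = urlsplit(chain[1])
    return hop.scheme == "https" and hop.hostname == first.hostname

if __name__ == "__main__":
    # Constructed inputs; a bare example.com typed in a browser is sent as http://
    for name, rules in (("article order", ARTICLE_ORDER), ("https first", HTTPS_FIRST)):
        for url in ("http://example.com/", "http://www.example.com/", "https://example.com/"):
            chain = trace(url, rules)
            print(f"{name:14}{' -> '.join(chain)}  same-host upgrade: {same_host_upgrade(chain)}")
```

With the swapped order every variant still ends at `https://www.example.com/`, at the cost of one extra hop for `http://example.com/`.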
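Before submitting a domain to the preload list, the `Strict-Transport-Security` value itself can be checked. This is an added example, not part of the original post: a small parser for the header value plus a check for the three things hstspreload.org requires of it (a `max-age` of at least one year, `includeSubDomains`, and `preload`); the function names and the sample values in the comments are constructed for illustration.

```python
MIN_PRELOAD_MAX_AGE = 31536000  # one year in seconds, the preload list minimum

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: argument-or-True}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        if not name:
            continue                          # tolerate a trailing ";"
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        # max-age may be sent as a quoted string, e.g. max-age="63072000"
        directives[name] = arg.strip().strip('"') if arg else True
    return directives

def preload_problems(value):
    """Return a list of reasons the header value would fail the preload check."""
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    max_age = d.get("max-age")
    if not (isinstance(max_age, str) and max_age.isdigit()):
        problems.append("max-age missing or not a number")
    elif int(max_age) < MIN_PRELOAD_MAX_AGE:
        problems.append(f"max-age {max_age} is below {MIN_PRELOAD_MAX_AGE}")
    for flag in ("includesubdomains", "preload"):
        if d.get(flag) is not True:
            problems.append(f"{flag} directive missing")
    return problems

if __name__ == "__main__":
    samples = [
        "max-age=63072000; includeSubDomains; preload",      # value used in this article
        "max-age=86400; includeSubDomains",                  # constructed: too short, no preload
        "“max-age=63072000; includeSubDomains; preload”",    # constructed: quotes mangled by copy-paste
    ]
    for s in samples:
        print(s, "->", preload_problems(s) or "ok")
```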