Enforcing SSL for Control Panel Requests

Any time you’re managing a public website, it’s a good idea to force SSL in the areas that deal with user accounts and other sensitive information. If you’re running Craft, protecting the entire control panel with SSL is a good place to start.

To force SSL for the Craft control panel, open up the .htaccess file in your web root, and add this to it:

<IfModule mod_rewrite.c>
  RewriteEngine On
    
  # Force SSL for control panel requests
  RewriteCond %{HTTP_HOST} example\.com [NC]
  RewriteCond %{REQUEST_URI} ^/admin/ [NC]
  RewriteCond %{HTTPS} !=on
  RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]
</IfModule>

If you have an index.php redirect in there already (for the 'omitScriptNameInUrls' setting) this code should go before that.

Let’s take this line-by-line so it’s clear what’s going on.

RewriteCond %{HTTP_HOST} example\.com$ [NC]

This prevents the redirect from affecting your local site. Set example\.com to your actual public domain name.

RewriteCond %{REQUEST_URI} ^/admin/ [NC]

This limits the SSL enforcement to URLs that begin with “/admin/”. If you have a custom cpTrigger config setting set, use that instead.

RewriteCond %{HTTPS} !=on

This prevents unnecessary redirects in the event that you’re already accessing the control panel over SSL. Leaving this out would actually create an infinite redirect loop.

Note that the %{HTTPS} variable might not be an accurate measure for whether the request is over SSL for some web hosts. EngineHosting, for example, requires that you set the following two lines instead:

RewriteCond %{ENV:SECURE_REDIRECT} !=on
RewriteCond %{SERVER_PORT} !^443$

If you’re having issues with this, ask your web host for more info.

RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]

If the incoming request has passed all of our RewriteCond checks, this line will handle the actual redirect.