Enforcing SSL for CP Requests

Any time you are managing a public website, it’s a good idea to force SSL in the areas that deal with user accounts or other sensitive information. If you’re running Craft, protecting the entire control panel with SSL is a good place to start.

To force SSL for the Craft CP, open up the .htaccess file in your web root, and add this to it:

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Force SSL for CP requests
    RewriteCond %{HTTP_HOST} example\.com$ [NC]
    RewriteCond %{REQUEST_URI} ^/admin/ [NC]
    RewriteCond %{HTTPS} !=on
    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]
</IfModule>

If your .htaccess already contains an index.php redirect, this block should go above it, so the SSL redirect is evaluated before the request is rewritten to index.php.

Let’s take this line-by-line so it’s clear what’s going on.

RewriteCond %{HTTP_HOST} example\.com$ [NC]

This limits the redirect to your public domain, so it doesn’t kick in on your local development site. Replace example\.com with your actual public domain name (the backslash escapes the dot, and the trailing $ anchors the match to the end of the host name).

RewriteCond %{REQUEST_URI} ^/admin/ [NC]

This limits the SSL enforcement to URLs that begin with “/admin/”, the default control panel path. If you have customized the cpTrigger config setting, use that value here instead.

RewriteCond %{HTTPS} !=on

This prevents unnecessary redirects in the event that you’re already accessing the CP over SSL. Leaving this out would actually create an infinite redirect loop.

Note that the %{HTTPS} variable might not be an accurate measure for whether the request is over SSL for some web hosts. EngineHosting, for example, requires that you set the following two lines instead:

RewriteCond %{ENV:SECURE_REDIRECT} !=on
RewriteCond %{SERVER_PORT} !^443$

If you’re having issues with this, ask your web host for more info.

RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]

If the incoming request has passed all of our RewriteCond checks, this line performs the actual redirect: it sends the browser to the same host and path over https, the R=301 flag marks it as a permanent redirect, and the L flag stops further rule processing for this request.
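To see how the three conditions combine, here is an added example that models the rule chain above in Python. It is not Craft’s or Apache’s code, only an approximation of mod_rewrite semantics (consecutive RewriteCond lines are ANDed, [NC] makes a match case-insensitive); the sample requests, the example.local host name and the check_https switch are constructed here to exercise each condition, including what happens when the %{HTTPS} check is left out.

```python
# Added example: a small Python model of the .htaccess rule chain, so you
# can check which requests would be redirected before touching a live server.
# Not Craft's or Apache's code; it approximates mod_rewrite semantics
# (consecutive RewriteCond lines are ANDed, [NC] means case-insensitive).
import re
from typing import Optional, Tuple

PUBLIC_HOST = r"example\.com$"  # the domain from the article; replace with yours
DEFAULT_CP_TRIGGER = "admin"    # Craft's default cpTrigger


def redirect_target(host: str, uri: str, https: bool,
                    cp_trigger: str = DEFAULT_CP_TRIGGER,
                    check_https: bool = True) -> Optional[str]:
    """Return the Location the RewriteRule would emit, or None if any
    RewriteCond fails and the request is served as-is.

    check_https=False models leaving out the `RewriteCond %{HTTPS} !=on` line.
    """
    # RewriteCond %{HTTP_HOST} example\.com$ [NC]  -- public domain only
    if not re.search(PUBLIC_HOST, host, re.IGNORECASE):
        return None
    # RewriteCond %{REQUEST_URI} ^/admin/ [NC]  -- control panel paths only
    if not re.match(rf"^/{re.escape(cp_trigger)}/", uri, re.IGNORECASE):
        return None
    # RewriteCond %{HTTPS} !=on  -- skip if already on SSL
    if check_https and https:
        return None
    # RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]
    return f"https://{host}{uri}"


def follow_redirects(host: str, uri: str, https: bool,
                     check_https: bool = True,
                     max_hops: int = 5) -> Tuple[int, bool]:
    """Replay the redirect the way a browser would: each redirect lands on
    https://, so the next request arrives with HTTPS on. Returns the number
    of hops taken and whether the chain settled within max_hops."""
    hops = 0
    while hops < max_hops:
        if redirect_target(host, uri, https, check_https=check_https) is None:
            return hops, True
        hops += 1
        https = True
    return hops, False


if __name__ == "__main__":
    # Constructed sample requests covering each condition in the chain.
    samples = [
        ("example.com", "/admin/login", False),   # redirected
        ("EXAMPLE.COM", "/Admin/", False),        # [NC]: still redirected
        ("example.com", "/admin/login", True),    # already SSL: left alone
        ("example.com", "/blog/", False),         # not the CP: left alone
        ("example.local", "/admin/", False),      # local dev host: left alone
    ]
    for host, uri, https in samples:
        print(f"{'https' if https else 'http'}://{host}{uri} ->",
              redirect_target(host, uri, https) or "(no redirect)")
    print("with HTTPS check:   ", follow_redirects("example.com", "/admin/", False))
    print("without HTTPS check:", follow_redirects("example.com", "/admin/", False,
                                                   check_https=False))
```

Running the script shows a single hop when the %{HTTPS} condition is present and a chain that never settles when it is removed, which is the infinite redirect loop described above. The model checks %{HTTP_HOST} exactly as the rule does, so a host with a port suffix or a host that your server reports differently will behave the same way here as in Apache.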