All Linux HowTo's Security HowTo's

Force to HTTPS for Basic Authentication | Apache & .htaccess

This article demonstrates how to force a browser from “http” to “https” before sending credentials across the Internet.

Put the following into your “.htaccess” file. If will first force the connection to “https” and then it will prompt for the credentials. Notice the “commented out” IF statement. IF statements only work on and after Apache version 2.3. test it for yourself. Check the logs as you test it to ensure the password is sent (not necessarily asked for) over HTTPS.

# Force from HTTP to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Secure this /secured section
#<If "%{HTTPS} == 'on'">
 AuthUserFile /etc/httpd/website1.password
 AuthName "Secured by AGIX"
 AuthType Basic
 require valid-user

See related information here “”.

Reference “”.

Similar Posts:


  1. I would love to try this, on a shared hosting DreamHost server but it’s still running 2.2.31. Apparently in the “near future”, DreamHost will upgrade to 2.4 ( I’ve used the method:

    SSLOptions +StrictRequire
    SSLRequire %{HTTP_HOST} eq …
    ErrorDocument 403 https://

    paired with basic auth, but it’s never worked as clean as preferred. Yes, it ensures credentials aren’t sent in the clear, but if I had attempted to access a valid URI/URL like or, after authenticating, I end up at the ErrorDocument destination. After authenticating, I can navigate to the original destination. Seems to be a limitation of the SSLOptions +StrictRequire method of forcing SSL, and if I understand correctly, the method you describe overcomes this.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.