This article demonstrates how to force a browser from “http” to “https” before sending credentials across the Internet.
Put the following into your “.htaccess” file. If will first force the connection to “https” and then it will prompt for the credentials. Notice the “commented out” IF statement. IF statements only work on and after Apache version 2.3. test it for yourself. Check the logs as you test it to ensure the password is sent (not necessarily asked for) over HTTPS.
# Force from HTTP to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Secure this /secured section
#<If "%{HTTPS} == 'on'">
AuthUserFile /etc/httpd/website1.password
AuthName "Secured by AGIX"
AuthType Basic
require valid-user
#</If>
See related information here “http://www.agix.com.au/secure-your-web-site-with-a-htaccess-file/”.
Reference “http://stackoverflow.com/questions/13977851/htaccess-redirect-to-https-www”.
Squirreled-away your .htaccess lines for future use. 🙂
Thanks for sharing!