Installing an SSL certificate on your SakuraHost account is just the first step. By default, your website may still be accessible over both HTTP and HTTPS, meaning visitors who type your domain without the "https://" prefix or follow old bookmarks will land on the insecure version. To fully secure your site, you need to force all traffic to use HTTPS. The most common and reliable way to do this on Apache-based hosting (which SakuraHost uses) is through the .htaccess file.

Why Force HTTPS?

  • Complete Encryption: Without forcing HTTPS, visitors accessing your site via HTTP have an unencrypted connection, exposing their data to potential interception.
  • SEO Benefits: Having both HTTP and HTTPS versions creates duplicate content. Forcing HTTPS with a proper 301 redirect consolidates your SEO authority on the secure URL. Google's crawlers will index only the HTTPS version.
  • Browser Warnings: Visitors on the HTTP version will see "Not Secure" warnings in modern browsers, which can damage your credibility and increase bounce rates.
  • HSTS Compatibility: HTTP Strict Transport Security (HSTS) requires HTTPS to be enforced before it can be activated, providing even stronger security guarantees.
Prerequisite: You must have a valid SSL certificate installed before forcing HTTPS. All SakuraHost accounts include free AutoSSL. Verify your certificate is active by visiting https://yourdomain.co.tz in your browser. If you see certificate errors, resolve those first.

Method 1: Standard .htaccess HTTPS Redirect

This is the most widely used method and works on all Apache-based hosting including SakuraHost.

Accessing Your .htaccess File

Step 1: Log in to cPanel from your SakuraHost client area.
Step 2: Open File Manager from the Files section.
Step 3: Navigate to your website's document root (usually public_html for your main domain, or public_html/yourdomain for addon domains).
Step 4: If you do not see the .htaccess file, click Settings in the top-right corner of File Manager and check "Show Hidden Files (dotfiles)".
Step 5: Right-click on .htaccess and select Edit. If the file does not exist, create a new file named .htaccess (including the leading dot).

Adding the HTTPS Redirect Rule

Add the following code at the very top of your .htaccess file, before any existing rules:

RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This rule works as follows:

  • RewriteEngine On — Enables the Apache rewrite module.
  • RewriteCond %{HTTPS} off — Checks if the current request is NOT using HTTPS.
  • RewriteRule ^(.*)$ — Matches any URL path.
  • https://%{HTTP_HOST}%{REQUEST_URI} — Redirects to the same URL but with HTTPS.
  • [L,R=301] — Issues a permanent (301) redirect and stops processing further rules.

Method 2: Redirect with WWW Normalization

If you also want to standardize your URL to either include or exclude "www", you can combine both redirects. Here is an example that forces HTTPS and redirects to the non-www version:

RewriteEngine On # Redirect www to non-www RewriteCond %{HTTP_HOST} ^www.(.+)$ [NC] RewriteRule ^(.*)$ https://%1/$1 [L,R=301] # Redirect HTTP to HTTPS RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

And here is the version that forces HTTPS with www:

RewriteEngine On # Redirect non-www to www RewriteCond %{HTTP_HOST} !^www. [NC] RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [L,R=301] # Redirect HTTP to HTTPS RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Method 3: Behind a Load Balancer or Proxy

If your website sits behind Cloudflare or another proxy/load balancer, the standard %{HTTPS} variable may not work correctly because the connection between the proxy and your server might be HTTP even though the visitor's connection to the proxy is HTTPS. In this case, use the X-Forwarded-Proto header:

RewriteEngine On RewriteCond %{HTTP:X-Forwarded-Proto} !https RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Method 4: WordPress-Specific HTTPS Configuration

For WordPress sites, in addition to the .htaccess redirect, add these constants to your wp-config.php file:

define('FORCE_SSL_ADMIN', true); // If behind a reverse proxy or load balancer: if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') { $_SERVER['HTTPS'] = 'on'; }

Adding HSTS for Maximum Security

HTTP Strict Transport Security (HSTS) tells browsers to always connect to your site over HTTPS, even if the user types http://. After confirming HTTPS works correctly, add this to your .htaccess:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Caution with HSTS: Once HSTS is active, browsers will refuse to connect to your site over HTTP for the duration specified in max-age (31536000 seconds = 1 year). Make sure your SSL is properly configured and will remain active before enabling HSTS. Start with a shorter max-age (e.g., 300 seconds) for testing.

Testing Your Configuration

After adding the redirect rules:

  1. Clear Browser Cache: Old 301 redirects may be cached. Use an incognito/private window for testing.
  2. Test HTTP URL: Visit http://yourdomain.co.tz and verify it redirects to https://yourdomain.co.tz.
  3. Test Subpages: Visit http://yourdomain.co.tz/contact and confirm the full path is preserved in the redirect.
  4. Check Redirect Chain: Use a redirect checker tool to ensure there is only one redirect hop, not a chain of multiple redirects which would slow page loading.
  5. Run SSL Labs Test: Visit SSL Labs to verify your overall SSL/TLS configuration grade.

Troubleshooting

Redirect Loop (ERR_TOO_MANY_REDIRECTS)

This typically happens when something else is also redirecting, creating an infinite loop. Common causes include a CMS setting that also forces HTTPS, a Cloudflare "Flexible SSL" setting (switch to "Full" or "Full Strict"), or conflicting rules in .htaccess. Check each layer for duplicate redirect rules.

500 Internal Server Error

If your site shows a 500 error after editing .htaccess, the mod_rewrite module may not be enabled (it is enabled on SakuraHost), or there is a syntax error in your rules. Revert your changes via File Manager and try again carefully. Ensure there is only one RewriteEngine On directive in the file.

Need Help? If you encounter issues forcing HTTPS on your SakuraHost account, our support team is available 24/7 at billing.sakurahost.co.tz to assist with your SSL configuration.
Was this answer helpful? 0 Users Found This Useful (0 Votes)

Most Popular Articles

Understanding SSL Certificates: Types, Benefits, and How They Work

.kb-article { line-height: 1.8; color: inherit; max-width: 900px; } .kb-article h2 { color:...
How to Install a Free SSL Certificate on SakuraHost (AutoSSL)

.kb-article { line-height: 1.8; color: inherit; max-width: 900px; } .kb-article h2 { color:...
Fixing Mixed Content Errors After Installing SSL

.kb-article { line-height: 1.8; color: inherit; max-width: 900px; } .kb-article h2 { color:...
Understanding and Preventing DDoS Attacks on Your Website

.kb-article { line-height: 1.8; color: inherit; max-width: 900px; } .kb-article h2 { color:...
How to Scan and Remove Malware from Your Hosting Account

.kb-article { line-height: 1.8; color: inherit; max-width: 900px; } .kb-article h2 { color:...