
I have a WordPress site that should now be totally served over HTTPS. I get mixed content warnings on most of the pages, as quite a lot of the content still has http addresses in the db, but is all available via https.

I have the following in my .htaccess file:

# Redirect HTTP to HTTPS
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]


# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

I have limited Apache experience, so my question is why doesn't the above redirect ALL requests to https, even the embedded content?

nswart

1 Answer


why doesn't the above redirect ALL requests to https, even the embedded content?

It does, but the browser warning occurs before the request is actually made, i.e. before your server is able to redirect. This is necessary in order to prevent information leaking over HTTP and MITM attacks.

When a request is made over HTTPS then the communication between the client and server is encrypted. The URL-path is hidden and any attempt to spy on that network traffic is thwarted because it is encrypted. However, if that HTTPS page makes a request over HTTP (for any external resource, CSS, JS, image, another site, AJAX request, etc) then the URL-path is visible and you potentially send cookies, session info, etc over an unencrypted connection which can be viewed and manipulated by a third party.

You need to update the HTTP URLs in your database to HTTPS, so that you only ever reference HTTPS in your client-side HTML.

RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]

This is a 302 (temporary) redirect. Once you have everything working then you should change this to 301 (permanent) by changing the R flag to R=301.

MrWhite
  • Thank you for your answer. Can you maybe explain what you mean by information *leaking* over HTTP – nswart Sep 27 '18 at 07:33
  • 1
    If someone is observing the traffic, the fact that the resource was requested is visible when made over HTTP. Further, if an attacker has the ability to modify traffic in transit, they can prevent the user agent from ever seeing the redirect, and instead serve their payload. This is the entire reason mixed-content warnings exist. – womble Sep 27 '18 at 07:43
  • Womble has already explained, but I've updated my answer. – MrWhite Sep 27 '18 at 07:47
  • Thanks for your clear explanation @womble and MrWhite. – nswart Sep 27 '18 at 07:52
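The answer's point is that the server-side redirect never gets a chance to run, because the browser refuses (or warns about) an http:// subresource on an https:// page before sending the request; the only fix is to stop emitting http:// references in the markup, which for WordPress means the URLs stored in the database. The following script, added here as an illustration and not part of the question or answer above, does what a browser does when it decides a page has mixed content: it walks the HTML for attributes that trigger a fetch (src, srcset, stylesheet/icon href, inline CSS url()), resolves them against the page URL, and reports those that would go out over plain HTTP. A second helper rewrites same-host http:// references to https, mirroring the database search-and-replace, so the check can be re-run to confirm only third-party hosts remain. The hostnames (example.com, cdn.example.net, static.example.org) and the HTML are constructed sample input.

```python
"""Mixed-content checker: list the http:// subresources an HTTPS page would
request, and rewrite same-host references to https (the equivalent of fixing
the URLs stored in the WordPress database). Added example; sample input is
constructed and the hostnames are placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a subresource. Plain <a href>
# is deliberately absent: navigations are not mixed content, only embedded loads.
FETCH_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
}
# <link href> only triggers a load for these rel values; rel=canonical etc. do not.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload"}
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)")


class _SubresourceCollector(HTMLParser):
    """Collect (tag, attribute, absolute URL) for every embedded load."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        fetch_attrs = FETCH_ATTRS.get(tag, ())
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_LINK_RELS:
                fetch_attrs = ()
        for attr in fetch_attrs:
            value = attrs.get(attr)
            if not value:
                continue
            if attr == "srcset":
                # "a.jpg 1x, b.jpg 2x" -> first token of each comma-separated entry
                candidates = [c.split()[0] for c in value.split(",") if c.split()]
            else:
                candidates = [value]
            for candidate in candidates:
                # urljoin turns relative and protocol-relative (//host/x) URLs into
                # absolute ones using the page's scheme, exactly as a browser does.
                self.found.append((tag, attr, urljoin(self.page_url, candidate)))
        style = attrs.get("style")
        if style:
            for url in CSS_URL_RE.findall(style):
                self.found.append((tag, "style", urljoin(self.page_url, url)))


def find_mixed_content(html, page_url):
    """Return sorted absolute http:// subresource URLs an HTTPS page would request.

    A page that is itself served over http cannot have mixed content, so the
    result is empty in that case."""
    if urlsplit(page_url).scheme != "https":
        return []
    collector = _SubresourceCollector(page_url)
    collector.feed(html)
    return sorted({url for _, _, url in collector.found
                   if urlsplit(url).scheme == "http"})


def upgrade_same_host_urls(html, host):
    """Rewrite http://host... to https://host... in markup.

    This is the markup-level equivalent of updating stored URLs in the
    database; third-party hosts are left alone because you cannot know they
    serve the same resource over HTTPS."""
    pattern = r"http://" + re.escape(host) + r"(?=[/'\"\s)>]|$)"
    return re.sub(pattern, "https://" + host, html)


# Constructed sample page: same-host http references (the WordPress DB problem),
# a protocol-relative script, a relative srcset entry and a third-party CSS image.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://example.com/post/">
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/a.jpg"
     srcset="http://example.com/a-2x.jpg 2x, /a-3x.jpg 3x">
<a href="http://example.com/another-post/">link</a>
<div style="background: url('http://static.example.org/bg.png')"></div>
</body></html>
"""

if __name__ == "__main__":
    page = "https://example.com/post/"
    for url in find_mixed_content(SAMPLE_HTML, page):
        print("mixed content:", url)
    fixed = upgrade_same_host_urls(SAMPLE_HTML, "example.com")
    for url in find_mixed_content(fixed, page):
        print("still mixed after same-host rewrite:", url)
```

Running it shows four blocked-or-warned loads on the sample page (the theme stylesheet, the upload, the 2x srcset entry and the third-party background image), while the canonical link, the navigation link, the protocol-relative script and the relative srcset entry are all fine. After rewriting the same-host references only the static.example.org image remains, which is the kind of reference a database search-and-replace cannot safely fix and that has to be checked by hand.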