# You may need to optimize the url to avoid double 301 RewriteEngine On RewriteCond %{REQUEST_METHOD} =GET RewriteCond %{HTTPS} !=on RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] # Change the 3600 (1 hour) in 63072000 (1 year) once you have confirmed everything works Header always set Strict-Transport-Security "max-age=3600"