For reasons much too long and complex to get into (it involves several layers of corporate red tape resulting in someone else not purchasing a wildcard SSL certificate I requested), IF you have to set up a domain to redirect all requests to – secure protocol with the www subdomain. So:,, and should ALL redirect to
use the following code in htaccess file :-In the .htaccess If I enable:

  • The forcing of https
  • redirection for www. prefixed urls to urls without the prefix

The visitor is not redirected from to, as I would have expected. Instead, the user is redirected to (so the prefix isn’t removed).

I am not an expert in htaccess url rewriting, but it seems like the subdomain is only removed for http connections and it redirects to the unprefixed, but unsecured version of the url (so it doesn’t do anything for https connections). Wouldn’t it be better to rewrite secure connections as well? Just wondering if this is an oversight or by design.

# ensure www.
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# ensure https
RewriteCond %{HTTP:X-Forwarded-Proto} !https 
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]