Force SSL on a Drupal 7 Site

Posted on August 24, 2017 in Drupal, Security

Addressing the elephant in the room: yes, I know this is a WordPress site now. I still have a lot of client sites on Drupal, so there are just going to be Drupal posts.

What Needs to Change

The two files that will need to change are the .htaccess and the settings.php files. The .htaccess will serve to force any page visited to an HTTPS connection (front end and back end). The settings.php file needs a line to force HTTPS on all your CSS/JS files. Without it you get the dreaded “mixed content” error message, and the browser does not load those styles/scripts.

The Settings.php Change

We’ll start here, because it’s the easiest. In the settings.php file, find the line that sets the $base_url (it should be commented out – somewhere around line 301). Uncomment the line by removing the # sign and fill in your domain – making sure to add the HTTPS at the beginning.

Were this site a Drupal site, the line would look a little something like this:

$base_url = 'https://mburnette.com'; // NO trailing slash!

This will tell your css/js files that they need to conform to this new pattern. Next up, forcing the redirect….

The .htaccess Changes

The .htaccess file has a couple of changes that need to be made, but nothing too crazy. Open up the file and find the section that talks about “proto-ssl” stuff – it should be somewhere around line 64. You’ll see a description of what these lines do and then 3 uncommented lines below.


# Set "protossl" to "s" if we were accessed via https://. This is used later
# if you enable "www." stripping or enforcement, in order to ensure that
# you don't bounce between http and https.
RewriteRule ^ - [E=protossl]
RewriteCond %{HTTPS} on
RewriteRule ^ - [E=protossl:s]

The three lines that are uncommented need to become commented like this:


# Set "protossl" to "s" if we were accessed via https://. This is used later
# if you enable "www." stripping or enforcement, in order to ensure that
# you don't bounce between http and https.
# RewriteRule ^ - [E=protossl]
# RewriteCond %{HTTPS} on
# RewriteRule ^ - [E=protossl:s]

Then, add the following code right below those three lines:


RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

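This will force any non-https addresses to https. The first condition matches requests that arrived over plain HTTP. The second is there for sites behind a proxy or load balancer that terminates SSL and passes the original scheme along in the X-Forwarded-Proto header, so that requests which were already HTTPS at the proxy don't get redirected in a loop. That header is supplied by whoever sends the request, so if your site is not behind such a proxy, leave the second condition out.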
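To confirm both changes took effect, here is a small Python check (an added example, not code from the original post). It validates response headers captured with `curl -sI` against the expected 301-to-HTTPS redirect and scans page HTML for assets still referenced over http://. The function names, example.com and the sample data are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def check_redirect(raw_headers, host, path):
    """Return a list of problems with the response to http://host/path."""
    lines = raw_headers.strip().splitlines()
    parts = lines[0].split() if lines else []
    status = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    problems = []
    if status != "301":
        problems.append(f"expected 301, got {status or 'no status'}")
    target = urlsplit(headers.get("location", ""))
    if target.scheme != "https":
        problems.append("Location is not an https:// URL")
    if target.netloc.lower() != host.lower() or target.path != path:
        problems.append("redirect changes the host or path")
    return problems

class _AssetFinder(HTMLParser):
    """Collects http:// URLs in tags the browser loads as subresources."""
    ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
    def __init__(self):
        super().__init__()
        self.insecure = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # only stylesheet links are loaded as page content
        url = a.get(self.ATTR.get(tag, ""), "") or ""
        if url.lower().startswith("http://"):
            self.insecure.append(url)

def find_mixed_content(html):
    finder = _AssetFinder()
    finder.feed(html)
    return finder.insecure

# Constructed sample data (example.com is a placeholder, not from the post).
SAMPLE_HEADERS = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/node/1\r\n"
SAMPLE_HTML = """<link rel="stylesheet" href="https://example.com/css/a.css">
<script src="http://example.com/misc/drupal.js"></script>
<a href="http://example.com/about">About</a>"""

if __name__ == "__main__":
    print(check_redirect(SAMPLE_HEADERS, "example.com", "/node/1"), find_mixed_content(SAMPLE_HTML))
```

An empty list from `check_redirect` means the .htaccess rule is working; anything returned by `find_mixed_content` points at an asset the `$base_url` change did not cover, usually a URL hard-coded in a theme or in content.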

And that’s all there is to it! Go ahead and give it a shot and leave me a comment below if it works (or doesn’t)!
