Tags: .htaccess, http-redirect, https, canonicalization

.htaccess code questions about SSL and canonicalization


In short, my website has a single payments page. SSL certificate is installed but is not required apart for that one payments page.

With regards to my .htaccess file - I currently separate my payments page with the following code. I also block visitors from semalt.com. Can't remember exactly why, but I think I was receiving unwanted attention (spam) from them at the time.

What I would like to know is:

  1. is this code still valid 5 years on?
  2. do I need to address canonicalization by directing to either a www or non-www version of mywebsite (importantly without affecting that one important https payments page); is it necessary?
    Options +FollowSymlinks
    RewriteEngine On
    RewriteBase /
    # RewriteCond %{HTTP_HOST} !^example\.com$ [NC]
    # RewriteRule .* http://example.com%{REQUEST_URI} [L,R=301]

    RewriteCond %{HTTPS} off
    RewriteRule ^payment\.html$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # block visitors referred from semalt.com
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} semalt\.com [NC]
    RewriteRule .* - [F]
    # End semalt block
    # block referer spam buttons for website
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} buttons\-for\-website\.com
    RewriteRule ^.* - [F,L]
    # End buttons for website block

    ErrorDocument 404 /404.html

Solution

  • The main thing I would address is that you are only redirecting to HTTPS for your payments page. You should be forcing HTTPS for your entire site - everywhere. These days browsers alert users to the fact that they are browsing an insecure connection if on HTTP (Google Chrome states "Not Secure" next to the URL), which doesn't do anything for user trust. This is the main thing that would have changed in the last 5 years - HTTPS is mandatory everywhere.

    There is no good reason not to use HTTPS everywhere these days.

    Assuming the rest of your site is already HTTPS "ready" (I assume it must be and you aren't sending users back to HTTP from your payment page?!) then change the HTTP to HTTPS redirect to include your entire site:

    # HTTP to HTTPS
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    

    2) do I need to address canonicalization by directing to either a www or non-www version of mywebsite (importantly without affecting that one important https payments page); is it necessary?

    Yes, you should. You already have the directives at the top of your .htaccess file - but they are commented out? You may have already set the rel="canonical" element in the head of your pages, but otherwise, if www and non-www are both available then this is potentially duplicate content (same content available from 2 or more different URLs). You need to decide which: www or non-www? Which do you currently favour? Which (predominantly) is already indexed? Which does your payments page use? (Hopefully, the answer is the same to all the above.)

    Also redirect directly to HTTPS as part of this redirect. And this should go before the current HTTP to HTTPS redirect (the same order as currently in your .htaccess file):

    # Redirect to non-www
    RewriteCond %{HTTP_HOST} !=example.com
    RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
    

    Note that the above www to non-www redirect assumes you are not using any other subdomains. To redirect to www.example.com, just change both instances of example.com.

    RewriteCond %{HTTP_REFERER} semalt\.com [NC]
    RewriteRule .* - [F]
    

    Ok, if it helps - check your server logs if this is doing anything for you. But change the .* regex to ^ (marginally more efficient). And any blocking directives should be at the very top of the file (you don't want to bother canonicalising these requests).

    RewriteCond %{HTTP_REFERER} buttons\-for\-website\.com
    RewriteRule ^.* - [F,L]
    

    Again - OK, if it helps (does it?!). Optimise the regex as above. No need to backslash escape literal hyphens in the CondPattern (unless they appear in the middle of a character class). The L flag is not required when used with F.

    Other notes:

    Summary

    Bringing the above points together we have:

    Options +FollowSymlinks
    
    ErrorDocument 404 /404.html
    
    RewriteEngine On
    
    # block visitors referred from semalt.com
    RewriteCond %{HTTP_REFERER} semalt\.com [NC]
    RewriteRule ^ - [F]
    
    # block referer spam buttons for website
    RewriteCond %{HTTP_REFERER} buttons-for-website\.com [NC]
    RewriteRule ^ - [F]
    
    # Redirect to non-www
    RewriteCond %{HTTP_HOST} !=example.com
    RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
    
    # HTTP to HTTPS
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
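
To see why the answer puts the blocks first, the host redirect second and the HTTP-to-HTTPS rule last, here is an added Python model of that decision chain (it is a simulation written for this page, not Apache and not the answerer's code). It walks the Summary's directives in order for a request and reports a 403, a 301 with its Location, or pass-through, and it follows the 301s the way a browser would so you can count redirect hops. The question's original rules are modelled alongside for contrast. `example.com` is the page's placeholder host; the sample requests at the bottom are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    scheme: str           # "http" or "https" (models %{HTTPS})
    host: str             # Host header as sent (models %{HTTP_HOST})
    path: str             # models %{REQUEST_URI}, e.g. "/payment.html"
    referer: str = ""     # models %{HTTP_REFERER}; empty when absent


@dataclass
class Response:
    status: int
    location: Optional[str] = None


CANONICAL_HOST = "example.com"  # placeholder host used on the page

# Referer CondPatterns from the Summary; both carry [NC], so both are matched
# case-insensitively here.
BLOCKED_REFERERS = [r"semalt\.com", r"buttons-for-website\.com"]


def rewrite_chain(req: Request) -> Response:
    """Evaluate the Summary's directives in the order the answer gives them."""
    # 1. RewriteCond %{HTTP_REFERER} <spam> [NC] / RewriteRule ^ - [F]
    #    Blocks sit first so spam referers are answered 403 without being
    #    redirected to the canonical host first.
    for pattern in BLOCKED_REFERERS:
        if re.search(pattern, req.referer, re.IGNORECASE):
            return Response(403)

    # 2. RewriteCond %{HTTP_HOST} !=example.com   (lexical compare, not regex)
    #    RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
    #    Any non-canonical host goes straight to https on the canonical host.
    if req.host != CANONICAL_HOST:
        return Response(301, f"https://{CANONICAL_HOST}{req.path}")

    # 3. RewriteCond %{HTTPS} off
    #    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    #    Only reached for requests already on the canonical host.
    if req.scheme != "https":
        return Response(301, f"https://{req.host}{req.path}")

    # No rule matched: served as requested.
    return Response(200)


def original_chain(req: Request) -> Response:
    """The question's original rules, for comparison: only /payment.html is
    forced to HTTPS (on whatever host it arrived at), the host redirect is
    commented out, and the second referer block has no [NC] flag."""
    # In per-directory (.htaccess) context the RewriteRule pattern sees the
    # path without its leading slash, hence the lstrip.
    if req.scheme != "https" and re.match(r"^payment\.html$", req.path.lstrip("/")):
        return Response(301, f"https://{req.host}{req.path}")
    if re.search(r"semalt\.com", req.referer, re.IGNORECASE):
        return Response(403)
    if re.search(r"buttons\-for\-website\.com", req.referer):
        return Response(403)
    return Response(200)


def redirect_hops(req: Request, chain=rewrite_chain, limit: int = 5) -> list:
    """Follow the model's 301s like a browser and return the Location values.
    One entry means http+www collapsed into a single redirect."""
    hops = []
    current = req
    for _ in range(limit):
        resp = chain(current)
        if resp.status != 301:
            break
        hops.append(resp.location)
        m = re.match(r"^(https?)://([^/]+)(/.*)$", resp.location)
        if not m:
            break
        current = Request(m.group(1), m.group(2), m.group(3), current.referer)
    return hops


if __name__ == "__main__":
    # Constructed sample requests, not taken from the page.
    samples = [
        Request("http", "www.example.com", "/payment.html"),
        Request("http", "example.com", "/"),
        Request("https", "example.com", "/payment.html"),
        Request("http", "example.com", "/", referer="https://semalt.com/crawler"),
    ]
    for r in samples:
        print(r)
        print("  summary  ->", rewrite_chain(r), "hops:", redirect_hops(r))
        print("  original ->", original_chain(r), "hops:", redirect_hops(r, original_chain))
```

The model only checks ordering and the redirect targets; it does not reproduce every mod_rewrite detail (query strings, RewriteBase, port numbers in the Host header), so confirm the deployed file with `curl -I` against the staging host for each of the four sample shapes above before switching DNS or announcing the change.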