[SOLVED] Pythonanywhere HTTP works but HTTPS doesnt

Pythonanywhere HTTP works but HTTPS doesnt

So I am using Namecheap and PythonAnywhere to host my website; however one big issue about URL redirection is present. I have forced HTTPS in my PythonAnywhere account and so my website works when a user inputs:

https://www.website.com (Loads super quickly)
http://www.website.com (takes 5-6 seconds)
http://website.com (takes 5-6 seconds)

But it never works when inputting https://website.com

What should I do? I have URL redirects present in NameCheap but I think I have to somehow force HTTPS on my web app of website.com as well as force HTTPS on www.website.com on pythonanywhere. How do I do that?

Solution

In order to get a redirect for an https link, you'll need a redirection service that supports HTTPS. Unfortunately, from your description, it sounds like Namecheap don't do that. Of other registrars, I know that Gandi do support them, and I believe that GoDaddy do not.

Obviously, changing your registrar would be a pretty heavyweight process. So the options available that I know of if you stay with Namecheap are NakedSSL and the new "SSL for the cloud" option at Wwwizer. I've heard good things about the former, but haven't heard anything (positive or negative) about the latter. Both of these are paid services, though.

One question to ask, though, is whether you really need the HTTPS redirect for the naked domain. There are two ways that people will be using your URL:

They'll be clicking on links that go to your site. Those are likely to go to https://www.website.com/, so (as you say) they'll work fine and be snappy
They'll be typing URLs into their address bar. If they type website.com, then Chrome will automatically send them to http://website.com (these days it will check to see if https://website.com works first, but then it will switch to HTTP). And that already works. The only way for them to go to https://website.com would be if they typed exactly that into the browser's location bar, and in my experience no-one ever does that unless they're testing their own site :-)

So perhaps you don't need the HTTPS redirect for the "naked domain" at all.

One exception to that is if your domain is on the HSTS preload list. This is a list of domains that always use HTTPS -- the browser will redirect any attempts to use HTTP to the HTTPS equivalent even if you explicitly type in http:// at the start of the URL. If your domain is a .com one, then you'll be fine; but if that was an example and you're actually using a .app, .dev, or similar domain, then you will need the HTTPS naked domain redirect.