Access Keys:
Skip to content (Access Key - 0)

Q: How do I automatically redirect to HTTPS URLs?


One of the potential downsides to certificate-protecting pages on is that visitors to the protected portion of your site must use URLs beginning with https://. Anyone who tries to access the protected portion of your site via http:// URLs will receive a "Forbidden" error message.

The simplest way to avoid this is to make the front page of your site a public page, with links to certificate-protected content denoted as such. However, if that is not possible, there is a way to automatically redirect users to the certificate-protected URLs.

Advanced Users
Before following these instructions, you or your webmaster should have an understanding of Server-Side Includes, typical Apache Server variables accessible via SSI, and the concept of relative versus absolute links.

The following example assumes that your website is active at and you want to certificate-protect

The first step is to create a sample 403 error page. Create a directory in your locker called "errors" (the name is not important, but the directory should be separate from the rest of your site). That directory must be readable by system:anyuser. A basic 403 error page might look like this:

<title>Certificates Required</title>
You must access this document via HTTPS.  
If you have MIT Certificates, click 
<a href="https://<!--#echo var="HTTP_HOST"--><!--#echo var="REQUEST_URI"-->">here</a> to continue to your document.

You can save that document in a file called "certificates.shtml" in the "errors" directory.

The next step is to tell the server to use this document. At the lowest level of your website, create (or edit, if you already have one) a file. Add the following line to your file:

ErrorDocument 403 /joeuser/errors/certificates.shtml

Now, if you attempt to access without certificates, you should see your new page.

Denied Users Will Also See This Page
Remember, the "Forbidden" page will be displayed under two circumstances: a) if they are not using certificates; b) if they are using certificates, but do not have permission to access the document. Your Forbidden page should say something to that effect.

IS&T Contributions

Documentation and information provided by IS&T staff members

Last Modified:

October 01, 2013

Get Help

Request help
from the Help Desk
Report a security incident
to the Security Team
jdreed-draft jdreed-draft Delete
htaccess htaccess Delete
certificates certificates Delete
c-web-publishing c-web-publishing Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.
This product/service is:
Easy to use
Difficult to use

This article is:
Adaptavist Theme Builder (4.2.3) Powered by Atlassian Confluence 3.5.13, the Enterprise Wiki