367 8
9.5k times

Firefox won't redirect URL's automatically to https. Chrome, Chromium-based, and Edge will. Has anyone else experienced this?

The site is and I've got virtual hosts set up for port 80 and I used Let's Encrypt for SSL.

I looked through everything and I cannot see anything obvious.

  • 0
    In Firefox you can also enable HTTPS-Only Mode to redirect to HTTP. In the menu bar at the top of the screen, click and select Settings, Select Privacy & Security from the left menu. Scroll down towards the bottom where it says HTTPS-Only Mode. Use the radio button to select whether to enable or disable HTTPS-Only Mode, or select to only enable it for private windows. — Lehigh HVAC
add a comment

2 Answers

  • Votes
  • Oldest
  • Latest

There are numerous ways these days you can solve this. The first one I would recommend is making sure that you have set Strict-Transport-Security, you can do this in your .htaccess file like this:

Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS

You can also set your Content-Security-Policy, one of the values is for making sure http requests get upgraded to https. There is much more you can do with content security policies, I would recommend reading up on that, but at the very minimum and to help solve your problem you would want to set something like this in your .htaccess file.

Header always set Content-Security-Policy "upgrade-insecure-requests"

For these headers you could also set these in PHP directly (instead of htaccess):

header('Strict-Transport-Security: max-age=31536000');
header('Content-Security-Policy: upgrade-insecure-requests');

Finally another way is to create a RewriteRule in your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [L,R=301]

You can use one or more of these methods simultaneously. I usually keep the RewriteRule in case older browsers or bots don't understand or support the other directives.

  • 0
    I tried all of the above and still no dice. It's only happening in Firefox. I'm gonna give up for a day or so and try again with a fresh brain later. — natas
  • 0
    I went to your website and it redirected to https for me. Your CSP header is being sent twice for some reason, so I would fix that, but for me it loads https after going to the http version now in Firefox. — Brian Wozeniak
  • 0
    What the fudge? It's not working for me. I've cleared cached, cookies, etc. Still no dice. GAHHHHH!!!! — natas
  • 0
    What version of Firefox are you using? Even if the first ones failed, the rewrite rule should do the work regardless of your browser, you sure you added that one in? You need to make sure to enable mod_rewrite as well. — Brian Wozeniak
  • 0
    I'm using Firefox 93 on MX Linux — natas
  • 1
    So this morning, everything works as expected. I didn't change anything overnight. This is weird, but I'm not complaining. Thanks for the help Biggie Wozz — natas
add a comment

Enable HTTPS-Only Mode in Firefox. This is a security enhancement that forces all connections to websites to use HTTPs while browsing websites with Firefox.

To enable HTTPS-Only mode, in Firefox:

  1. Click the menu button and select settings
  2. Select Privacy and Security on the left side
  3. Scroll down to the very bottom where it says HTTPS-Only Mode
  4. Use the radio button to enable or disable HTTPS-Only Mode, or you can set it to only be enabled for private windows.

You can also set exceptions for websites that should not utilize HTTPs-Only mode if you choose to have it enabled.

Here is a screenshot of what the area looks like:

Firefox HTTPs Only Mode

add a comment