How to force SSL?

I want to force SSL to my webisite.
Eg: to

There is an option you can add in your config.php, that will make Kirby redirect http requests to https.

c::set('ssl', true);

You should do that in your server config file or your .htaccess


FWIW, I had to use c::set('ssl', true);, and don’t mess with the .htaccess as it didn’t work on my hosting…

I use this in .htaccess

RewriteEngine on
RewriteCond %{HTTP_HOST} !^(.*).local$
RewriteCond %{HTTPS} =off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,L,R=301]
1 Like

I think the order should be like this depending on your hosting:

  1. DNS redirect (if possible)
  2. server config redirect (if you have your own server)
  3. .htaccess (if the hosting allows to set this setting via .htaccess)
  4. PHP based redirect (as a last resort; Kirby config setting as proposed by @bvdputte)

@texnixe What are the disadvantages of the PHP method?

The other options kick in earlier. The PHP routes are great for more complicated logic, especially when working with Kirby objects.

@neemmeek Are you on Kirby 2 or 3? This should actually work automatically.

On Kirby 2, you could also try and enforce http in your config.php:

c::set('ssl', true);

(Note that there is no such setting for Kirby 3)

What if you set the url as well:

c::set('url', 'https://yourdomain.test');

Ah, I first thought the stylesheets didn’t get loaded, but it’s an issue with your fonts. How do you load them? Could you provide a link to the site?

When looking at source, error in console:

Mixed Content: The page at ‘’ was loaded over HTTPS, but requested an insecure stylesheet ‘,latin-ext’. This request has been blocked; the content must be served over HTTPS.

How do I change the… into https? I know how to edit a “normal” html index page but how does that work with Kirby?

Open an editor and edit the template/snippet (probably /site/snippets/header.php), change http:// to https:, save, upload.

It worked. Thank you. You made my day!

P.s. Please be informed that I deleted the previous replies because as a new member I’m only allowed to add 3 replies… Thanks again for helping me out.

1 Like

Would anyone know where to place those lines in the Kirby 3 .htaccess file?

<IfModule mod_rewrite.c>
RewriteEngine on

# --- Here ?
# RewriteCond %{HTTP_HOST} !^(.*).local$
# RewriteCond %{HTTPS} =off
# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,L,R=301]

RewriteRule (^|/)\.(?!well-known\/) index.php [L]
RewriteRule ^content/(.*)\.(txt|md|mdown)$ index.php [L]
RewriteRule ^site/(.*) index.php [L]
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
RewriteRule ^kirby/(.*) index.php [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php [L]

<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE application/json
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript

Also, what does this line do:

RewriteCond %{HTTP_HOST} !^(.*).local$

Thanks for any help!


It excludes URLs that end in .local (you would have to adapt this to exclude your own local URLs if you don’t want to enforce SSL in your local dev environment.