Using HTTPS with fortrabbit

Problem: The interwebs is full of criminals trying to read your communication. Solution: Serve requests over HTTPS not just HTTP.


HTTPS is Hyper Text Transfer Protocol over Transport Layer Security. It is used to secure the data transport between a client (browser) and a server. HTTPS is based on TLS (Transport Layer Security), which is the successor to the still better known SSL (Secure Sockets Layer). Current browsers show a green lock in the address bar if the connection is over HTTPS, the certificate could be verified and if the certificate is still valid.

HTTPS options on fortrabbit

As part of security efforts our aim is to give you secure, easy-to-use and affordable options:

Piggyback HTTPS

PSSST. This is a bit of a hidden feature: You can already access your App URL using HTTPS. For example: https://{{app-name}} Use this URL for testing or if a custom domain is not important to you.

Automatic HTTPS

Let's encrypt is a free certificate authority and can be used to generate free certificates for custom domains. This option does not work for wildcard domains. Automatic TLS is included for all Professional Apps and some Universal Apps.

Custom HTTPS

Bring your own certificate: There are various use-cases to mandate a custom certificate, for example if you plan on using wildcard domains or need a "green browser bar". Whichever reason it may be: we support installation of custom certificates for many App plans in the Dashboard > {{app-name}} > TLS certificate.


Which of the options can be used depends on the App stack and the specific plans which are booked for the App:

HTTPS/TLS Option Professional App Universal App
Piggyback HTTPS Yes Yes
Automatic HTTPS Yes Yes
Custom HTTPS Yes, as extra Component, see specs Depends on plan


The following applies to all three TLS options on fortrabbit:

Redirect all requests to HTTPS

Create or modify an .htaccess file in your root path folder like so:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Port} !=443
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=301,L]

The reverse (redirect all traffic to HTTP) would be:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Port} !=80
RewriteRule (.*) http://%{HTTP_HOST}/$1 [R=301,L]

Force HTTPS for future visits with HSTS

In your .htaccess file you can add this line (in addition to the rewrite rule above):

Header always set Strict-Transport-Security "max-age=31536000"

This will make your browser remember to always use the secured version of your App. It makes use of the "HTTP Strict Transport Security" policy and improves security by eliminating the risks of man-in-the-middle TLS-protocol-downgrade attacks. Be careful: setting this header will tell the browser never (or that is: until max-age) to use http:// again. So if you later on decide to serve (parts of) your site using no encryption, all those clients (browsers) which saw the header will not comply and keep using https://.

It's not working with Internet Explorer 8 or older

Sorry, IE8 is not supported any more. All our TLS implementations are based on SNI.

Further readings

Search help pages

Need individual help?

Get support › Learn about Company plans ›

Looking for an old article?

See the full list of articles ›

Found an error?

Contribute on GitHub ›