If most of your visitors come from Google (organic search) or from social networks, they probably land on the HTTPS version directly.
But what if there are visitors who visit your site directly?
In my case, I usually type "igu", my browser suggests "iguru.gr" and I press enter.
By default, the browser sends the request to "http://iguru.gr" and it is later redirected to "https://iguru.gr".
Why is redirection from HTTP to HTTPS slow?
If you have HTTPS set in the WordPress settings, then WordPress will take care of the redirect. This is done by PHP. But depending on your hosting provider and server speed, a PHP redirect can be slow, so it is better to move the redirect out of PHP.
Let's see what we can do.
Set up Web Server to redirect to HTTPS
Configuring the web server itself (Nginx / Apache / LiteSpeed) to do the redirect will always be faster than doing it in PHP.
Apache / LiteSpeed
If you have Apache or LiteSpeed Web Server, add the following source code to the .htaccess file:
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Nginx
In Nginx, add the following setting:
server { listen 443 ssl; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; }
If you use Cloudflare, things are very easy. From the SSL / TLS - Edge Certificates settings, enable the "Always Use HTTPS" option.
Optionally, select the "Automatic HTTPS Rewrites" option.
Or you can also add a meta tag to tell the browser to use HTTPS for all requests within a page.
Enable HSTS
HSTS or HTTP Strict Transport Security is a response header.
Simply put, it tells the browser "this site will have HTTPS for so many days, so use HTTPS by default".
So the next time someone enters "iguru.gr" or "http://iguru.gr", the browser will open "https://iguru.gr" directly.
Apache / LiteSpeed
Add the following code to the .htaccess file:
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Nginx
In Nginx, add the following setting:
server { listen 443 ssl; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; }
Cloudflare
From the SSL / TLS - Edge Certificates settings, enable HTTP Strict Transport Security (HSTS).
Enter the following settings:
Verify HSTS
You can check if it works or not by checking the response header:
You can also visit the page https://hstspreload.org/ to check the same.
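One way to run the same check offline, as an added example that is not part of the original article: the Python code below parses a Strict-Transport-Security value and reports what is missing for the preload list at hstspreload.org (a max-age of at least 31536000, includeSubDomains and preload), and separately checks that a plain-HTTP response is a redirect to HTTPS on the same host. The function names, the accepted redirect status codes and the sample responses are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

PRELOAD_MIN_AGE = 31536000  # one year in seconds, the max-age used on this page

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value or True}."""
    directives = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, sep, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val.strip().strip('"') if sep else True
    return directives

def check_hsts(headers):
    """Return the problems in one HTTPS response's headers (empty list = OK)."""
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    age = d.get("max-age")
    if not (isinstance(age, str) and age.isascii() and age.isdigit()):
        problems.append("max-age missing or not a number")
    elif int(age) < PRELOAD_MIN_AGE:
        problems.append(f"max-age {age} is below {PRELOAD_MIN_AGE}")
    for flag in ("includesubdomains", "preload"):
        if d.get(flag) is not True:
            problems.append(f"{flag} directive missing")
    return problems

def check_redirect(status, location, host):
    """Check that a plain-HTTP response redirects to HTTPS on the same host."""
    if status not in (301, 302, 307, 308):  # assumption: any redirect status is accepted
        return [f"status {status} is not a redirect"]
    target = urlsplit(location or "")
    if target.scheme != "https" or target.hostname != host:
        return [f"redirect target {location!r} is not on https://{host}"]
    return []

# Constructed sample responses (not captured from a real server).
APACHE = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
NGINX = {"strict-transport-security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    print(check_hsts(APACHE), check_hsts(NGINX))
```

With the two header values used on this page, the Apache / LiteSpeed value passes, while the Nginx value is reported as missing the preload directive.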
Submit to the Chrome HSTS list
Even if you have HSTS enabled, a user visiting your site for the first time will still be redirected from HTTP to HTTPS.
However, Chrome maintains a list of HSTS sites hardcoded in the browser (and other browsers use the same list). Therefore, if your site is added to this list, that first redirect is no longer needed!
Go to https://hstspreload.org/ and submit your domain.
Then click Submit and wait for it to be added to the Chrome hardcoded list.
You are ready!