One of the most significant omissions noticed in the posts on redirecting traffic from HTTP to HTTPS is the exclusion of logs within the Apache web server configuration.

Why is this important? When you log the redirects at the source, you will notice that your SSL access logs were not capturing the traffic. This is a great way to catch bots and hackers probing your website.

As of today, July 19, 2022, every mention of HTTP to HTTPS uses the following syntax in the HTTP host:

What you will see are a lot of 301 and 302 httpd status codes. Why is this important? If you look closer, you will see bot names, HTTP request methods (HEAD, PUT, CONNECT, OPTIONS, etc.) that hackers use to find vulnerabilities, requests for known file vulnerabilities, etc. The official Apache documentation suggests using redirect directive instead of a RewriteRule (https://httpd.apache.org/docs/trunk/rewrite/avoid.html).

In addition, from testing and various forums:

• Redirect returned a lot of 302 moved temporarily status codes
• Redirect Permanent returns a 301 moved permanently status code
• RedirectPermanent returns a 301 moved permanently status code

It would seem that the RedirectPermanent is a more desired option for HTTP to HTTPS redirects. Well, that is if you are not using a RewriteRule.