robinadr

Thanks to the free [Namecheap]( http://www.namecheap.com/?aff=75412)[^1] SSL certificate included with the GitHub Student Developer Pack, I’ve moved my site over to HTTPS permanently.

After dealing with infinite redirect loops for almost an hour, it turns out on NearlyFreeSpeech you need this extra block of code in your wp-config.php:

if ( $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https' )
    $_SERVER['HTTPS'] = 'on';

Beyond that, it’s simply a matter of setting your WordPress URLs to the https version. I also have the following in my .htaccess file:

Header set Strict-Transport-Security "max-age=10886400; includeSubDomains" "expr=%{req_novary:X-Forwarded-Proto}=='https'"

RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

The first line sets an HTTP Strict Transport Security header that tells the browser to always use https for the specified time (10886400 seconds is 18 weeks). The next two lines permanently redirect any insecure URL to the https version.