Recently I purchased and installed an SSL/TLS certificate for this website. Besides wanting to benefit from the security aspects of the installation, I just wanted to see if I could do it. Of course, cPanel, a common control panel on shared web hosts, makes it fairly simple.
So I bought the cert, got it installed successfully, set up the 301 redirect from HTTP to HTTPS, enabled HSTS so that all page loads are served by TLS, and even went through the tedious task of converting all image source attributes to be served securely. However, I noticed something odd. When I went to try out my redirect, I noticed that articles and second-level pages like the About the Author page would not redirect when I tried to access them over HTTP. The homepage redirected, but nothing else.
I was baffled because everything I read said it was done correctly. Then I read that HSTS doesn’t work on the initial page load unless you apply for the pre-load program offered by browsers. It takes months to get on the approved list, though, and who has that kind of time when major hacks are now a monthly event? Granted, TLS and HSTS won’t prevent the hack of an insecure piece of software, but I can at least ensure a secure connection for any visitors. In any case, it still didn’t make sense that it would be an HSTS issue, since a redirect should just forward the user to the specified URL format every time. My redirect from www to non-www worked, so why not this?
I finally figured it out tonight. The HTTP to HTTPS redirect must be above everything else in .htaccess. At the very least, it must be above anything not having to do with redirects. In my case, I’m employing a caching plugin to enable gzip and other features, which also modifies .htaccess. For whatever reason, the redirect on second-level pages will not work unless the redirect directive is the first one.
I couldn’t find this solution anywhere else, so I hope it helps anyone who might be in the same boat.
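The ordering described above, as an added example that is not the original .htaccess from this site. It assumes mod_rewrite is available and that the file also contains a CMS-style front-controller block, which is one common way to get the "homepage redirects, inner pages don't" symptom; the plugin marker name and the gzip MIME types are hypothetical.

```apache
# Constructed example: HTTPS redirect first, everything else below it.

# 1. HTTP -> HTTPS. Placed first so it is evaluated for every path
#    before any other rewrite rule can end processing with [L].
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

# 2. Blocks maintained by a caching plugin (hypothetical marker name).
#    If the plugin rewrites this section, check afterwards that block 1
#    is still above it.
# BEGIN ExampleCachePlugin
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/css application/javascript
</IfModule>
# END ExampleCachePlugin

# 3. Front-controller block (assumed; typical of a CMS).
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# The pattern "." needs at least one character. A request for "/" has an
# empty per-directory path, so it skips this rule and reaches whatever
# comes later in the file. A request for /about/ matches here, is handed
# to index.php, and [L] stops processing, so an HTTPS redirect placed
# below this block is never evaluated for inner pages.
RewriteRule . /index.php [L]
</IfModule>
```

To confirm the fix, request an inner page over plain HTTP (for example with `curl -I`) and check for a `301` status with an `https://` `Location` header, not only on the homepage.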