While modern web browsers and servers are flexible with domain formats and protocols, using the www subdomain and enforcing SSL (HTTPS) remain best practices for performance, scalability, and security.
Why “www” Was Originally Used
The www prefix stands for “World Wide Web” and was introduced in the early days of the internet to distinguish web services from other services like FTP or mail on the same domain.
- Separation of services: Allowed different subdomains for different protocols.
- DNS flexibility: Easier to manage and scale web traffic separately.
- Convention: Became a widely adopted standard for web addresses.
Why Use “www” Today
Although technically optional, using www still offers several advantages:
- Cookie scope control: Cookies set on www.example.com do not affect example.com or other subdomains.
- DNS and CDN flexibility: Easier to delegate www to a content delivery network or separate DNS provider.
- Scalability: Better suited for large-scale websites with complex infrastructure.
- Redirect consistency: Helps avoid duplicate content issues by standardizing URLs.
Why Enforce SSL Across the Site
SSL (Secure Sockets Layer), now more accurately referred to as TLS (Transport Layer Security), encrypts the communication between a user’s browser and the web server. While it may seem sufficient to apply SSL only to pages that handle sensitive data (like login or payment pages), enforcing SSL site-wide is now considered a best practice.
Key Benefits:
- Data protection: Encrypts all data in transit, preventing interception or tampering.
- Authentication: Confirms the identity of the website to users.
- SEO boost: Google gives ranking preference to HTTPS-enabled sites.
- Browser trust: Modern browsers display warnings for non-HTTPS pages, which can deter users.
Why SSL Should Be Used on All Pages
- Prevent session hijacking: If only some pages are encrypted, attackers can intercept session cookies on unencrypted pages and gain unauthorized access.
- Avoid mixed content issues: Loading secure and insecure resources together can break functionality or trigger browser warnings.
- Ensure consistent user experience: Redirecting between HTTP and HTTPS can cause delays, errors, or confusion.
- Protect all user interactions: Even seemingly non-sensitive pages may include search queries, preferences, or behavioural data that should be kept private.
- Enable HTTP/2: Most browsers only support HTTP/2 over HTTPS, which improves performance through multiplexing and header compression.
Enforcing SSL across the entire site ensures that every interaction is secure, consistent, and trusted by both users and search engines.
How to Implement WWW and Enforce SSL
On IIS (Internet Information Services)
- Redirect to www and HTTPS:
  - Open IIS Manager.
  - Select the site and click on HTTP Redirect.
  - Enable Only redirect requests to content in this directory.
  - Set the destination to https://www.example.com.
  - Check Only respond to requests to this site.
- Use URL Rewrite Module:
  - Install the URL Rewrite module if not already installed.
  - Add rules to redirect non-www and HTTP to https://www.example.com.
Example rule:
<rule name="Redirect to WWW and HTTPS" stopProcessing="true">
  <match url="(.*)" />
  <!-- MatchAny: redirect when either condition holds (the default, MatchAll, requires both) -->
  <conditions logicalGrouping="MatchAny">
    <add input="{HTTP_HOST}" pattern="^example\.com$" />
    <add input="{HTTPS}" pattern="off" />
  </conditions>
  <action type="Redirect" url="https://www.example.com/{R:1}" redirectType="Permanent" />
</rule>
On Apache
- Enable mod_rewrite:
    a2enmod rewrite
- Add to .htaccess or virtual host config:
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^example\.com [NC,OR]
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://www.example.com/$1 [L,R=301]
ref: https://stackoverflow.com/questions/13977851/htaccess-redirect-to-https-www
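URL Rewrite ANDs the entries in `<conditions>` unless `logicalGrouping="MatchAny"` is set, while Apache ORs two `RewriteCond` lines only when the first carries `[OR]`. The following added example (not part of the original page) models the two conditions from the rules above under both groupings and lists the entry URLs each grouping leaves off https://www.example.com; the function names and the `/a` path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

CANONICAL = "https://www.example.com"  # redirect target used on this page

# The two conditions shared by the IIS and Apache rules: (variable, pattern).
CONDITIONS = [("HTTP_HOST", r"^example\.com$"), ("HTTPS", r"off")]


def rule_redirect(url, grouping):
    """Model the redirect rule for one request URL (hypothetical helper).

    grouping="MatchAny" ORs the conditions (Apache's [OR] flag);
    grouping="MatchAll" ANDs them (URL Rewrite's default when the
    logicalGrouping attribute is omitted).
    Returns the Location the rule would send, or None if it does not fire.
    """
    parts = urlsplit(url)
    server_vars = {
        "HTTP_HOST": parts.hostname,
        "HTTPS": "on" if parts.scheme == "https" else "off",
    }
    hits = [re.search(pat, server_vars[var], re.I) is not None
            for var, pat in CONDITIONS]
    fires = any(hits) if grouping == "MatchAny" else all(hits)
    return CANONICAL + parts.path if fires else None


def audit(grouping):
    """Return the entry URLs that are NOT forced onto https://www."""
    # Constructed sample: every scheme/host combination a visitor can type.
    entry_points = [
        "http://example.com/a",
        "http://www.example.com/a",
        "https://example.com/a",
        "https://www.example.com/a",
    ]
    gaps = []
    for url in entry_points:
        final = rule_redirect(url, grouping) or url
        if not final.startswith(CANONICAL + "/"):
            gaps.append(url)
    return gaps


if __name__ == "__main__":
    for grouping in ("MatchAll", "MatchAny"):
        print(grouping, "leaves unredirected:", audit(grouping) or "nothing")
```

With AND grouping, plain-HTTP requests to the www host are never upgraded, which is the partial-encryption case the session hijacking point above warns about.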