Forcing the domain to serve securely using HTTPS (for any site)
The following forces any http request to be rewritten using https. For example, the following code forces a request to http://example.com to load https://example.com. It also forces directly linked resources (images, css, etc.) to use https:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
Header always set Content-Security-Policy "upgrade-insecure-requests;"If this isn't working for you, first check your line endings. Copy/paste from your web browser into a text editor may not work right, so after pasting into your text editor you should delete each line break and add it back in (line break = return key).
Steps for cPanel
The file itself can be found if you go to cPanel >> File Manager. There, find the document root of your website. For primary cPanel domains, the folder is usually ‘public_html’. If the website is an add-on, you can look up its document root in Addon domains section.
When you find the folder, the .htaccess file may already be there. To double-check it, click Settings in the top-right corner and tick Show hidden files (dotfiles).
If the file did not appear, feel free to create it by clicking +File. Make sure to name the file .htaccess, starting with the dot.
To open the file, right-click it, then click Edit. In the next pop-up window, click Edit as well.
Now add the following code to the top of .htacess file
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
Header always set Content-Security-Policy "upgrade-insecure-requests;"