DirectAdmin HTTPS / www Redirect Issue – Summary
DirectAdmin’s built-in “Force SSL” and www redirect options can unintentionally cause security warnings, even when a website itself is correctly configured. This is not caused by user error or incorrect .htaccess rules, but by how DirectAdmin applies redirects at server level.
What happens
When both HTTPS and www redirection are enabled, visitors often encounter:
http://example.com
→ 301 https://example.com
→ 301 https://www.example.com
→ 200 OK
Each step is a separate external redirect handled before user-level configuration is processed.
Why this causes warnings
HSTS (HTTP Strict Transport Security):
If https://example.com redirects to https://www.example.com without including the HSTS header, the browser does not store an HSTS policy for example.com — even if the final destination includes it.
Security scanners (e.g. internet.nl) correctly report this as missing HSTS for that hostname. This matches real browser behaviour and is not a false positive.
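The per-hostname behaviour described above can be modelled offline. The Python below is an added example, not part of the original summary or of DirectAdmin; the sample chain is constructed and the function names are hypothetical. It goes slightly beyond the text by also applying the includeSubDomains rule of RFC 6797, under which a policy set on www.example.com does not cover its parent example.com.

```python
from urllib.parse import urlsplit

# Constructed sample chain mirroring the one above: (url, status, headers).
CHAIN = [
    ("http://example.com/", 301, {"Location": "https://example.com/"}),
    ("https://example.com/", 301, {"Location": "https://www.example.com/"}),
    ("https://www.example.com/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if the header is unusable."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def hsts_store(chain):
    """Model what a browser stores: a policy is noted only from an HTTPS
    response, and only for the host that sent that response."""
    store = {}
    for url, _status, headers in chain:
        parts = urlsplit(url)
        lowered = {k.lower(): v for k, v in headers.items()}
        policy = parse_hsts(lowered.get("strict-transport-security", ""))
        if parts.scheme == "https" and policy and policy[0] > 0:
            store[parts.hostname] = policy
    return store

def is_protected(host, store):
    """Covered by its own policy, or by a parent's includeSubDomains."""
    if host in store:
        return True
    labels = host.split(".")
    return any(store.get(".".join(labels[i:]), (0, False))[1]
               for i in range(1, len(labels)))

def hosts_missing_hsts(chain):
    """Hostnames seen in the chain that end up with no HSTS protection."""
    store = hsts_store(chain)
    return sorted(h for h in {urlsplit(u).hostname for u, _, _ in chain}
                  if not is_protected(h, store))
```

For the chain above, hosts_missing_hsts(CHAIN) reports example.com, the same hostname a scanner flags.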
Why .htaccess cannot fix this
The redirect is executed before .htaccess is processed.
Because .htaccess is not executed for that response, security headers added there cannot apply to the redirect response. This is an execution-order limitation, not a configuration mistake.
Why it matters
The technically preferred solution is a single redirect:
http://example.com/path
→ 301 https://www.example.com/path
Because the redirect is generated at server level, this must be resolved within DirectAdmin’s configuration.
Key point:
A website can be correctly configured and still appear insecure if the hosting platform applies redirects before user-level security headers are executed.