FYI I had this running on the site for a few hours but I found out that some third party javascript calendar popups that were within the site stopped working because of it:

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^/?$ [%{SERVER_NAME}...] [R=301,L]

If you force HTTPS for one URL, you need to force HTTP for the rest of the site, otherwise when following internal relative links you will continue browsing round the rest of the site using HTTPS still.

There's hundreds of prior examples of useful code here. I know that the HTTP/HTTPS issue has been discussed several times in the last few weeks alone.

Something like:

RewriteEngine on
#
# Redirect HTTP request for home page URL to HTTPS
RewriteCond %{HTTPS} =off
RewriteRule ^(index\.php)?$ https://www.example.com/ [R=301,L]
#
# Redirect all HTTPS requests to HTTP except for home-page and included-object requests
RewriteCond %{HTTPS} !=off
RewriteCond $1 !\.(gif|jpe?g|png|ico|css|js)$
RewriteCond $1 !^index\.php$
RewriteCond ^(.+)$ http://www.example.com/$1 [R=301,L]

The RewriteCond exclusions are to prevent "included objects" on HTTPS pages from being forced to HTTP, which would result in "Mixed secure/insecure content" warnings in the browser, scaring off visitors. Adjust that filetype list to suit, and order the filetypes from most- to least-frequently requested for best results.

An alternative method would be to explicitly check for .php, .htm, and .html "page" filetypes, and redirect only those to HTTP. Use whichever method results in the shortest and/or easiest-to-maintain list.

On some server configurations, testing %{HTTPS} doesn't work. In those cases, it is necessary to use the 'native' %{SERVER_PORT} variable, and test for "=80" and "!=80" (the common HTTP port), or "!=443" and "=443" (common HTTPS port) -- as you prefer.

Jim