- Security Issue
- Resolution: Invalid
- Major
- None
- 3.3.5
I am using the latest release version of phpBB on an Apache server.
I am using a simple HTTP to HTTPS redirect on my website through .htaccess in the root directory. My phpBB3 forum is installed in a subdirectory and has its own .htaccess file that comes with the installation.
The problem is that phpBB's .htaccess file seems to overwrite the simple redirect I have in my root directory:
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://example.com/$1 [R,L]
As a result, the boards can be browsed using the HTTP protocol, which is insecure - especially when there are internal links on the forums.
I think HTTP authentication should be blocked altogether, especially if SSL is enabled in the forum options. It's very easy to check if the user is connected through HTTPS using PHP.
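
The following configuration is an added example, not part of the original report or of phpBB's shipped files. It shows why the root redirect is skipped for the forum and two ways to enforce HTTPS there. It assumes the forum is installed under /forum/ (a hypothetical path) and that mod_rewrite is enabled.

```apache
# Constructed layout:
#   /.htaccess        contains the HTTP-to-HTTPS rule from the report
#   /forum/.htaccess  phpBB's file, with its own RewriteEngine/RewriteRule lines
#
# mod_rewrite does not inherit per-directory rules by default. Once
# /forum/.htaccess has rewrite directives of its own, requests under /forum/
# are processed with those rules only and the root redirect never runs.

# ---- Option 1: top of /forum/.htaccess, before phpBB's own rules ----
RewriteEngine On
# %{HTTPS} is "on" only for TLS requests, so this does not depend on the port
RewriteCond %{HTTPS} !=on
# REQUEST_URI is the full request path, so the /forum/ prefix is kept in the
# redirect target (a per-directory "^(.*)$ ... /$1" would drop it here)
RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]

# ---- Option 2: server configuration (httpd.conf or a vhost file) ----
# A redirect in the port-80 virtual host applies to every path and cannot be
# overridden by any .htaccess file further down the tree.
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>
```

To check the result, request a forum URL over plain HTTP with `curl -I` and confirm the response is a 301 whose Location header starts with https://.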