How to Redirect HTTP to HTTPS Without Breaking Your Site
Vincent
06/07/2024
16
In technical SEO, to redirect HTTP to HTTPS, install a valid SSL/TLS certificate first, then choose where the redirect rule belongs. The right method depends on your server, hosting panel, CDN etc. A safe setup uses a permanent redirect, avoids duplicate rules, and tests the final HTTPS path before launch.
Quick ways to redirect HTTP to HTTPS
A HTTP to HTTPS redirect sends visitors from the unsecured URL to the secure version. Search engines also use the redirect as a signal when the secure page should replace the old version in search results. Google recommends permanent server-side redirects when a URL has moved permanently, with 301 and 308 treated as permanent move signals.
Use this table to choose the right method.
| Environment | Best method | Typical owner |
| Apache with server access | VirtualHost redirect | Developer or hosting team |
| Apache shared hosting | .htaccess rewrite | Developer or SEO technical owner |
| Nginx | Server block redirect | Developer or DevOps |
| Windows IIS | URL Rewrite rule | Windows server admin |
| cPanel | Force HTTPS Redirect | Website owner or hosting team |
| Cloudflare | Always Use HTTPS or Redirect Rule | CDN owner |
| WordPress | Hosting-level redirect first | Developer or site admin |
For business-critical templates such as checkout, login, lead forms etc., treat the redirect as a release task. A broken redirect on a blog archive may create inconvenience, while a broken redirect on checkout can block revenue.
Apache .htaccess redirect
Use this method when the site runs on Apache-compatible hosting and you can edit .htaccess. For more complex Apache cases, such as page-level moves or folder redirects, review a separate Apache redirect rule setup before editing the live file.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
This rule checks whether the request uses HTTP. When it does, Apache sends the visitor to the same host and request URI over HTTPS.
Apache VirtualHost redirect
Use server configuration when you control Apache VirtualHost files.
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
Redirect permanent / https://example.com/
</VirtualHost>
Apache documents mod_rewrite as a rule-based engine that can rewrite requested URLs or redirect one URL to another.
Nginx redirect
Use a dedicated port 80 server block for the HTTP version.
server {
listen 80;
server_name example.com www.example.com;
return 301 https://example.com$request_uri;
}
This sends every HTTP request to the HTTPS canonical host while preserving the path and query string.
Windows IIS redirect
IIS sites usually use URL Rewrite. A common rule checks {HTTPS} and redirects only when the request is still HTTP.
<rule name=”HTTP to HTTPS Redirect” stopProcessing=”true”>
<match url=”(.*)” />
<conditions>
<add input=”{HTTPS}” pattern=”^OFF$” />
</conditions>
<action type=”Redirect” url=”https://{HTTP_HOST}/{R:1}” redirectType=”Permanent” />
</rule>
The {HTTPS} condition matters because it prevents the rule from firing on requests that are already secure.
Cloudflare redirect
If Cloudflare manages your traffic, Always Use HTTPS can redirect HTTP requests at the edge. Cloudflare says this feature redirects HTTP requests to HTTPS across all hosts in the application.
Use this only after checking your origin server. A CDN rule and an origin rule can conflict when SSL/TLS mode is misaligned.
What are HTTP and HTTPS?
HTTP is the protocol a browser uses to request webpages. HTTPS adds encryption through SSL/TLS, which protects data while it travels between the browser and the server. A redirect from HTTP to HTTPS makes the secure version the normal entry path for visitors.
For users, HTTPS supports trust because browsers show stronger security signals on protected pages. For businesses, the impact becomes clear on forms, payment paths, account pages etc. Sensitive templates should send users to the secure version automatically.
For SEO, the redirect helps consolidate URL versions. The final HTTPS URL should also appear in internal links, canonical tags, sitemap files etc.
Before you redirect HTTP to HTTPS
A redirect should happen after the SSL/TLS setup is ready. When the certificate is missing, expired, or installed on the wrong host, forcing HTTPS can move users from a working HTTP page to a browser warning.
Use this pre-launch checklist.
| Check | Why it matters |
| SSL certificate is valid | HTTPS needs a trusted certificate |
| Canonical host is chosen | Prevents root vs www conflict |
| Existing redirects are reviewed | Avoids chains or loops |
| Server rules are backed up | Allows fast rollback |
| CDN settings are checked | Prevents edge-origin conflict |
| Staging is tested when possible | Protects high-value pages |
The canonical host decision should come before writing rules. Choose either https://example.com or https://www.example.com, then make every other version point there.
Which status code should you use?
HTTP redirects use 3xx status codes and a Location header that tells the browser where to go. Browsers load the new URL from the Location header after receiving a redirect response.
| Status | Meaning | Use case |
| 301 | Permanent redirect | Stable HTTP to HTTPS migration |
| 308 | Permanent redirect with method preserved | Permanent move where method handling matters |
| 302 | Temporary redirect | Short-term routing |
| 307 | Temporary redirect with method preserved | Temporary move where method handling matters |
For most websites, 301 is the common choice for HTTP to HTTPS. A 308 can also represent a permanent move, while 308 preserves the request method and body during the redirected request.
How to redirect HTTP to HTTPS on different platforms
The best implementation depends on your stack. Use the method that matches your environment, then run the testing checklist afterward.
Redirect HTTP to HTTPS on WordPress
WordPress sites often run through several layers: CMS settings, plugins, hosting cache, CDN rules etc. Start with the hosting-level redirect when your host provides one. This is usually cleaner than adding several plugin rules.
Check these items first:
| WordPress area | What to verify |
| WordPress Address | Uses the intended HTTPS version |
| Site Address | Matches the canonical host |
| SSL plugin | Avoid duplicate force-HTTPS rules |
| Cache plugin | Clear after redirect changes |
| CDN plugin | Align with CDN SSL mode |
| .htaccess | Review custom rewrite rules |
If WordPress admin becomes inaccessible after a change, review the redirect chain before disabling everything. The loop may come from a plugin, but it may also come from Cloudflare, .htaccess, or a host panel setting.
Redirect HTTP to HTTPS on Apache
Apache gives two common paths: VirtualHost or .htaccess. Use VirtualHost when server configuration access exists. Use .htaccess when the host only allows directory-level changes.
For .htaccess, place the rule near the top of the file, before CMS rewrite blocks when appropriate.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
For WordPress, avoid editing inside the generated block unless the developer confirms the change.
Redirect HTTP to HTTPS on Nginx
Nginx handles this through server blocks. A simple HTTP block can return a permanent redirect to HTTPS.
server {
listen 80;
server_name example.com www.example.com;
return 301 https://example.com$request_uri;
}
After editing the config, test before reload:
nginx -t
sudo systemctl reload nginx
For high-traffic templates, ask DevOps to check logs after deployment. A misplaced server block can affect the homepage, API endpoints, static assets etc.
Redirect HTTP to HTTPS on Windows IIS
A practical IIS workflow:
- Install URL Rewrite if it is missing.
- Open IIS Manager.
- Select the target website.
- Open URL Rewrite.
- Add a blank inbound rule.
- Match URL pattern (.*).
- Add a condition for {HTTPS} with pattern ^OFF$.
- Set action type to Redirect.
- Use https://{HTTP_HOST}/{R:1} as the target.
- Choose Permanent 301.
- Apply the rule.
- Test HTTP and HTTPS versions.
The condition prevents the rule from redirecting a request that is already secure.
Redirect HTTP to HTTPS on Cloudflare
Cloudflare can redirect HTTP traffic before the request reaches your origin server. Always Use HTTPS is the simplest edge setting, while Redirect Rules give more control.
Before enabling it, check the SSL/TLS mode.
| Cloudflare setup | Risk to review |
| Flexible mode | Origin HTTP-to-HTTPS redirect can loop |
| Full mode | Origin certificate still needs review |
| Full strict | Certificate must validate properly |
| Always Use HTTPS | Origin should avoid conflicting rules |
| HSTS | Browser behavior becomes stricter |
Cloudflare warns that redirect loops can happen when SSL/TLS mode conflicts with origin server settings. In Flexible mode, Cloudflare sends HTTP to the origin, and a loop can appear if the origin redirects HTTP back to HTTPS.
A simplified loop looks like this:
Browser requests HTTPS
↓
Cloudflare sends HTTP to origin
↓
Origin forces HTTPS
↓
Loop continues
Redirect HTTP to HTTPS in cPanel
Many cPanel environments include a Force HTTPS Redirect option. This is useful for site owners who do not want to edit .htaccess manually.
General process:
- Confirm SSL is installed.
- Open the Domains section.
- Choose the target domain.
- Enable Force HTTPS Redirect.
- Clear site cache.
- Test the HTTP URL.
When cPanel and .htaccess both force HTTPS, the redirect may still work. The risk appears during troubleshooting because two places now control the same behavior.
How to find where an HTTPS redirect comes from
Some websites already redirect to HTTPS, but the owner does not know which layer is doing it. That matters before adding a new rule.
Use this diagnostic table.
| Signal | Likely source |
| Redirect disappears when CDN proxy is paused | CDN setting |
| Redirect happens before origin receives request | Edge rule |
| Redirect appears only on Apache hosting | .htaccess or VirtualHost |
| Redirect appears only on IIS | web.config or URL Rewrite |
| Redirect changes after plugin deactivation | CMS plugin |
| Redirect alternates HTTP and HTTPS | CDN-origin conflict |
| Redirect affects only one path | Application rule |
Open the Network tab in browser DevTools, then load the HTTP version. Look for the first 301 or 308 response. The Location header reveals the next URL.
A simple command can show the redirect without loading the page:
curl -I http://example.com/service-page/
The response should show a 301 or 308 status and a Location header pointing to the HTTPS version.
How to test your HTTP to HTTPS redirect
Testing should cover more than “the page loads.” A redirect can load successfully while still creating a chain, mixed content issue, or weak canonical signal.
| Check | Pass condition |
| Status code | HTTP returns 301 or 308 |
| Destination | HTTPS URL matches intended page |
| Hop count | One redirect where possible |
| Canonical | HTTPS page references the correct canonical |
| Internal links | Use HTTPS directly |
| Sitemap | Lists HTTPS URLs |
| Mixed content | No HTTP assets remain |
| CDN-origin behavior | No loop or conflict |
| Search Console | HTTPS property and sitemap are checked |
Beyond checking the 301 status code, you must verify that internal links are updated, canonical tags point to HTTPS, and no mixed content warnings block secure assets.
MDN notes that redirects add an extra HTTP request and advises fixing internal links where possible instead of relying on internal redirects.
The final HTTPS URL should also match the original user intent. If the HTTP version of a service page redirects to the homepage, users lose the commercial path they expected.
After launch, use a Search Console missing-page check if old HTTP URLs, outdated sitemap entries, or broken redirect targets start appearing as 404 issues.
Common HTTP to HTTPS redirect mistakes
Most HTTPS migration issues come from duplicate redirect layers or weak QA.
| Mistake | What happens | Better action |
| Redirect before SSL works | Users hit warnings | Install and validate certificate first |
| CDN and origin disagree | Redirect loop appears | Align SSL/TLS mode and origin rule |
| Internal links stay HTTP | Extra requests continue | Update templates and content |
| Mixed content remains | Browser blocks assets | Replace HTTP resources |
| Wrong host is canonical | Root and www conflict | Choose one host before launch |
| Plugin plus server both force HTTPS | Debugging becomes harder | Keep one main redirect source |
When users report ERR_TOO_MANY_REDIRECTS after a redirect change, inspect the chain first. Adding another rule usually makes the problem harder to trace. A repeated HTTP and HTTPS loop should be handled as a redirect loop diagnosis before the team changes Cloudflare, plugin, or server rules again.
HTTP to HTTPS redirect FAQ
What is the best way to redirect HTTP to HTTPS?
The best method depends on your environment. Use server configuration when you control the server. Use .htaccess for Apache shared hosting. Use URL Rewrite for IIS. Use Cloudflare only when the CDN and origin configuration agree.
Should I use 301 or 308 for HTTP to HTTPS?
Use 301 for most standard website migrations. A 308 is also permanent and preserves the request method, which can matter for certain non-GET requests. Google treats both 301 and 308 as permanent redirects for moved URLs.
Can I redirect HTTP to HTTPS without .htaccess?
Yes. Nginx uses server blocks, IIS can use URL Rewrite, cPanel may provide Force HTTPS Redirect, while Cloudflare can redirect at the edge. .htaccess only applies to Apache-compatible hosting.
Why does Cloudflare already redirect HTTP to HTTPS?
Cloudflare may redirect HTTP to HTTPS through Always Use HTTPS, Redirect Rules, HSTS behavior, or another edge setting. Check Cloudflare settings before adding another rule at the origin.
Why do I get too many redirects after forcing HTTPS?
This usually means two layers disagree. A common case is CDN-to-origin behavior where Cloudflare sends HTTP to the origin, while the origin sends the same request back to HTTPS.
Do I need to update internal links after enabling HTTPS redirects?
Yes. The redirect protects users who arrive through old HTTP URLs, but internal links should point directly to HTTPS. Direct links reduce extra requests and make the final URL clearer for crawlers.
Final thoughts
A HTTP to HTTPS redirect should be handled as a migration step, not just a security toggle. Start with a valid certificate, choose the canonical host, pick one redirect source, then test key templates.
For business-critical pages, assign the work clearly. SEO can define priority paths and post-launch checks. Development can validate server rules. The hosting or CDN owner can confirm where the redirect is applied. When those responsibilities are clear, the HTTPS migration becomes easier to maintain and safer for users.
NEWEST POSTS
- Advertising Industry In Vietnam: The 2026 Trends, Channels and Market-Entry Strategy
- Best SEO Company in Vietnam: Latest Shortlist For Businesses
- How To Leverage Social Media For Customer Service Like A Pro?
- Social Media Post Tips – 8 Ways To Boost Engagement
- How To Use Social Media for Sales – In-depth Beginner Guide
Read more
