How to Redirect HTTP to HTTPS Without Breaking Your Site

SEO

Vincent

06/07/2024

16

In technical SEO, to redirect HTTP to HTTPS, install a valid SSL/TLS certificate first, then choose where the redirect rule belongs. The right method depends on your server, hosting panel, CDN etc. A safe setup uses a permanent redirect, avoids duplicate rules, and tests the final HTTPS path before launch.

Quick ways to redirect HTTP to HTTPS

A HTTP to HTTPS redirect sends visitors from the unsecured URL to the secure version. Search engines also use the redirect as a signal when the secure page should replace the old version in search results. Google recommends permanent server-side redirects when a URL has moved permanently, with 301 and 308 treated as permanent move signals.

Use this table to choose the right method.

EnvironmentBest methodTypical owner
Apache with server accessVirtualHost redirectDeveloper or hosting team
Apache shared hosting.htaccess rewriteDeveloper or SEO technical owner
NginxServer block redirectDeveloper or DevOps
Windows IISURL Rewrite ruleWindows server admin
cPanelForce HTTPS RedirectWebsite owner or hosting team
CloudflareAlways Use HTTPS or Redirect RuleCDN owner
WordPressHosting-level redirect firstDeveloper or site admin

For business-critical templates such as checkout, login, lead forms etc., treat the redirect as a release task. A broken redirect on a blog archive may create inconvenience, while a broken redirect on checkout can block revenue.

Apache .htaccess redirect

Use this method when the site runs on Apache-compatible hosting and you can edit .htaccess. For more complex Apache cases, such as page-level moves or folder redirects, review a separate Apache redirect rule setup before editing the live file.

RewriteEngine On

RewriteCond %{HTTPS} off

RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

This rule checks whether the request uses HTTP. When it does, Apache sends the visitor to the same host and request URI over HTTPS.

Apache VirtualHost redirect

Use server configuration when you control Apache VirtualHost files.

<VirtualHost *:80>

ServerName example.com

ServerAlias www.example.com

Redirect permanent / https://example.com/

</VirtualHost>

Apache documents mod_rewrite as a rule-based engine that can rewrite requested URLs or redirect one URL to another.

Nginx redirect

Use a dedicated port 80 server block for the HTTP version.

server {

listen 80;

server_name example.com www.example.com;

return 301 https://example.com$request_uri;

}

This sends every HTTP request to the HTTPS canonical host while preserving the path and query string.

Windows IIS redirect

IIS sites usually use URL Rewrite. A common rule checks {HTTPS} and redirects only when the request is still HTTP.

<rule name=”HTTP to HTTPS Redirect” stopProcessing=”true”>

<match url=”(.*)” />

<conditions>

<add input=”{HTTPS}” pattern=”^OFF$” />

</conditions>

<action type=”Redirect” url=”https://{HTTP_HOST}/{R:1}” redirectType=”Permanent” />

</rule>

The {HTTPS} condition matters because it prevents the rule from firing on requests that are already secure.

Cloudflare redirect

If Cloudflare manages your traffic, Always Use HTTPS can redirect HTTP requests at the edge. Cloudflare says this feature redirects HTTP requests to HTTPS across all hosts in the application.

Use this only after checking your origin server. A CDN rule and an origin rule can conflict when SSL/TLS mode is misaligned.

What are HTTP and HTTPS?

HTTP is the protocol a browser uses to request webpages. HTTPS adds encryption through SSL/TLS, which protects data while it travels between the browser and the server. A redirect from HTTP to HTTPS makes the secure version the normal entry path for visitors.

For users, HTTPS supports trust because browsers show stronger security signals on protected pages. For businesses, the impact becomes clear on forms, payment paths, account pages etc. Sensitive templates should send users to the secure version automatically.

For SEO, the redirect helps consolidate URL versions. The final HTTPS URL should also appear in internal links, canonical tags, sitemap files etc.

Before you redirect HTTP to HTTPS

A redirect should happen after the SSL/TLS setup is ready. When the certificate is missing, expired, or installed on the wrong host, forcing HTTPS can move users from a working HTTP page to a browser warning.

Use this pre-launch checklist.

CheckWhy it matters
SSL certificate is validHTTPS needs a trusted certificate
Canonical host is chosenPrevents root vs www conflict
Existing redirects are reviewedAvoids chains or loops
Server rules are backed upAllows fast rollback
CDN settings are checkedPrevents edge-origin conflict
Staging is tested when possibleProtects high-value pages

The canonical host decision should come before writing rules. Choose either https://example.com or https://www.example.com, then make every other version point there.

Which status code should you use?

HTTP redirects use 3xx status codes and a Location header that tells the browser where to go. Browsers load the new URL from the Location header after receiving a redirect response.

StatusMeaningUse case
301Permanent redirectStable HTTP to HTTPS migration
308Permanent redirect with method preservedPermanent move where method handling matters
302Temporary redirectShort-term routing
307Temporary redirect with method preservedTemporary move where method handling matters

For most websites, 301 is the common choice for HTTP to HTTPS. A 308 can also represent a permanent move, while 308 preserves the request method and body during the redirected request.

How to redirect HTTP to HTTPS on different platforms

The best implementation depends on your stack. Use the method that matches your environment, then run the testing checklist afterward.

Redirect HTTP to HTTPS on WordPress

WordPress sites often run through several layers: CMS settings, plugins, hosting cache, CDN rules etc. Start with the hosting-level redirect when your host provides one. This is usually cleaner than adding several plugin rules.

Check these items first:

WordPress areaWhat to verify
WordPress AddressUses the intended HTTPS version
Site AddressMatches the canonical host
SSL pluginAvoid duplicate force-HTTPS rules
Cache pluginClear after redirect changes
CDN pluginAlign with CDN SSL mode
.htaccessReview custom rewrite rules

If WordPress admin becomes inaccessible after a change, review the redirect chain before disabling everything. The loop may come from a plugin, but it may also come from Cloudflare, .htaccess, or a host panel setting.

Redirect HTTP to HTTPS on Apache

Apache gives two common paths: VirtualHost or .htaccess. Use VirtualHost when server configuration access exists. Use .htaccess when the host only allows directory-level changes.

For .htaccess, place the rule near the top of the file, before CMS rewrite blocks when appropriate.

RewriteEngine On

RewriteCond %{HTTPS} off

RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

For WordPress, avoid editing inside the generated block unless the developer confirms the change.

Redirect HTTP to HTTPS on Nginx

Nginx handles this through server blocks. A simple HTTP block can return a permanent redirect to HTTPS.

server {

listen 80;

server_name example.com www.example.com;

return 301 https://example.com$request_uri;

}

After editing the config, test before reload:

nginx -t

sudo systemctl reload nginx

For high-traffic templates, ask DevOps to check logs after deployment. A misplaced server block can affect the homepage, API endpoints, static assets etc.

Redirect HTTP to HTTPS on Windows IIS

A practical IIS workflow:

  1. Install URL Rewrite if it is missing.
  2. Open IIS Manager.
  3. Select the target website.
  4. Open URL Rewrite.
  5. Add a blank inbound rule.
  6. Match URL pattern (.*).
  7. Add a condition for {HTTPS} with pattern ^OFF$.
  8. Set action type to Redirect.
  9. Use https://{HTTP_HOST}/{R:1} as the target.
  10. Choose Permanent 301.
  11. Apply the rule.
  12. Test HTTP and HTTPS versions.

The condition prevents the rule from redirecting a request that is already secure.

Redirect HTTP to HTTPS on Cloudflare

Cloudflare can redirect HTTP traffic before the request reaches your origin server. Always Use HTTPS is the simplest edge setting, while Redirect Rules give more control.

Before enabling it, check the SSL/TLS mode.

Cloudflare setupRisk to review
Flexible modeOrigin HTTP-to-HTTPS redirect can loop
Full modeOrigin certificate still needs review
Full strictCertificate must validate properly
Always Use HTTPSOrigin should avoid conflicting rules
HSTSBrowser behavior becomes stricter

Cloudflare warns that redirect loops can happen when SSL/TLS mode conflicts with origin server settings. In Flexible mode, Cloudflare sends HTTP to the origin, and a loop can appear if the origin redirects HTTP back to HTTPS.

A simplified loop looks like this:

Browser requests HTTPS

Cloudflare sends HTTP to origin

Origin forces HTTPS

Loop continues

Redirect HTTP to HTTPS in cPanel

Many cPanel environments include a Force HTTPS Redirect option. This is useful for site owners who do not want to edit .htaccess manually.

General process:

  1. Confirm SSL is installed.
  2. Open the Domains section.
  3. Choose the target domain.
  4. Enable Force HTTPS Redirect.
  5. Clear site cache.
  6. Test the HTTP URL.

When cPanel and .htaccess both force HTTPS, the redirect may still work. The risk appears during troubleshooting because two places now control the same behavior.

How to find where an HTTPS redirect comes from

Some websites already redirect to HTTPS, but the owner does not know which layer is doing it. That matters before adding a new rule.

Use this diagnostic table.

SignalLikely source
Redirect disappears when CDN proxy is pausedCDN setting
Redirect happens before origin receives requestEdge rule
Redirect appears only on Apache hosting.htaccess or VirtualHost
Redirect appears only on IISweb.config or URL Rewrite
Redirect changes after plugin deactivationCMS plugin
Redirect alternates HTTP and HTTPSCDN-origin conflict
Redirect affects only one pathApplication rule

Open the Network tab in browser DevTools, then load the HTTP version. Look for the first 301 or 308 response. The Location header reveals the next URL.

A simple command can show the redirect without loading the page:

curl -I http://example.com/service-page/

The response should show a 301 or 308 status and a Location header pointing to the HTTPS version.

How to test your HTTP to HTTPS redirect

Testing should cover more than “the page loads.” A redirect can load successfully while still creating a chain, mixed content issue, or weak canonical signal.

CheckPass condition
Status codeHTTP returns 301 or 308
DestinationHTTPS URL matches intended page
Hop countOne redirect where possible
CanonicalHTTPS page references the correct canonical
Internal linksUse HTTPS directly
SitemapLists HTTPS URLs
Mixed contentNo HTTP assets remain
CDN-origin behaviorNo loop or conflict
Search ConsoleHTTPS property and sitemap are checked

QA checklist for HTTP to HTTPS redirects testing status codes mixed content and canonicalsBeyond checking the 301 status code, you must verify that internal links are updated, canonical tags point to HTTPS, and no mixed content warnings block secure assets.

MDN notes that redirects add an extra HTTP request and advises fixing internal links where possible instead of relying on internal redirects.

The final HTTPS URL should also match the original user intent. If the HTTP version of a service page redirects to the homepage, users lose the commercial path they expected.

After launch, use a Search Console missing-page check if old HTTP URLs, outdated sitemap entries, or broken redirect targets start appearing as 404 issues.

Common HTTP to HTTPS redirect mistakes

Most HTTPS migration issues come from duplicate redirect layers or weak QA.

MistakeWhat happensBetter action
Redirect before SSL worksUsers hit warningsInstall and validate certificate first
CDN and origin disagreeRedirect loop appearsAlign SSL/TLS mode and origin rule
Internal links stay HTTPExtra requests continueUpdate templates and content
Mixed content remainsBrowser blocks assetsReplace HTTP resources
Wrong host is canonicalRoot and www conflictChoose one host before launch
Plugin plus server both force HTTPSDebugging becomes harderKeep one main redirect source

When users report ERR_TOO_MANY_REDIRECTS after a redirect change, inspect the chain first. Adding another rule usually makes the problem harder to trace. A repeated HTTP and HTTPS loop should be handled as a redirect loop diagnosis before the team changes Cloudflare, plugin, or server rules again.

HTTP to HTTPS redirect FAQ

What is the best way to redirect HTTP to HTTPS?

The best method depends on your environment. Use server configuration when you control the server. Use .htaccess for Apache shared hosting. Use URL Rewrite for IIS. Use Cloudflare only when the CDN and origin configuration agree.

Should I use 301 or 308 for HTTP to HTTPS?

Use 301 for most standard website migrations. A 308 is also permanent and preserves the request method, which can matter for certain non-GET requests. Google treats both 301 and 308 as permanent redirects for moved URLs.

Can I redirect HTTP to HTTPS without .htaccess?

Yes. Nginx uses server blocks, IIS can use URL Rewrite, cPanel may provide Force HTTPS Redirect, while Cloudflare can redirect at the edge. .htaccess only applies to Apache-compatible hosting.

Why does Cloudflare already redirect HTTP to HTTPS?

Cloudflare may redirect HTTP to HTTPS through Always Use HTTPS, Redirect Rules, HSTS behavior, or another edge setting. Check Cloudflare settings before adding another rule at the origin.

Why do I get too many redirects after forcing HTTPS?

This usually means two layers disagree. A common case is CDN-to-origin behavior where Cloudflare sends HTTP to the origin, while the origin sends the same request back to HTTPS.

Do I need to update internal links after enabling HTTPS redirects?

Yes. The redirect protects users who arrive through old HTTP URLs, but internal links should point directly to HTTPS. Direct links reduce extra requests and make the final URL clearer for crawlers.

Final thoughts

A HTTP to HTTPS redirect should be handled as a migration step, not just a security toggle. Start with a valid certificate, choose the canonical host, pick one redirect source, then test key templates.

For business-critical pages, assign the work clearly. SEO can define priority paths and post-launch checks. Development can validate server rules. The hosting or CDN owner can confirm where the redirect is applied. When those responsibilities are clear, the HTTPS migration becomes easier to maintain and safer for users.

 

Vincent On
AUTHOR

Vincent On

Vincent On is the Founder & Managing Director of On Digitals. With a background in Information Technology and Information Systems from Deakin University, Melbourne, he connects strategy, data and execution into one accountable growth system — across SEO, content, media, outreach and technology. His articles help marketing leaders turn search and AI visibility into measurable business growth.


Back to list

Read more

    NEED HELP with digital growth?
    Tell us about your business challenge and let's discuss together