How to Redirect HTTP to HTTPS

After installing an SSL certificate, you need to redirect all HTTP traffic to HTTPS to ensure visitors always use the secure version of your site. This guide covers redirect methods for the most common server platforms.

Why Redirect HTTP to HTTPS?

Security: Ensures all visitors use the encrypted connection.
SEO: Prevents duplicate content issues (HTTP and HTTPS versions of the same page).
User trust: Visitors always see the padlock icon.
Browser compatibility: Avoids “Not Secure” warnings on HTTP pages.

Method 1: Apache (.htaccess)

Add the following rules to your .htaccess file in the website’s root directory:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Redirect a Specific Domain

RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www\.)?example\.com [NC]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Redirect and Force www

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [L,R=301]

Note: After editing .htaccess, clear your browser cache and test the redirect. Use a 301 (permanent) redirect for production sites to ensure search engines update their indexes.

Method 2: Nginx

Add a server block that listens on port 80 and redirects to HTTPS:

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate /etc/ssl/yourdomain-combined.crt;
    ssl_certificate_key /etc/ssl/yourdomain.key;

    # ... rest of your server configuration
}

After editing, test and reload:

nginx -t
sudo systemctl reload nginx

Method 3: WordPress

Using a Plugin

Install and activate Really Simple SSL.
The plugin automatically detects your SSL certificate and configures the redirect.

Manual WordPress Configuration

Go to Settings → General.
Update both URLs to use https://:
- WordPress Address (URL): https://example.com
- Site Address (URL): https://example.com
Add the .htaccess redirect rules from Method 1 above.

wp-config.php Method

Add the following above the “That’s all, stop editing!” line in wp-config.php:

define('FORCE_SSL_ADMIN', true);

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

Method 4: Cloudflare

If your site uses Cloudflare:

Log in to your Cloudflare dashboard.
Select your domain.
Go to SSL/TLS → Edge Certificates.
Enable “Always Use HTTPS”.

Cloudflare also supports Automatic HTTPS Rewrites (under SSL/TLS settings) which fixes mixed content by rewriting HTTP URLs to HTTPS.

Method 5: cPanel

Log in to cPanel.
Navigate to Domains or Domains → Redirects.
Look for a “Force HTTPS Redirect” toggle and enable it.

Alternatively, use the .htaccess method described in Method 1 via cPanel’s File Manager.

Method 6: IIS (Windows Server)

Install the URL Rewrite module, then add to your web.config:

<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

Method 7: Using HSTS (HTTP Strict Transport Security)

HSTS tells browsers to always use HTTPS for your domain, even if the user types http://. Add this header to your HTTPS server configuration:

Apache

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Nginx

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Warning: Only enable HSTS after confirming HTTPS works perfectly on your site. HSTS is difficult to undo once browsers have cached the policy.

Verifying Your Redirect

Browser Test

Open your browser and type http://yourdomain.com.
The URL should automatically change to https://yourdomain.com.
Check that the padlock icon appears.

Command Line Test

curl -I http://yourdomain.com

You should see a 301 Moved Permanently response with a Location: https://yourdomain.com/ header.

Online Tools

Redirect Checker — verifies redirect chains
SSL Labs — comprehensive SSL/HTTPS analysis

Troubleshooting

Issue	Solution
Redirect loop	Check for conflicting rules in `.htaccess`, server config, and CDN settings
Redirect doesn’t work	Ensure `mod_rewrite` is enabled (Apache) or configuration is reloaded (Nginx)
Mixed content after redirect	Update all internal resource URLs to HTTPS
Too many redirects behind a proxy	Handle the `X-Forwarded-Proto` header to detect HTTPS from the proxy