Enforcing HTTPS with HTTP to HTTPS Redirects
Learn how to redirect HTTP traffic to HTTPS safely, avoid redirect loops, fix mixed content and test redirect behavior after SSL installation.
Introduction
After installing an SSL/TLS certificate, visitors may still reach the insecure HTTP version of a website unless HTTPS is enforced. An HTTP to HTTPS redirect sends visitors, search engines and integrations from the insecure version to the secure HTTPS version.
A good HTTPS redirect should be simple, permanent and consistent. A bad redirect can cause loops, long redirect chains, broken forms, SEO problems, mixed content warnings or failed API callbacks.
Quick answer
To enforce HTTPS, first make sure the SSL certificate is valid for the exact hostname. Then add a permanent 301 redirect from HTTP to HTTPS at the server, hosting panel, CDN or application level. Test root, www and important subdomains to avoid loops or redirect chains.
HTTP to HTTPS redirect
An HTTP to HTTPS redirect automatically sends visitors from the insecure version of a URL to the secure version.
http://example.com
redirects to:
https://example.com
The SSL certificate must be valid before the HTTPS destination can load without browser warnings.
Why redirect to HTTPS
HTTPS redirects help make sure visitors and search engines use the secure version of your website.
- Users land on the secure version
- Forms and logins avoid insecure HTTP
- Search engines see one preferred version
- Analytics and canonical signals are cleaner
- Old HTTP links still work
- Browser “Not Secure” warnings are reduced
A redirect does not fix an invalid certificate. SSL must be valid first.
Where to configure redirects
Hosting panel
Many shared hosting providers have a “Force HTTPS” or “HTTPS Redirect” option.
cPanel / Plesk
Redirects can often be enabled per domain or through web server rules.
Nginx
Redirects are usually configured in the server block.
Apache / .htaccess
Redirects can be configured with RewriteRule or Redirect directives.
CDN / proxy
Cloudflare, CDN or reverse proxy may enforce HTTPS at the edge.
Application / CMS
WordPress or other apps may enforce HTTPS, but server-level redirects are usually cleaner.
Avoid enabling conflicting HTTPS redirects in too many places at once.
301 vs 302
301 redirect
- Permanent redirect.
- Best for normal HTTP to HTTPS migration.
302 redirect
- Temporary redirect.
- Useful for short-term tests, but not ideal as the final HTTPS redirect.
For most production websites, HTTP to HTTPS should use 301 once SSL is working correctly.
Root and www
HTTPS enforcement should also respect your preferred hostname.
http://www.example.com → https://example.com
http://example.com → https://example.com
http://example.com → https://www.example.com
http://www.example.com → https://www.example.com
Choose one canonical hostname and redirect all variants consistently.
Why this matters
HTTPS redirects matter because installing SSL does not automatically guarantee that every visitor uses HTTPS. Without a redirect, old links, bookmarks, search results or typed URLs may still open the HTTP version.
Redirect quality also affects SEO and performance. A clean one-step redirect is better than multiple chained redirects.
How to check redirects
Use Website Status Checker or HTTP Header Checker to inspect redirect status codes and final URLs.
When checking HTTPS redirects, review
These seven checks help confirm redirects work correctly.
HTTP status code
Confirm HTTP returns 301 or the intended redirect code.
Final URL
Confirm the redirect lands on the correct HTTPS hostname.
Redirect chain
Avoid multiple unnecessary hops.
Redirect loops
Confirm the page does not bounce between URLs.
Root and www
Test both example.com and www.example.com.
Subdomains
Test important subdomains separately.
Mixed content
After HTTPS loads, check whether assets still load over HTTP.
Check HTTPS redirect
Use Website Status Checker to verify status codes, redirect chains and final HTTPS URL.
Common problems
No HTTP to HTTPS redirect
MediumThe site supports HTTPS, but HTTP still loads without redirecting.
Next step: Enable a 301 redirect from HTTP to HTTPS.
Redirect loop
HighThe site redirects repeatedly between HTTP and HTTPS or between root and www.
Next step: Check hosting, CDN, proxy and application redirect rules for conflicts.
Redirect chain too long
MediumThe URL redirects through several steps before reaching the final page.
Next step: Simplify rules so HTTP goes directly to the final HTTPS canonical URL.
SSL certificate invalid before redirect
HighThe HTTPS destination has an invalid or mismatched certificate.
Next step: Fix SSL certificate coverage before enforcing HTTPS.
Root and www redirect inconsistently
MediumRoot and www versions lead to different final URLs.
Next step: Choose one canonical hostname and redirect all variants consistently.
CDN and origin rules conflict
HighCDN HTTPS settings and origin server rules fight each other.
Next step: Review CDN SSL mode, edge redirects and origin redirects together.
WordPress site URL still uses HTTP
MediumWordPress settings or database URLs still point to HTTP.
Next step: Update site URL, home URL and internal links to HTTPS.
Mixed content after redirect
MediumThe page is HTTPS, but assets still load over HTTP.
Next step: Update images, scripts, stylesheets, fonts and iframe URLs to HTTPS.
API or webhook callback breaks
MediumExternal systems may not follow redirects or may require exact callback URLs.
Next step: Update callback URLs to the final HTTPS endpoint.
How to enforce HTTPS
-
Step 1: Verify SSL first
Use SSL Checker to confirm the certificate is valid for root, www and required subdomains.
-
Step 2: Choose canonical hostname
Decide whether the final version should be https://example.com or https://www.example.com.
-
Step 3: Add one clean redirect rule
Redirect HTTP directly to the final HTTPS URL with a 301.
-
Step 4: Avoid duplicate redirect systems
Do not create conflicting rules in hosting panel, CDN, .htaccess, Nginx and WordPress at the same time.
-
Step 5: Update application URLs
Update CMS settings, canonical tags, sitemap URLs, internal links and asset URLs to HTTPS.
-
Step 6: Test root, www and subdomains
Confirm each important URL reaches the correct final HTTPS version.
-
Step 7: Check for mixed content
Fix insecure images, scripts, stylesheets, fonts and embedded resources.
-
Step 8: Monitor after launch
Watch for redirect loops, 404s, checkout issues, API failures and SEO crawl errors.
Redirect examples
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
server {
listen 80;
server_name example.com www.example.com;
return 301 https://example.com$request_uri;
}
curl -I http://example.com
Expected:
HTTP/1.1 301 Moved Permanently
Location: https://example.com/
These examples are illustrative. Adjust rules for your real domain, web server, CDN and preferred hostname.
CDN and proxy
If a CDN or reverse proxy is used, redirects may happen at the CDN edge, origin server or both.
- CDN SSL mode
- Edge HTTPS redirect setting
- Origin HTTP to HTTPS redirect
- Forwarded protocol headers
- Proxy-to-origin SSL
- Page rules or redirect rules
- Whether WordPress or app detects HTTPS correctly
Many redirect loops happen because the origin server thinks the request is HTTP while the CDN already served HTTPS to the visitor.
SEO migration
For SEO, keep the migration clean and consistent.
- Use 301 redirects
- Update canonical tags to HTTPS
- Update sitemap URLs
- Update internal links
- Update robots references if needed
- Avoid redirect chains
- Keep same page paths where possible
- Check Search Console after migration
A clean HTTP to HTTPS migration should preserve URLs and only change the protocol and hostname strategy.
Frequently asked questions
Do I need a redirect if SSL is installed?
Yes, if you want all visitors to use HTTPS automatically.
Should HTTP to HTTPS use 301 or 302?
Use 301 for normal permanent HTTPS enforcement after SSL is working.
Can a redirect fix an invalid SSL certificate?
No. The HTTPS certificate must be valid for the destination hostname.
Why do I get a redirect loop?
Common causes include conflicting CDN, server, hosting panel or application redirect rules.
Should I redirect to www or non-www?
Either is fine. Choose one canonical hostname and redirect all variants consistently.
Can HTTPS redirects affect SEO?
Yes. Clean 301 redirects are important. Avoid long chains, loops and inconsistent canonical URLs.
Why does my HTTPS page still show insecure warnings?
The certificate may be valid, but the page may still load mixed content over HTTP.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all SSL & HTTPS guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!