Redirect HTTP to HTTPS
All HTTP requests must be permanently redirected (301) to HTTPS to prevent users from accessing your site over an insecure connection.
- Redirect `http://example.com` to `https://example.com` with HTTP 301 (permanent redirect)
- Preserve the full path and query string in the redirect: `https://$host$request_uri`
- Use 301 (not 302) so browsers and search engines cache the redirect and future requests go directly to HTTPS
- Configure redirects at the server/CDN level — never rely on client-side JavaScript for security redirects
- After validating HTTPS works, add HSTS to eliminate future HTTP requests entirely
Rule Details
Redirecting HTTP to HTTPS ensures that any user who arrives at your site over plain HTTP is immediately upgraded to an encrypted connection. HTTP redirections (opens in new tab) belong at the server or CDN edge, and HTTPS transport (opens in new tab) should be in place before you ship any login, payment, or form flow.
Code Examples
Nginx
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
# Redirect all HTTP to HTTPS, preserving path and query
return 301 https://$host$request_uri;
}Apache
# Option 1: Using mod_rewrite
<VirtualHost *:80>
ServerName example.com
RewriteEngine On
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</VirtualHost>
# Option 2: Simpler Redirect directive
<VirtualHost *:80>
ServerName example.com
Redirect permanent / https://example.com/
</VirtualHost>Caddy
Caddy handles HTTPS and redirects automatically. Explicit configuration:
http://example.com {
redir https://{host}{uri} permanent
}Cloudflare
Dashboard → SSL/TLS → Edge Certificates → Always Use HTTPS toggle.
This applies at the CDN edge before requests reach your origin server.
Vercel
Automatic — all Vercel deployments redirect HTTP to HTTPS by default.
AWS CloudFront
In the distribution settings, set Viewer Protocol Policy to "Redirect HTTP to HTTPS" on each cache behavior.
Why It Matters
Without an HTTP-to-HTTPS redirect, users who type the domain without https:// or follow old links land on the insecure version of the site, exposing session cookies and form data to network attackers.
301 vs 302: Why It Matters
| Status | Meaning | Browser behavior | Search engine |
|---|---|---|---|
| 301 Permanent | The resource has moved permanently | Browser caches redirect; future requests skip HTTP | Transfers link equity to HTTPS URL |
| 302 Temporary | The resource has moved temporarily | Browser re-requests HTTP each time | May continue indexing HTTP URL |
Always use 301 for HTTP-to-HTTPS redirects. The browser will cache it, meaning after the first visit, the browser goes directly to HTTPS without ever making an HTTP request.
Redirect Chain Issues
Avoid multiple hops:
❌ Bad: http://example.com → http://www.example.com → https://www.example.com
✅ Good: http://example.com → https://example.comEach hop adds latency. Configure your server to consolidate the www/non-www preference and HTTP-to-HTTPS redirect into a single 301.
Never rely on JavaScript (window.location.href = 'https://...') for security redirects. JavaScript runs after the HTTP response is received — the insecure request has already been made.
After Redirects: Add HSTS
Once HTTPS and redirects are verified and stable, add the Strict-Transport-Security header to eliminate future HTTP requests entirely. The OWASP transport guidance (opens in new tab) recommends this pairing because browsers that have seen HSTS will upgrade connections internally before making any network request.
Strict-Transport-Security: max-age=31536000; includeSubDomainsExceptions
- Local development or internal-only environments can differ, but production user-facing traffic should still satisfy the transport requirement strictly.
- A redirect or HTTPS control that fails on one hostname, subdomain, or CDN edge path is still a real failure for users and crawlers reaching that surface.
- Fix the strongest transport weakness first instead of treating every downstream symptom as a separate primary issue.
Verification
Automated Checks
- Run an automated security check, scripted probe, or log-based validation against a representative live flow.
Manual Checks
- Verify the browser or user-facing behavior manually in a production-like flow and confirm there is no stronger conflicting security signal.
Use with AI
Copy these prompts to use with your AI assistant, or install the MCP server to use directly from Claude, Cursor, or Windsurf.
Check
Verify implementation
Test whether http://example.com redirects to https://example.com with a 301 status code. Check that the full URL path and query string are preserved in the redirect Location header.
Fix
Auto-fix issues
Configure the web server to redirect all HTTP requests to HTTPS with a 301 status code, preserving the full request path. Verify the redirect with curl -I http://example.com.
Explain
Learn more
Explain why redirecting HTTP to HTTPS is necessary, the difference between 301 and 302 redirects, and how HSTS can eliminate the redirect for returning users.
Review
Code review
Review server config, headers, forms, and integration points related to Redirect HTTP to HTTPS. Flag exact responses, cookies, or browser behaviors that violate the rule, and verify them against the effective production-like response.