How to Redirect HTTP to HTTPS
What is this?
An HTTPS redirect ensures that visitors who type your domain without https:// (or follow old HTTP links) are automatically sent to the secure version of your site. Without it, some visitors may access your site over an unencrypted connection.
Why it matters
- Security: Prevents man-in-the-middle attacks on unencrypted connections
- SEO: Google considers HTTPS a ranking signal and may penalize HTTP-only sites
- Trust: Browsers show a "Not Secure" warning for HTTP pages
How to fix it
Nginx
server {
listen 80;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
}
Apache
Add to your .htaccess file:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Caddy
Caddy automatically redirects HTTP to HTTPS by default. No configuration needed.
Cloudflare
- Go to SSL/TLS > Edge Certificates
- Enable Always Use HTTPS
WordPress
Install and activate the Really Simple SSL plugin, or add to wp-config.php:
define('FORCE_SSL_ADMIN', true);
if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
$_SERVER['HTTPS'] = 'on';
}
Common mistakes
- Using a 302 (temporary) redirect instead of 301 (permanent). Search engines treat these differently for SEO.
- Redirecting to HTTPS but having mixed content (HTTP resources on an HTTPS page). Check your browser console for mixed content warnings.
- Creating redirect loops when behind a reverse proxy or CDN. Check the
X-Forwarded-Protoheader.
Test your fix
After configuring the redirect, audit your site on BeaverCheck to verify HTTPS is properly enforced.