HTTPS Redirect Guide: How to Force HTTPS on Any Server

Why HTTPS Is Non-Negotiable

HTTPS is not optional. Browsers mark HTTP sites as "Not Secure." Google uses HTTPS as a ranking signal. Users see the padlock icon and trust your site. Without HTTPS, you lose rankings, trust, and conversions.

But enabling HTTPS is only half the job. You also need to redirect all HTTP traffic to HTTPS so that every visitor, every crawler, and every inbound link reaches the secure version of your site. A missing or misconfigured HTTPS redirect means some users still hit the insecure version, search engines index both versions, and your link equity splits between HTTP and HTTPS URLs.

This guide covers how to implement HTTPS redirects correctly on every major platform, and how to avoid the pitfalls that cause redirect loops, mixed content warnings, and SEO problems.

Before You Start: Prerequisites

HTTPS Redirects on Apache

Apache uses .htaccess files or the main server configuration for redirect rules.

Basic HTTP to HTTPS Redirect

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This checks if the connection is not HTTPS (%{HTTPS} off), and if so, redirects to the same URL with https://. The R=301 flag makes it a permanent redirect. The L flag stops processing further rules.

Combined www and HTTPS Redirect (Single Hop)

If you also want to redirect www to non-www (or vice versa), combine both into one rule to avoid a redirect chain:

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [L,R=301]

This handles all four variations (http://www, http://non-www, https://www, http://non-www) in a single redirect to https://example.com.

Apache Behind a Load Balancer or Proxy

If your Apache server is behind a load balancer that terminates SSL, the %{HTTPS} variable will always be "off" because the connection from the load balancer to Apache is HTTP. Use the X-Forwarded-Proto header instead:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

HTTPS Redirects on Nginx

Nginx handles redirects in server blocks within the configuration file.

Basic HTTP to HTTPS Redirect

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

This creates a separate server block that listens on port 80 (HTTP) and redirects everything to HTTPS. Using return 301 is more efficient than using rewrite in Nginx.

Combined www and HTTPS Redirect

# Redirect www (both HTTP and HTTPS) to non-www HTTPS
server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    return 301 https://example.com$request_uri;
}

# Redirect HTTP non-www to HTTPS non-www
server {
    listen 80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}

# Main HTTPS server block
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    # Your site configuration here
}

Nginx Behind a Proxy

server {
    listen 80;
    server_name example.com;

    if ($http_x_forwarded_proto = "http") {
        return 301 https://$host$request_uri;
    }

    # Normal configuration
}

HTTPS Redirects with Cloudflare

Cloudflare sits between your visitors and your origin server, which adds a layer of complexity to HTTPS redirects.

Enable HTTPS Redirect in Cloudflare

1. Log into the Cloudflare dashboard
2. Select your domain
3. Go to SSL/TLS > Edge Certificates
4. Enable Always Use HTTPS

This tells Cloudflare to redirect all HTTP requests to HTTPS at the edge, before they even reach your server.

Set the Correct SSL Mode

This is critical and is the most common source of redirect loops with Cloudflare.

Remove Server-Level HTTPS Redirects (Optional)

Once Cloudflare's "Always Use HTTPS" is enabled, you can optionally remove the HTTPS redirect from your origin server. Cloudflare handles it at the edge, which is faster. However, keeping the origin redirect as a safety net is also valid in case Cloudflare is ever bypassed or disabled.

HTTPS Redirects in WordPress

WordPress has its own URL settings that interact with server-level redirects.

Step 1: Update WordPress URLs

1. Go to Settings > General
2. Change both WordPress Address (URL) and Site Address (URL) to use https://
3. Save

If you cannot access the admin panel (because of a redirect loop), edit wp-config.php:

define('WP_HOME', 'https://example.com');
define('WP_SITEURL', 'https://example.com');

Step 2: Add the Server-Level Redirect

Even after updating WordPress URLs, you still need a server-level redirect to handle direct HTTP requests. Use the Apache or Nginx rules above.

Step 3: Fix Internal Links

After switching to HTTPS, internal links and embedded resources may still reference HTTP URLs. Use a search-and-replace tool (like Better Search Replace plugin) to update all instances of http://example.com to https://example.com in the database.

WordPress Behind a Reverse Proxy

If WordPress is behind Cloudflare, a load balancer, or any proxy that terminates SSL, add this to wp-config.php:

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
    $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

Without this, WordPress thinks every request is HTTP (because the proxy-to-server connection is HTTP) and creates a redirect loop.

Common HTTPS Migration Pitfalls

Mixed Content Warnings

After switching to HTTPS, if your pages still load resources (images, scripts, stylesheets, fonts) over HTTP, browsers will show a mixed content warning or block those resources entirely.

How to find mixed content:

• Check the browser console for mixed content warnings
• Use a crawler to scan all pages for HTTP resource references
• Search your database and template files for http:// references to your own domain

How to fix it:

• Update all internal resource URLs to HTTPS or use protocol-relative URLs (//example.com/image.png)
• Run a database search-and-replace for your domain from http:// to https://
• Check hardcoded URLs in theme files, widgets, and custom code

Redirect Loops

The most common HTTPS pitfall. Causes include:

• Cloudflare "Flexible SSL" combined with server-level HTTPS redirect
• WordPress WP_HOME/WP_SITEURL set to HTTP while a redirect forces HTTPS
• Both a CDN and the origin server enforcing HTTPS redirects that conflict
• A caching plugin serving a cached redirect response

See the fix-err-too-many-redirects guide for detailed solutions to each of these scenarios.

Forgetting Subdomains

Your main domain may be on HTTPS, but what about blog.example.com, shop.example.com, cdn.example.com, and mail.example.com? Each subdomain needs its own SSL certificate (or a wildcard certificate) and its own HTTPS redirect.

Not Updating External References

After migrating to HTTPS, update your URL everywhere it appears externally:

• Google Search Console (add the HTTPS property)
• Google Business Profile
• Social media profiles
• Email signatures
• Third-party directory listings
• API integrations that use your URL

HSTS (HTTP Strict Transport Security)

After confirming HTTPS works correctly, add an HSTS header to tell browsers to always use HTTPS for your domain. This eliminates the initial HTTP request entirely for returning visitors.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Monitoring HTTPS Status

HTTPS is not a one-time setup. Certificates expire, configurations change, and dependencies can introduce mixed content. Ongoing monitoring catches problems before they reach visitors.

HTTPS Redirect Verification Checklist

After implementing your HTTPS redirect, verify all of these:

A correct HTTPS redirect is a single 301 hop from HTTP to HTTPS that works for every domain variation, does not create loops with your CDN or proxy, and covers every subdomain serving your content.