How to Redirect HTTP to HTTPS (2026 Guide)
Hi, I'm Saar - a software engineer, SEO specialist, and lecturer who loves building tools and teaching tech.
View author profile →What Is an HTTP-to-HTTPS Redirect?
An HTTP-to-HTTPS redirect is a server response that tells the browser the requested resource has permanently moved to the HTTPS version of the same URL. The standard implementation is a 301 (Moved Permanently) status code with a Location header pointing to https://. After serving HTTPS, you add the Strict-Transport-Security (HSTS) header so browsers stop attempting plain HTTP altogether.
This is the complement to enabling HTTPS — see why your website must use HTTPS. Without redirects, search engines index two versions of your site, users on old links transmit data in the clear, and you remain exposed to SSL-stripping attacks.
Key Facts (TL;DR)
- Status code: Use 301 (permanent), not 302. 301 transfers PageRank/authority and is cached by browsers.
- Where to redirect: At the edge (CDN) or server level — never in JavaScript.
- HSTS: After redirect, send
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload. - SSL stripping: A 301 alone protects only after the first visit. HSTS preloading (hstspreload.org) closes the first-visit gap.
- No chains: Redirect
http://example.com/pagedirectly tohttps://example.com/page, not viahttp://www.example.com. - All variants: Cover apex, www, every subdomain, and trailing-slash variants.
Redirect Snippets by Server / Platform
| Platform | Where | Method |
|---|---|---|
| Apache | .htaccess or vhost | mod_rewrite or Redirect |
| Nginx | server block | return 301 |
| IIS (Windows) | web.config | URL Rewrite module |
| Next.js | next.config.js | redirects() |
| Edge runtime / managed host | Automatic | Built-in HTTPS enforcement |
| CDN dashboard | Edge setting | SSL/TLS → Always Use HTTPS |
| CDN distribution | Distribution behavior | Viewer Protocol Policy |
Apache (.htaccess)
# .htaccess — redirect all HTTP to HTTPS, preserve path and query
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Add HSTS on the HTTPS response
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</IfModule>Nginx
# Catch all HTTP traffic and 301 to HTTPS
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com www.example.com;
# ... ssl_certificate, ssl_certificate_key ...
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
}IIS (web.config)
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="HTTP to HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>Next.js (next.config.js)
Hosted on a managed edge runtime? HTTPS redirects happen automatically — you do not need this. For self-hosted Next.js behind a reverse proxy without HTTPS handling, use the headers() hook to add HSTS and let the upstream server do the 301.
// next.config.js — add HSTS to every response
module.exports = {
async headers() {
return [
{
source: '/:path*',
headers: [
{
key: 'Strict-Transport-Security',
value: 'max-age=63072000; includeSubDomains; preload',
},
],
},
];
},
};CDN / Edge
Easiest path. In your CDN dashboard, find the SSL/TLS or edge-certificates section and toggle Always Use HTTPS on. The CDN will issue a 301 at the edge for any HTTP request before it reaches your origin. Enable HSTS in the same screen and tick Include subdomains + Preload once you have verified everything works.
HSTS and the Preload List
A 301 redirect alone leaves a window: an attacker on the network can intercept the very first plain-HTTP request and serve a fake response. HSTS instructs the browser to refuse plain HTTP for a domain for the duration of max-age. Adding the preload directive and submitting to hstspreload.org bakes your domain into Chrome, Firefox, Safari, and Edge source code so the first visit is also protected.
Requirements for preloading: serve a valid HTTPS cert, redirect HTTP to HTTPS on the same host, send HSTS with max-age at least 31536000 (1 year), includeSubDomains, and preload.
The 5 Mistakes That Break HTTP-to-HTTPS Redirects
1. Using 302 instead of 301
# Bad — 302 is temporary; search engines may keep indexing HTTP
return 302 https://$host$request_uri;
# Good — 301 is permanent
return 301 https://$host$request_uri;2. Redirect chains (HTTP → HTTP-www → HTTPS-www)
Each hop adds latency and dilutes link equity. Redirect once, directly to the final URL.
3. JavaScript-based redirects
window.location = 'https://...' runs only after the insecure page has already loaded — too late. Always redirect at the server or edge.
4. Forgetting subdomains
Redirecting example.com but not blog.example.com leaves part of the site insecure. Cover every subdomain you serve.
5. HSTS without testing first
Once a browser sees HSTS with a long max-age, it refuses HTTP for that period. If your HTTPS breaks, users are locked out. Start with max-age=300, verify, then raise to a year and add preload.
How to Test Your Redirects
- curl -I http://example.com — confirms the response is
301 Moved Permanentlywith aLocation: https://...header. - httpstatus.io — visualizes the full redirect chain so you can spot extra hops.
- Chrome DevTools → Network — refresh with cache disabled; the first request should be 301 and the second 200 over HTTPS.
- SSL Labs — confirms HSTS is set and configured to preload-ready values.
- hstspreload.org — validates your domain is eligible for the preload list.
FAQ
Why 301 instead of 302?
301 (permanent) transfers SEO authority and is cached aggressively by browsers. 302 (temporary) tells search engines to keep indexing the original URL.
Do I need to update internal links to HTTPS too?
Yes. Redirects work, but every internal link that still points at HTTP costs a redirect hop. Search-and-replace the database/codebase to use absolute HTTPS URLs or protocol-relative paths.
Will my SEO drop after switching to HTTPS?
Done correctly with 301s, the change is transparent. Submit the new HTTPS property in Google Search Console and update the canonical URLs.
Is a CDN's "Always Use HTTPS" toggle enough?
Yes for the redirect. You should still set HSTS on the origin so the policy persists if the CDN is ever bypassed.
Does this affect AI search engines like ChatGPT and Perplexity?
Yes — directly. AI crawlers (GPTBot, ChatGPT-User, PerplexityBot, ClaudeBot) treat insecure HTTP responses with caution and frequently skip them in favor of HTTPS sources. If your HTTP-to-HTTPS redirect is broken or returns mixed-protocol content, AI Overviews and chat assistants are far less likely to cite your pages, since the citation chain has to be reliable end-to-end. A clean 301 plus HSTS gives AI crawlers a single canonical HTTPS URL to fetch, index, and quote.
What is SSL stripping?
An attacker on the same network intercepts a victim's plain-HTTP request and proxies it to your HTTPS site, while serving the victim a forged HTTP page. HSTS preload eliminates this attack.
Should I redirect www to apex or apex to www?
Either is fine — pick one and be consistent. Make sure both are covered by your certificate so a misdirected user does not hit a cert warning.
Conclusion
A correct HTTP-to-HTTPS migration is three things: a 301 redirect at the server or edge, an HSTS header with a long max-age, and submission to the preload list. With those in place, every visitor — including the ones following five-year-old links — reaches your site over an authenticated, encrypted connection. Run a Greadme deep scan to verify your HTTPS redirect works on every URL across your site and to catch any pages still serving plain HTTP.