To force all HTTP requests to redirect to HTTPS, add a server rewrite rule that checks whether the connection is secure and issues a 301 permanent redirect when it is not. The configurations below achieve this on both IIS and Apache while preserving the original URL path and query string. They also include an exclusion for the .well-known directory used by ACME certificate validation services such as Let's Encrypt.
Every site using an SSL certificate should enforce this behavior. Without it, visitors can still reach the insecure HTTP version, analytics data becomes fragmented, and search engines may not treat the HTTPS version as canonical.
#Why Enforce HTTPS Redirects
HTTPS encrypts all data between the browser and server, preventing interception and tampering. A server-enforced redirect ensures every visitor uses the encrypted channel. It also consolidates SEO signals to a single secure URL, avoids duplicate-content penalties, and satisfies browser security indicators that mark plain HTTP sites as unsafe.
#Prerequisites
- A valid SSL/TLS certificate installed and bound to your domain
- Access to edit files in the website root directory
- URL Rewrite module enabled for IIS web.config rules
- mod_rewrite available for Apache or Helicon Ape .htaccess files
#IIS Configuration with URL Rewrite
Edit or create web.config in the site root. Insert the rewrite rules inside the system.webServer element. The first rule bypasses redirection for Let's Encrypt validation requests. The second rule matches all other HTTP traffic and redirects permanently to the HTTPS equivalent.
<rewrite>
<rules>
<rule name="ACME / Let's Encrypt Verification" stopProcessing="true">
<match url="^\.well-known(.*)" />
<action type="None" />
</rule>
<rule name="HTTP to HTTPS Redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
</rule>
</rules>
</rewrite>The stopProcessing attribute prevents further rules from firing after a match. The {R:1} backreference captures the original path so it is appended correctly to the HTTPS URL.
#Helicon Ape .htaccess on IIS
When using Helicon Ape for Apache-compatible behavior on IIS, add the following lines to the .htaccess file in your wwwroot directory. Place them immediately after the RewriteEngine On directive.
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}#Apache .htaccess Configuration
On Apache servers the syntax is identical. Add the same directives to the site's root .htaccess file directly under RewriteEngine On. Ensure the mod_rewrite module is loaded in the server configuration.
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}#Testing and Common Pitfalls
Clear browser cache then request the HTTP version of any page. Confirm the browser lands on the HTTPS URL and that developer tools show a 301 status. Test certificate renewal paths under /.well-known/acme-challenge to verify the exclusion works.
- Conflicting redirect logic inside application code or CMS plugins can create loops; review those after server rules are in place
- Mixed-content warnings occur when page resources still reference HTTP URLs; update them to protocol-relative or full HTTPS links
After deployment, monitor access logs for repeated redirect errors and adjust conditions if your environment uses a proxy that requires checking HTTP_X_FORWARDED_PROTO. This single change provides immediate security and SEO benefits across all site traffic.
Comments
No comments yet