Is Your Site Redirecting HTTP to HTTPS? Here's How to Check
You've installed an SSL certificate, great. But is traffic automatically being sent to the secure HTTPS version of your site? A common oversight is having the certificate in place but failing to enforce the redirect from HTTP. This leaves visitors hitting the insecure version of your domain, which is bad for SEO, user trust, and data security. Let's cover how to check this and fix it.
Checking with curl
The command-line tool curl is your friend here. It allows us to make raw HTTP requests and inspect the responses. We're looking for a 301 Moved Permanently or 302 Found redirect status code.
To test the HTTP to HTTPS redirect, open your terminal and run:
curl -I http://yourdomain.com
Replace yourdomain.com with your actual domain. The -I flag tells curl to fetch only the headers, not the body of the response.
In the output, you'll want to see something like this:
HTTP/1.1 301 Moved Permanently
Location: https://yourdomain.com/
... other headers ...
If you see HTTP/1.1 200 OK, it means your site is responding to the HTTP request directly without a redirect.
Also, test both www and non-www versions of your domain, for example:
curl -I http://www.yourdomain.com
Implementing Redirects
The method for setting up the redirect depends on your server environment or hosting provider.
Apache .htaccess
For most shared hosting or VPS setups running Apache, you'll add rules to your .htaccess file, typically located in the public root directory of your website.
To redirect all HTTP traffic to HTTPS, add the following lines to your .htaccess file:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
This configuration checks if the request is not already using HTTPS. If it's not, it issues a 301 redirect to the same host and URI, but with the https:// protocol. The [L] flag ensures this is the last rule processed.
Nginx
If you're using Nginx, you'll modify your server block configuration. Locate the server block that handles your HTTP traffic (usually port 80) and add a redirect.
Here's a common Nginx configuration for redirecting HTTP to HTTPS:
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem; # Example path
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem; # Example path
    # ... other SSL configuration and your site's root directives ...
}
The first server block listens on port 80, matches your domain names, and redirects all requests to the HTTPS version using a 301 status code.
Cloudflare
If you use Cloudflare, it simplifies this process significantly. Cloudflare has a dedicated SSL/TLS setting called "Always Use HTTPS".
- Log in to your Cloudflare dashboard.
- Select your website.
- Navigate to the "SSL/TLS" section.
- Under "Edge Certificates," find "Always Use HTTPS" and toggle it to "On."
This setting tells Cloudflare to automatically issue 301 redirects for any requests that come in over HTTP to the equivalent HTTPS URL.
Common Pitfalls
Redirect Loops: This is a common headache. It happens when multiple redirects are configured and they send traffic back and forth. For instance, if your server is configured to redirect HTTP to HTTPS, and then Cloudflare is also set to "Always Use HTTPS," you might encounter a loop. Ensure only one mechanism is actively forcing the HTTPS redirect. Check your .htaccess, Nginx config, and Cloudflare settings carefully. If you use a WordPress plugin for SSL, make sure it's not conflicting with server-level redirects.
Mixed www and Non-www: Decide whether you want your primary domain to be www.yourdomain.com or yourdomain.com and stick to it. All your redirects should enforce this canonical version. For example, if your preferred version is www.yourdomain.com, your HTTP to HTTPS redirect should point to https://www.yourdomain.com, and you should also have a separate redirect for https://yourdomain.com to https://www.yourdomain.com (and vice versa if yourdomain.com is preferred).
Your .htaccess file can handle this by adding rules for the non-preferred version:
# Redirect non-www to www, going straight to HTTPS so that a request for
# https://yourdomain.com is never bounced through http://
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourdomain\.com$ [NC]
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [L,R=301]
# Then redirect any remaining HTTP requests (the www host) to HTTPS
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
The order here is important. You generally want to resolve the www preference first, then enforce HTTPS.
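To check a whole redirect chain rather than a single response, the headers from curl -sI -L can be walked hop by hop. The script below is an added example, not part of the original article: check_chain is a hypothetical helper name, and the sample headers are constructed. It reports the pitfalls above (a loop, a chain that never reaches HTTPS) plus a hop that drops from https:// back to http://.

```shell
#!/bin/sh
# Added example: check_chain is a hypothetical helper, not part of curl.
# Live use:  curl -sI -L --max-redirs 10 "$u" | check_chain "$u"
# Prints:    <verdict> <hops> <final-url>
check_chain() (
    url=$1 seen=" $1 " hops=0 status="" verdict=""
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                      # curl emits CRLF line endings
        case $line in
        HTTP/*)                                  # status line of a new response
            status=${line#* }; status=${status%% *} ;;
        [Ll]ocation:*)
            case $status in 3??) ;; *) continue ;; esac   # only follow 3xx
            next=${line#*:}; next=${next# }
            case $next in                        # resolve a path-only Location
            /*) rest=${url#*://}; next="${url%%://*}://${rest%%/*}$next" ;;
            esac
            if [ -z "$verdict" ]; then           # keep the first problem found
                case $url in https://*) case $next in http://*) verdict=downgrade ;; esac ;; esac
                case $seen in *" $next "*) verdict=${verdict:-loop} ;; esac
            fi
            seen="$seen$next "; url=$next; hops=$((hops + 1)) ;;
        esac
    done
    if [ -z "$verdict" ]; then
        case "$url $status" in
        *" ")            verdict=incomplete ;;   # no status line was read
        https://*" "2??) verdict=ok ;;
        http://*)        verdict=no-https ;;     # chain ended on cleartext HTTP
        *)               verdict=incomplete ;;
        esac
    fi
    printf '%s %s %s\n' "$verdict" "$hops" "$url"
)

# Constructed sample (not captured from a real server): the apex HTTPS host
# bounces through http://www before landing on https://www.
printf '%s\r\n' 'HTTP/1.1 301 Moved Permanently' 'Location: http://www.yourdomain.com/' '' \
    'HTTP/1.1 301 Moved Permanently' 'Location: https://www.yourdomain.com/' '' \
    'HTTP/1.1 200 OK' '' | check_chain https://yourdomain.com
```

Run it for all four starting points (http and https, www and non-www); each should end in ok on the same canonical URL.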
SiteVett can automatically check this for you as part of a free website QA scan.