Sysadmins of the North

Technical blog, where topics include: computer, server, web, sysadmin, MySQL, database, virtualization, optimization and security

How to redirect HTTP to HTTPS on IIS

An HTTP to HTTPS redirect on IIS is often better left to the web server, with a simple httpRedirect redirection, than to a resource expensive URL Rewrite. Where possible, use the IIS httpRedirect element for IIS HTTP to HTTPS redirection, and here is how:

The regular expression matching of an URL Rewrite rule makes a rewrite rule rather expensive, resource wise. I’ll provide an HTTP to HTTPS URL Rewrite example later in this post.

However, this httpRedirect should be a little bit more performing, even though it may not be really noticeable. Shaving off milliseconds from a request and redirect HTTP to HTTPS instead of rewriting gives you a tiny bit faster responding website.

The httpRedirect element configures settings for Internet Information Services (IIS) 7 that redirect client requests to a new location.

SSL in WordPress?

Looking to move WordPress to HTTPS? See this guide!

IIS httpRedirect HTTP to HTTPS

Let’s say we want to redirect and to To httpRedirect a HTTP request to HTTPS, you can add the following to your website’s web.config file, in the <system.webServer> </system.webServer> node:

<httpRedirect enabled="true" 

There are three important options configurable for the httpResponseStatus:

IIS httpRedirect httpResponseStatus

  • Found: Returns a 302 status code, which tells the client to issue a new request to the location specified in the destination attribute.
  • Permanent: Returns a 301 status code, which informs the client that the location for the requested resource has permanently changed.
  • Temporary: Returns a 307 status code, which prevents the client from losing data when the browser issues an HTTP POST request.

Note: you may have to set up a new IIS Web Site and directory for the SSL website, to avoid a redirection loop.

An HTTP to HTTPS redirect on IIS is often better left to the web server, with a simple httpRedirect redirection, than to a resource expensive URL Rewrite.

Preserve URL Path Information and Query String in httpRedirect

Using a httpRedirect, you can preserve URL path information and URL query strings. Strangely enough, you need to set an exact destination for this:


and you need to add $V$Q to the destination URL:


This makes our complete httpRedirect element:

<httpRedirect enabled="true" 

An URL with a query string, like, is now redirected to

How to disable the httpRedirect to HTTPS

If you – for some reason – want to disable the httpRedirect temporarily, just set enabled to false:

<httpRedirect enabled="false" 

Using Apache web server?

Are you using Apache as your web server software? See how to redirect HTTP to HTTPS in Apache using a VirtualHosts configuration in Apache 2.4+.

Redirect HTTP to HTTPS Using IIS URL Rewrite

Here you’ll find a ready to use IIS URL Rewrite rule for HTTP to HTTPS redirection. Depending on the particular situation, this solution might be preferred, and is easier to use than the aforementioned httpRedirect.

An easy to use IIS URL Rewrite rule

A ready to use IIS URL Rewrite rule to redirect HTTP to HTTPS is:

  follow me on Twitter: @HertogJanR
<rule name="Redirect-HTTP-HTTPS-IIS">
	<match url="(.*)" />
		<add input="{HTTPS}" pattern="^OFF" ignoreCase="true" />
	<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />

If necessary, you can also add appendQueryString="true" to the action, to append the query string to the rewritten URL.

You have to place the code in the system.webServer node of your web.config file.

Test your site, it should now redirect from HTTP to HTTPS. If you receive a too many redirects in your browser, you may have to add your domain name as an input condition.

	Redirect HTTP naar HTTPS for WordPress:
<rule name=" http to https" stopProcessing="true">
	<match url="(.*)" ignoreCase="true" />
	<conditions logicalGrouping="MatchAll">
		<add input="{HTTP_HOST}" pattern="^(www.)?example\.com$" />
		<add input="{HTTPS}" pattern="off" />
		<add input="{URL}" pattern="(.*)" />
	<action type="Redirect" url="{R:1}" redirectType="Permanent" />

This rule also automatically adds the request_uri ({URL}) to the redirected HTTPS URL.

Rewrite multiple sub domains in one URL Rewrite rule

To rewrite multiple sub domains in one single URL Rewrite rule you can use:

<?xml version="1.0" encoding="UTF-8"?>
				<rule name="Rewrite multiple sub domains" stopProcessing="true">
					<match url=".*" ignoreCase="false" />
					<conditions trackAllCaptures="true">
						<add input="{HTTP_HOST}" pattern="^(?!www)([^.]+)\.(example\.com)" />
						<add input="{URL}" pattern="(.+)" ignoreCase="false" />
					<action type="Rewrite" url="/{C:1}" appendQueryString="true" />

Add appendQueryString="true" to the action to append the query string in your HTTPS rewrite.

Important note on HTTP Redirections

It is important to keep the following in mind for HTTP redirections:

Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request. Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, HSTS should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.

Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.

Basically, what this means is: Imagine you have as your website. After setting up your SSL certificate, you have and available through HTTP, and and available through HTTPS.

Now if you want to set up proper HTTP to HTTPS redirects, you must follow the rule that sites that listen on port 80 should only redirect to the same resource on HTTPS.

Here is a schematic redirect path: > 301 > > 301 > > 301 >

Want to say thanks?

If I’ve helped you out and you want to thank me, why not buy me a coffee?

If I’ve helped you out and you want to thank me, why not buy me a coffee?

Thank you for your support. ♥


An example of evolving obfuscation


PHP, MySQL and IPv6: still slow


  1. Mike

    “redirected you too many times” still in place/

  2. Scippy

    Hi Jan, great post but I’ve an answer:
    How I can redirect to https as describet below? > 301 > > 301 > > 301 >
    It is a little different to your example but I want work only on www. third level domain.

  3. Thanks for a clear, up-to-date and precise knowhow article.

    I used your “An easy to use IIS URL Rewrite rule #” technique on my WP website:

    IIS 8.5 on Windows Server 2012 R2

    I used this technique after trying to set HTTP Redirect on the IIS itself, which gives too many redirects in return.

    I also tried a few WP plugins, but overhead is a bit to much to pay when your option does its job so well.

  4. Saeed Nemati

    I get redirect loop from https to https from https to https with your HTTP redirect recipe. Any idea?

    • Hi Saeed, thank you for your comment and I’m sorry to hear it gives you a redirect loop. Are you trying to use the “httpRedirect” recipe, or a rewrite?

      • Alex

        Thank you for this! It didn’t exactly meet my need, but it gave me a good starting point. You might want to consider adding this to your tutorial as a edge case example. My goal was just to change HTTP to HTTPS on the main page default landing, and then after the redirect, all relative URLs would be HTTPS. So, if a person went into the site, they could do HTTP, but in the beginning of the site, it would always redirect to HTTPS and all relative urls would also then use HTTPS.

        Case use: you just decided to make everything HTTPS for SEO. But you have lots of microsite folders that use absolute urls using HTTP and you don’t want warn warning messages of mixed content. So, on the main default page of the main site, you can do this, and then as you update each microsite (folders within the main site, where main site is: / and /default.asp, the microsites are /microsite1/default.asp, etc…) you can add rules for those, and when completed, you can do what you wrote originally.

        (you want to match an empty string in the url, you don’t want anything in the url, just the http host value as is the condition to check for below)

Leave a Reply

Your email address will not be published. Required fields are marked *

Powered by WordPress & Theme by Anders Norén

19 queries, 0.433 seconds running PHP version 7.3.0