How to redirect HTTP to HTTPS on IIS

An HTTP to HTTPS redirect on IIS is often better left to the web server, with a simple httpRedirect redirection, than to a resource expensive URL Rewrite. Where possible, use the IIS httpRedirect element for IIS HTTP to HTTPS redirection, and here is how:

The regular expression matching of an URL Rewrite rule makes a rewrite rule rather expensive, resource wise. I’ll provide an HTTP to HTTPS URL Rewrite example later in this post.

However, this httpRedirect should be a little bit more performing, even though it may not be really noticeable. Shaving off milliseconds from a request and redirect HTTP to HTTPS instead of rewriting gives you a tiny bit faster responding website.

The httpRedirect element configures settings for Internet Information Services (IIS) 7 that redirect client requests to a new location.

Looking to move WordPress to HTTPS? See this guide!

IIS httpRedirect HTTP to HTTPS #

Let’s say we want to redirect http://www.example.com and http://example.com to https://example.com. To httpRedirect a HTTP request to HTTPS, you can add the following to your website’s web.config file, in the <system.webServer> </system.webServer> node:

<httpRedirect enabled="true" 
	destination="https://example.com" 
	httpResponseStatus="Permanent"
/>

There are three important options configurable for the httpResponseStatus:

IIS httpRedirect httpResponseStatus

  • Found: Returns a 302 status code, which tells the client to issue a new request to the location specified in the destination attribute.
  • Permanent: Returns a 301 status code, which informs the client that the location for the requested resource has permanently changed.
  • Temporary: Returns a 307 status code, which prevents the client from losing data when the browser issues an HTTP POST request.

Note: you may have to set up a new IIS Web Site and directory for the SSL website, to avoid a redirection loop.

An HTTP to HTTPS redirect on IIS is often better left to the web server, with a simple httpRedirect redirection, than to a resource expensive URL Rewrite.

Preserve URL Path Information and Query String in httpRedirect #

With a httpRedirect, you can also preserve URL path information and URL query strings. Strangely enough, you need to set an exact destination for this:

exactDestination="true"

and you need to add $V$Q to the destination URL:

destination="https://example.com$V$Q"

This makes our complete httpRedirect element:

<httpRedirect enabled="true" 
	exactDestination="true" 
	destination="https://example.com$V$Q" 
	httpResponseStatus="Permanent"
/>

An URL with a query string, like http://www.example.com/page.php?foo=bar, is now redirected to https://example.com/page.php?foo=bar

How to disable the httpRedirect to HTTPS #

If you – for some reason – want to disable the httpRedirect temporarily, just set enabled to false:

<httpRedirect enabled="false" 
	destination="https://example.com" 
	httpResponseStatus="Permanent"
/>

Redirect HTTP to HTTPS Using IIS URL Rewrite #

Here you’ll find a ready to use IIS URL Rewrite rule for HTTP to HTTPS redirection. Depending on the particular situation, this solution might be preferred, and is easier to use than the aforementioned httpRedirect.

This may interest you:   add_rewrite_rule() accepts an array of query vars in WordPress 4.4

An easy to use IIS URL Rewrite rule #

A ready to use IIS URL Rewrite rule to redirect HTTP to HTTPS is:

<!-- follow me on Twitter: @HertogJanR, https://twitter.com/HertogJanR -->
<rule name="Redirect-HTTP-HTTPS-IIS">
	<match url="(.*)" />
	<conditions>
		<add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
	</conditions>
	<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>

If necessary, you can also add appendQueryString="true" to the action, to append the query string to the rewritten URL.

You have to place the code in the system.webServer node of your web.config file.

Test your site, it should now redirect from HTTP to HTTPS. If you receive a too many redirects in your browser, you may have to add your domain name as an input condition.

<!-- redirect HTTP naar HTTPS for WordPress https://www.saotn.org/ssl-wordpress-move-wordpress-site-https-definitive-guide/ -->
	<!-- see https://www.saotn.org/redirect-http-to-https-on-iis/
	        for more information -->
<rule name="example.com http to https" stopProcessing="true">
	<match url="(.*)" ignoreCase="true" />
	<conditions logicalGrouping="MatchAll">
		<add input="{HTTP_HOST}" pattern="^(www.)?example\.com$" />
		<add input="{HTTPS}" pattern="off" />
		<add input="{URL}" pattern="(.*)" />
	</conditions>
	<action type="Redirect" url="https://www.example.com/{R:1}" redirectType="Permanent" />
</rule>

This rule also automatically adds the request_uri ({URL}) to the redirected HTTPS URL.

Rewrite multiple sub domains in one URL Rewrite rule #

To rewrite multiple sub domains in one single URL Rewrite rule you can use:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
	<system.webServer>
		<rewrite>
			<rules>
				<rule name="Rewrite multiple sub domains" stopProcessing="true">
						<match url=".*" ignoreCase="false" />
						<conditions trackAllCaptures="true">
							<add input="{HTTP_HOST}" pattern="^(?!www)([^.]+)\.(example\.com)$" />
							<add input="{URL}" pattern="(.+)" ignoreCase="false" />
						</conditions>
						<action type="Rewrite" url="/{C:1}" appendQueryString="true" />
					</rule>
				</rules>
		</rewrite>
	</system.webServer>
</configuration>

Add appendQueryString="true" to the action to append the query string in your HTTPS rewrite.

Important note on HTTP Redirections #

It is important to keep the following in mind for HTTP redirections:

Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request. Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, HSTS should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.

Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.

Basically, what this means is: Imagine you have www.example.com as your website. After setting up your SSL certificate, you have example.com and www.example.com available through HTTP, and example.com and www.example.com available through HTTPS.

This may interest you:   "The length of the URL for this request exceeds the configured maxUrlLength value"

Now if you want to set up proper HTTP to HTTPS redirects, you must follow the rule that sites that listen on port 80 should only redirect to the same resource on HTTPS.

Here is a schematic redirect path:

http://example.com > 301 > https://example.com
https://example.com > 301 > https://www.example.com
http://www.example.com > 301 > https://www.example.com

Show your support


If you want to step in to help me cover the costs for running this website, that would be awesome. Just use this link to donate a cup of coffee ($5 USD for example). And please share the love and help others make use of this website. Thank you very much!


About the Author Jan Reilink

My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization.

follow me on:

Leave a Reply

9 Comments on "How to redirect HTTP to HTTPS on IIS"

avatar
  Subscribe  
newest oldest most voted
Notify of
Saeed Nemati
Guest

I get redirect loop from https to https from https to https with your HTTP redirect recipe. Any idea?

Shlomo Tommer
Guest

Thanks for a clear, up-to-date and precise knowhow article.

I used your “An easy to use IIS URL Rewrite rule #” technique on my WP website: articles.celebrities-galore.com

IIS 8.5 on Windows Server 2012 R2

I used this technique after trying to set HTTP Redirect on the IIS itself, which gives too many redirects in return.

I also tried a few WP plugins, but overhead is a bit to much to pay when your option does its job so well.

Scippy
Guest

Hi Jan, great post but I’ve an answer:
How I can redirect to https as describet below?
http://example.com > 301 > https://www.example.com
https://example.com > 301 > https://www.example.com
http://www.example.com > 301 > https://www.example.com
It is a little different to your example but I want work only on www. third level domain.
Thanks!

Mike
Guest

“redirected you too many times” still in place/