How to redirect HTTP to HTTPS on IIS

Sharing is caring!

An HTTP to HTTPS redirect on IIS is often better left to the web server, with a simple httpRedirect redirection, than to a resource expensive URL Rewrite. Where possible, use the IIS httpRedirect element for IIS HTTP to HTTPS redirection, and here is how:

The regular expression matching of an URL Rewrite rule makes a rewrite rule rather expensive, resource wise. I’ll provide an HTTP to HTTPS URL Rewrite example later in this post.

However, this httpRedirect should be a little bit more performing, even though it may not be really noticeable. Shaving off milliseconds from a request and redirect HTTP to HTTPS instead of rewriting gives you a tiny bit faster responding website.

The httpRedirect element configures settings for Internet Information Services (IIS) 7 that redirect client requests to a new location.

Looking to move WordPress to HTTPS? See this guide!

IIS httpRedirect HTTP to HTTPS

Let’s say we want to redirect http://www.example.com and http://example.com to https://example.com. To httpRedirect a HTTP request to HTTPS, you can add the following to your website’s web.config file, in the <system.webServer> </system.webServer> node:

<httpRedirect enabled="true" 

There are three important options configurable for the httpResponseStatus:

IIS httpRedirect httpResponseStatus

  • Found: Returns a 302 status code, which tells the client to issue a new request to the location specified in the destination attribute.
  • Permanent: Returns a 301 status code, which informs the client that the location for the requested resource has permanently changed.
  • Temporary: Returns a 307 status code, which prevents the client from losing data when the browser issues an HTTP POST request.

Note: you may have to set up a new IIS Web Site and directory for the SSL website, to avoid a redirection loop.

An HTTP to HTTPS redirect on IIS is often better left to the web server, with a simple httpRedirect redirection, than to a resource expensive URL Rewrite.

Preserve URL Path Information and Query String in httpRedirect

With a httpRedirect, you can also preserve URL path information and URL query strings. Strangely enough, you need to set an exact destination for this:


and you need to add $V$Q to the destination URL:


This makes our complete httpRedirect element:

<httpRedirect enabled="true" 

An URL with a query string, like http://www.example.com/page.php?foo=bar, is now redirected to https://example.com/page.php?foo=bar

How to disable the httpRedirect to HTTPS

If you – for some reason – want to disable the httpRedirect temporarily, just set enabled to false:

<httpRedirect enabled="false" 

Redirect HTTP to HTTPS Using IIS URL Rewrite

Here you’ll find a ready to use IIS URL Rewrite rule for HTTP to HTTPS redirection. Depending on the particular situation, this solution might be preferred, and is easier to use than the aforementioned httpRedirect.

This may interest you:   IIS URL Rewrite "Rewrite error: Expression contains a repeat expression"

An easy to use IIS URL Rewrite rule

A ready to use IIS URL Rewrite rule to redirect HTTP to HTTPS is:

<!-- follow me on Twitter: @HertogJanR, https://twitter.com/HertogJanR -->
<rule name="Redirect-HTTP-HTTPS-IIS">
	<match url="(.*)" />
		<add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
	<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />

If necessary, you can also add appendQueryString="true" to the action, to append the query string to the rewritten URL.

You have to place the code in the system.webServer node of your web.config file.

Test your site, it should now redirect from HTTP to HTTPS. If you receive a too many redirects in your browser, you may have to add your domain name as an input condition.

<!-- redirect HTTP naar HTTPS for WordPress https://www.saotn.org/ssl-wordpress-move-wordpress-site-https-definitive-guide/ -->
	<!-- see https://www.saotn.org/redirect-http-to-https-on-iis/
	        for more information -->
<rule name="example.com http to https" stopProcessing="true">
	<match url="(.*)" ignoreCase="true" />
	<conditions logicalGrouping="MatchAll">
		<add input="{HTTP_HOST}" pattern="^(www.)?example\.com$" />
		<add input="{HTTPS}" pattern="off" />
		<add input="{URL}" pattern="(.*)" />
	<action type="Redirect" url="https://www.example.com/{R:1}" redirectType="Permanent" />

This rule also automatically adds the request_uri ({URL}) to the redirected HTTPS URL.

Rewrite multiple sub domains in one URL Rewrite rule

To rewrite multiple sub domains in one single URL Rewrite rule you can use:

<?xml version="1.0" encoding="UTF-8"?>
				<rule name="Rewrite multiple sub domains" stopProcessing="true">
						<match url=".*" ignoreCase="false" />
						<conditions trackAllCaptures="true">
							<add input="{HTTP_HOST}" pattern="^(?!www)([^.]+)\.(example\.com)$" />
							<add input="{URL}" pattern="(.+)" ignoreCase="false" />
						<action type="Rewrite" url="/{C:1}" appendQueryString="true" />

Add appendQueryString="true" to the action to append the query string in your HTTPS rewrite.

Important note on HTTP Redirections

It is important to keep the following in mind for HTTP redirections:

Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request. Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, HSTS should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.

Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.

Basically, what this means is: Imagine you have www.example.com as your website. After setting up your SSL certificate, you have example.com and www.example.com available through HTTP, and example.com and www.example.com available through HTTPS.

This may interest you:   How to: Protect WordPress from brute-force XML-RPC attacks

Now if you want to set up proper HTTP to HTTPS redirects, you must follow the rule that sites that listen on port 80 should only redirect to the same resource on HTTPS.

Here is a schematic redirect path:

http://example.com > 301 > https://example.com
https://example.com > 301 > https://www.example.com
http://www.example.com > 301 > https://www.example.com


  1. Thanks for a clear, up-to-date and precise knowhow article.

    I used your “An easy to use IIS URL Rewrite rule #” technique on my WP website: articles.celebrities-galore.com

    IIS 8.5 on Windows Server 2012 R2

    I used this technique after trying to set HTTP Redirect on the IIS itself, which gives too many redirects in return.

    I also tried a few WP plugins, but overhead is a bit to much to pay when your option does its job so well.

  2. Saeed Nemati says:

    I get redirect loop from https to https from https to https with your HTTP redirect recipe. Any idea?

    1. Jan Reilink ( User Karma: 0 ) says:

      Hi Saeed, thank you for your comment and I’m sorry to hear it gives you a redirect loop. Are you trying to use the “httpRedirect” recipe, or a rewrite?

      1. Alex says:

        Thank you for this! It didn’t exactly meet my need, but it gave me a good starting point. You might want to consider adding this to your tutorial as a edge case example. My goal was just to change HTTP to HTTPS on the main page default landing, and then after the redirect, all relative URLs would be HTTPS. So, if a person went into the site, they could do HTTP, but in the beginning of the site, it would always redirect to HTTPS and all relative urls would also then use HTTPS.

        Case use: you just decided to make everything HTTPS for SEO. But you have lots of microsite folders that use absolute urls using HTTP and you don’t want warn warning messages of mixed content. So, on the main default page of the main site, you can do this, and then as you update each microsite (folders within the main site, where main site is: / and /default.asp, the microsites are /microsite1/default.asp, etc…) you can add rules for those, and when completed, you can do what you wrote originally.

        (you want to match an empty string in the url, you don’t want anything in the url, just the http host value as is the condition to check for below)


Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.