CAREERS

Security First:
How to Force HTTP to HTTPS

Because insecure websites are so last decade.

If your website still isn’t automatically redirecting to HTTPS… yikes!. But no worries, we can help you out with some sage and simple how-tos.

To be clear, in 2025, HTTPS is no longer a “nice-to-have.” It’s a requirement. Whether you’re running an e-commerce shop, collecting form data, or just want Google to stop giving you the evil side-eye, a valid SSL certificate and proper HTTPS redirects are non-negotiable.

Let’s talk about how to force HTTP to HTTPS. We’ll start with Apache and .htaccess (still very much alive), and then add some pro tips for Nginx, popular frameworks, and hosting platforms. Ready? Set. Go!

how to change http to httpsWhy Force HTTP to HTTPS?

A quick refresher:

  1. Security: SSL encrypts data in transit. No one wants their login info or credit card details floating around in plain text.
  2. SEO: Google rewards secure sites with better rankings. If you’re still on HTTP, you’re getting outranked by your more security-savvy competitors.
  3. Trust: Users expect that little padlock icon. No padlock = red flags = lost revenue.
  4. Browsers: Modern browsers now warn users (sometimes aggressively) when they land on non-secure pages. You really don’t want to be that site.

Forcing HTTPS with Apache (.htaccess)

If your site is running on Apache, you can force HTTPS using the .htaccess file and Apache’s mod_rewrite module.

1. Redirect All Traffic to HTTPS for a Domain

Here’s how to make sure all requests are sent to the HTTPS version of your site:

RewriteEngine On

RewriteCond %{HTTPS} off

RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R=301,L]

What’s happening here:

  • RewriteEngine On: Enables the rewrite module.
  • RewriteCond %{HTTPS} off: Checks if HTTPS is not already being used.
  • RewriteRule: Redirects the request to the secure version using a 301 (permanent) redirect.
💡 Pro Tip:
Use R=301 for production. It tells browsers and search engines that this redirect is permanent. Use R=302 temporarily if you’re testing.

2. Redirect Only a Specific Folder to HTTPS

If you’re only securing a portion of your site (e.g., a /checkout folder), drop this into the .htaccess file inside that folder:

RewriteEngine On

RewriteCond %{HTTPS} off

RewriteRule ^(.*)$ https://www.yourdomain.com/checkout/$1 [R=301,L]

This forces HTTPS for that folder only.

Using Nginx Instead?

If you’re running on Nginx (common with VPS or cloud hosting), here’s how to redirect HTTP to HTTPS in your server config:

server {

    listen 80;

    server_name yourdomain.com www.yourdomain.com;

    return 301 https://$host$request_uri;

}

 

This catches all port 80 (HTTP) traffic and sends it to HTTPS. Easy and efficient.

On WordPress? There’s a Plugin for That.

If your site runs on WordPress and you’re not comfortable editing server files directly, plugins like Really Simple SSL can take care of everything for you. Just make sure you’ve installed your SSL certificate first.

Not sure how to do that? Here’s the quick version:

  • Log in to your web hosting account.
  • Look for a section called SSL, Security, or Certificates. (Most hosting providers make it pretty easy to find.)
  • Many hosts offer free SSL certificates via Let’s Encrypt, which can usually be activated with just a few clicks.
  • If you purchased an SSL certificate separately, your host should have instructions for installing it. (Or just contact their support—they’ll walk you through it.)
  • Once installed, your site will be accessible at https://yourdomain.com—but you’ll still need to redirect traffic there.

Using a CMS or Framework (Drupal, Laravel, etc.)?

Most modern platforms have HTTPS redirection baked in or available via middleware. Here’s what to look for:

  • Laravel: Use middleware like \App\Http\Middleware\RedirectToHttps.
  • Next.js / React: Redirects can often be handled in next.config.js or your hosting platform.
  • Drupal: Use the Redirect or Secure Login module, or update .htaccess.
  • Hosting on Vercel, Netlify, or Cloudflare? Many of them have built-in HTTPS redirection toggles. Just flip the switch.

Final Notes on Changing HTTP to HTTPS

After you implement redirects:

  • Clear your browser cache.
  • Test in both HTTP and HTTPS versions.
  • Make sure there are no redirect loops (we’ve all been there).
  • Use tools like SSL Labs to verify your certificate and setup.

Your HTTPS (and Development) Pros

If your site has an SSL certificate (and it should), don’t leave the redirect to chance. Force HTTP to HTTPS using .htaccess, Nginx, or your CMS. It’s better for your users, your SEO, and your peace of mind.

And if you’d rather not deal with any of this yourself, don’t leave the success of your website to chance. Contact the Ironistic team. We know the ropes, and we’ve got your back — securely.

Secure My Site

Comments

There are currently one response.

Viktor
October 5, 2018

Cannot work in Nginx site… why don’t you use Force ssl plugins?

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

4 × 2 =

Explore Categories

#IronInsights

Design

Development

Marketing

Media Mentions

Press Releases

Random

Security

Strategy

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Would You Like to Join Our Mailing List?

Pro tips sent to your inbox!

Name*
By submitting this form you agree to the terms of use and privacy policy of the website.
Yes, make me smarter!*

gFORCE PLUGIN

Seamlessly integrate Greenhouse.io with your WordPress website.

Learn More

Related Insights

Request A Quote

Let's take your business to the next level. Fill out the form below to get started!

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Name*
Sign me up for IronMail