Buy from the highest-rated provider   Buy SSL.com Certificate x

IIS7 Redirect HTTP to HTTPS

Compare SSL Certificates

Redirecting all traffic from HTTP to HTTPS in IIS7 will make sure your users always access the site securely. There are many different ways to set up an IIS7 Redirect from HTTP to HTTPS and some are better than others. The ideal HTTP to HTTPS redirect would do the following:

  • Gently redirect users to HTTPS so users don’t have to type in “https” in the URL
  • Redirect users to the specific page that they were going to go to on HTTP (page.htm)
  • Save any variables passed in the query string (?page=2)
  • Work in all browsers
  • Transfer PageRank to the redirected page by using a 301 redirect, maintaining SEO
  • Allow specific parts of a site to force SSL but allow HTTP on other parts of the site
  • Redirect users from mydomain.com to www.mydomain.com

Unfortunately, there isn’t an easy way to satisfy all of these requirements, and most methods only satisfy a few of them. The best method of doing an HTTP to HTTPS redirect I’ve seen involves using ASP.Net to do the HTTP to HTTPS redirection.

But most people don’t need all of those features, so I have listed two of the best methods of redirecting HTTP to HTTPS in IIS 7. They are easy to set up and effective in most situations. Note that these methods should also work in IIS 8 and IIS 10 with some small modifications.

Method 1 – Using Microsoft URL Rewrite Module

For this method of redirecting from HTTP to HTTPS, you will need to do the following;

  1. Install the Microsoft URL Rewrite Module
  2. Install your SSL certificate in IIS 7 and bind it to your website
  3. Make sure Require SSL is NOT checked under SSL Settings for your website (uncheck the boxes that are checked in this screenshot)

  4. Copy and paste the following code between the <rules> and </rules> tags in your web.config file in your website root directory.

    <rule name="HTTP to HTTPS redirect" stopProcessing="true">
      <match url="(.*)" />
        <conditions>
          <add input="{HTTPS}" pattern="off" ignoreCase="true" />
        </conditions>
      <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
    </rule>

  5. Test the site by going to http://www.yoursite.com and making sure it redirects

Method 2 – Setting up a Custom Error Page

The second method of setting up an IIS7 redirect HTTP to HTTPS is to Require SSL on the site or part of the site and set up a custom 403.4 error page. To do this, just following these steps:

  1. Install your SSL certificate in IIS 7 and bind it to your website
  2. In IIS, click on the site name, and go to the SSL Settings section

  3. Check Require SSL and Require 128-bit SSL and click Apply

  4. After doing this, users will normally receive this error:

  5. Create a new text file and paste the following into it:

    <html>
    <head><title>Redirecting...</title></head>
    <script language="JavaScript">
    function redirectHttpToHttps()
    {
        var httpURL= window.location.hostname + window.location.pathname + window.location.search;
        var httpsURL= "https://" + httpURL;
        window.location = httpsURL;
    }
    redirectHttpToHttps();
    </script>
    <body>
    </body>
    </html>

  6. Save the file as redirectToHttps.htm in your C:\Inetpub directory
  7. Back in IIS, click on the site name and double-click the Error Pages option

  8. Click Add… and enter 403.4 as the Status code. Browse for the redirectToHttps.htm file you just created and click OK


  9. Select the error code and press Edit Feature Settings…

  10. Click the Custom error pages option and again browse for the redirectToHttps.htm file

  11. Test the site by going to http://www.yoursite.com and making sure it redirects

A caveat of using a custom error page to do an IIS7 redirect from HTTP to HTTPS is that the web browser must have JavaScript enabled for the redirection to work.

Other Methods to IIS7 Redirect HTTP to HTTPS:

Originally posted on Sat Feb 27, 2010

Comments


Mani Bhushan(2014-12-13)

Redirection from http to https for OWA Exchange 2010

When you try to access http://mail.yourcompany.com you got an error Http Error 403.4 – Forbidden

So we can add custom error and redirect to http://mail.yourcompany.com...

1). Start IIS by clicking on Start -> Administrative Tools -> Internet Information Services (IIS) Manager.

2). Left click on "Default Web Site" folder and double click on Error Pages in the right pane (you may need to scroll down).

3). Here comes the final puzzle, Click on "Add..." and type the following:
Status code: 403.4
Response action: Select "Respond with a 302 redirect
Absolute URL: https:// http://mail.yourcompany.com... (substitude with your own address)

Test your OWA by using http. It should redirect to https, if it does not you may need to restart the IIS, and check your steps.

manisha(2014-12-13)

I have used method 2 but my web site is giving the error page as "The website cannot display the page"

Please help.

Dennis King'ori(2016-11-08)

Works perfectly on iis7.5. Thanks so much

ReZolve(2014-12-13)

To answer Dave's query, The <rules> tag goes here:
<configuration>
<system.webserver>
<rewrite>
<rules>
...
</rules>
</rewrite>
</system.webserver>
</configuration>

Or see here for how to create the rule manually: http://www.jppinto.com/2010...

Jai-Jin Lim(2014-12-13)

Dear whom it may concern,

When server detects the TCP connection request on its port 443, is it possible to for server to send out first the HTTP 302 redirect right after ACK and before the client initiates the SSL handshake?

Rick Hicks(2014-12-13)

Method one seems to work fine and is easily done, but what i have noticed with IE and Mozilla Firefox is that the SSL lock no longer shows up in the browser. How can myself or user be sure the session is secure?

Somnath Chandgude(2014-12-13)

Hi Mani Bhushan,
Your suggestion is works. I am able to redirect on HTTPS for my login page... but when I redirected in HTTPS then not able to get in HTTP. we want only https for Login.aspx page...
please advice for the same.

Glen(2014-12-13)

When I follow your last step "click the Custom error pages option and again browse for the redirectToHttps.htm file", I get an error

"There was an error while performing this operation. Details: Lock violation"

Any ideas?

We are running Windows Server 2008 R2 with Exchange 2010

Pawel(2014-12-13)

The http page redirection method no longer works in IIS 7.5 there are changes to security. You will get a lock violation error

RSM032(2014-12-13)

Thank you very much @@@ ReZolve @@@

I went through the url you provide for manually and it done with success, i was trying it for more than 15 days, but finally done by your manual guide.

Thank you very much

Erik B(2014-12-13)

Very Helpful, thank you Mani!

Joy Shutterly(2014-12-13)

I tried method #2 and it works fine but there's a mistake on the page above. The 3 lines in the function should not begin with a '<'. If you remove the starting '<' for those 3 lines the function works. So it should look like this:

var httpURL= window.location.hostname + window.location.pathname + window.location.search;
var httpsURL= "https://" + httpURL;
window.location = httpsURL;

Hope that helps.

Dave(2014-12-13)

My web.config file in the root does not have any <rules> tags and I can't find anything to tell me where to put that section. :(

Robert(2014-12-13)

Thanks, Joy! I have corrected those lines.

Samuel(2014-12-13)

how to modify the rule for subdomain redirection to https? thank you

Robert(2014-12-13)

Hi Dave,

You can add the rules tag inside the rewrite tag. See http://learn.iis.net/page.a... for an example.

kk(2014-12-13)

I did follow up method 2 to switch http to https for company website just typed-in www.***.com at URL by using IIS 7.0 on Windows 2008 server. Thank you very much for sharing knowledge.

Evgeniy(2014-12-13)

All you need to do is to open file "%windir%\System32\inetsrv\config\applicationHost.config" and remove defaultPath from the following line:

<httperrors lockattributes="allowAbsolutePathsWhenDelegated,defaultPath">

Thanks to this Thread: http://forums.iis.net/t/115...

???(2014-12-13)

For everyone having issues i simply followed this tutorial and it worked great the only thing i forgot to do was to make sure you have both bindings and once i added both binding http 80 and https 443 it worked thanks so much for a job well done

Thomas(2014-12-13)

Method 1 worked great for me on our sharepoint 3 website!

C4Gamer(2014-12-13)

Your solution was the simplest and works beautifully.

Sohail(2014-12-13)

After doing all steps in Method 2 i faced this error someone please help.

Error Summary
HTTP Error 500.19 - Internal Server Error
Absolute physical path "C:\inetpub\redirectToHttps.htm" is not allowed in system.webServer/httpErrors section in web.config file. Use relative path instead.

Jackie Sheppard(2014-12-13)

This was very bad advice. Hosed my EMC and server. Had to call Microsoft.

Vincent(2014-12-13)

If you are like me and none of these solutions posted online are working for you (Yes, I've done it correctly and tried everything under the sun) there is another way to do it that is guaranteed to work because it doesn't rely on any server settings.

Unfortunately depending on how you've architected your site it might not be quick to implement. For my site it was quick because every page my visitors see is actually an "include" on one "mother" page (for lack of a better term). It's a great way to build a site by the way because you only have to define your header and menu and footer once. Anyway, so I simply added this code to the top of my mother page and voila.

if(window.location.protocol != "https:"){
var oldURL = window.location.href
var newURL = oldURL.replace("http:","https:");
window.location = newURL;
}

If you have actual unique pages that the visitors load then you have to add this code to the top of every page. A bit more tedious but it's still guaranteed to work.

Vincent(2014-12-13)

Not sure why my code wasn't included in my previous comment but it was probably because of the html tags. Anyway let me try this again without the html tags. I was referring to the following javascript:

if(window.location.protocol != "https:"){
var oldURL = window.location.href
var newURL = oldURL.replace("http:","https:");
window.location = newURL;
}

Admin Edit: Thanks, Vincent. I added the code into your original comment.

Tin(2014-12-13)

Thanks a lot. A combination of both solutions worked for me.

FSBarker(2014-12-13)

We were down to the wire at 6:30Am and had to deal with the http to https issue and two of use fount this article. I implemented method 1 and it works like a charm! Thanks so much for a complete and concise article.

Pecos Bill(2014-12-13)

In IIS7, I created a site just to redirect 80 to 443 (https). I then bound that site to 80, left the real site bound to 443 WITH SSL REQUIRED, replaced the custom error page on the new site for error 403 to respond with a 302 and entered the https path I wanted. Lastly, I removed any access to the bogus site for IIS_USER to ensure it hit the error.

None of this required the rewrite module nor any files.

chandra(2014-12-13)

Great help!!!

Dan(2014-12-13)

I couldn't get method 2 to work at the website level but when I set up the error page at the server level it was fine.

mjac(2014-12-13)

Thanks for help

Jace(2014-12-13)

Hi Guys,

I was able to redirect http to https -non standard port(444)by adding rule on the web.config.When i visit the site, site1.com it redirects me to https://site1.com:444.

My question is, is there a way for me to hide or take away the appended port on the URL once it redirects to https?
Not really familiar with this, just copied a rule over the internet and pasted it on the web.config file.

<rule name="Redirect to port 442" stopprocessing="true">
<match url="(.*)"/>
<conditions logicalgrouping="MatchAny">
<add input="{HTTPS}" pattern="^ON$" negate="true"/>
<add input="{SERVER_PORT}" pattern="^444$" negate="true"/>
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}:444/{R:0}"/>
</rule>

I have use the above code to make it worked for me.
Please advise.

Any help is much appreciated

jace

Robert(2014-12-13)

I'm not aware of any way to do this, Jace. The port number has to remain in the URL if it is a non-standard port.

Mark Keisling Jr.(2014-12-13)

Method 3

I created two sites. One for HTTPS with 443 binding that is hosting my actual site, and another for HTTP with 80 binding.

On the HTTP site, I enabled permanent HTTP redirect and unchecked "Only redirect requests to content in this directory".

I think this method is superior because it uses all out of the box solutions, and it doesn't depend on the client browser to do the redirect.

Cesar(2014-12-13)

Don't change your applicationHost.config file because of the lock violation.

Simply use a relative path to refer to your redirectToHTTPS file in Step 8 then test. No need to do steps 9 & 10.

JHGrove3(2016-03-31)

Thanks, Cesar - I got the lock error, but your solution solved it. Now my redirects are working fine.

JHGrove3(2016-04-01)

I made some enhancements that make it clear that the user is being redirected.

I was particularly concerned about users that didn't have javascript turned on, as they were just getting a blank page.

I also added text to the redirection screen, showing where the correct URL is.

Note that if javascript is turned on, they get the message about being redirected to the correct URL, and they are taken there, but it never prints the paragraphs about needing to use HTTPS.

Conversely, if javascript is turned off, then they never get the redirect message, and they only see the message about using HTTPS or going to the homepage.

Here is the code. Note that I've been forced to replace the < character with &lt; in several places, because it kept trying to interpret the code:

<html>
<head><title>Redirecting...</title></head>
<body>
<script language="JavaScript">
function redirectHttpToHttps()
{
var httpURL= window.location.hostname + window.location.pathname + window.location.search;
var httpsURL= "https://" + httpURL;
document.write("Redirecting to the secure web page: <a href=\"");
document.write(httpsURL);
document.write("\">");
document.write(httpsURL);
document.write("\</a>");
window.location = httpsURL;
}
redirectHttpToHttps();
</script>
<p></p>
<p></p>
<p>The page you requested is only available over a secure connection. Please use HTTPS://
or <a href="https://www.foo.com/">go to our secure homepage</a>.</i></p>
</body>
</html>

NeilD(2014-12-13)

I simply applied step 8 .. did none of the rest BUT chose respond with a 302 redirect then entered the URL with https.

Worked perfectly... no configuring anything and no issues, no javascript

samot1(2016-09-28)

can confirm this - only one drawback of this solution: it ignores the original URL (so http://www.mypage.com/myfol... would always be redirected to https://www.mypage.com or whatever you specified as redirection page)

Jessica (2016-12-08)

This worked great for me.

MarkQ(2017-01-16)

This is worked for me too.

NK(2017-03-09)

Worked perfectly fine just with step 8. Only difference I have observed is on there's a latency in response times.

Franz(2018-11-13)

Worked very well for me too

Bennett(2014-12-13)

Method #1 worked great on my site. Had to use this method because host has me limited to one site for both 80 and 443. Thanks much!

Bennett(2014-12-13)

Okay, Method #3 Release Candidate 510: I started looking for a way to make Google PageSpeed happy while securing my MVC app. Since my app is MVC I just put the &#91RequireHttps&#93 attribute on the AccountController class. I could have specified which specific Actions I wanted to &#91RequireHttps&#93 on but to me it makes sense to force HTTPS on the whole section. After logging in, when users follow the links for the other controllers everything is still HTTPS. This minimizes the number of redirects for Google to get upset about and secures the whole app (as long as users don't manually type in HTTP URLs after logging in).

Rick(2015-04-15)

Yes. agree with NeilD. Any reason a redirect is not the answer here. It works for me.

Thanks

Ashok(2015-05-04)

hi once after clicking on OK button after completion of all the steps that are mentioned above, I m getting an error saying that lock violation. how to fix that error

The Evil Truth(2015-05-22)

Method 1 does not work in IIS 8.5.

Well not until you realize the sys admin did not enable HTTP REDIRECT in server manager roles and features. It works now!

Uttam Shah(2015-10-12)

For IIS 8 Redirect to HTTPS from HTTP watch this video https://www.youtube.com/wat...

Abraham Ortiz(2015-11-14)

Very good! Idid evryting you said and Works perfectly! Thanks :)

Jesse(2016-03-18)

Good tutorial, thanks, worked for me.

Lee Adams(2016-05-02)

Thank you! This worked great and was by far the simplest solution for my AngularJS site.

Randy(2016-08-04)

Awesome! I used this for my AngularJS site. The instructions here worked perfectly in IIS 7.5.

Kiran Oza(2017-06-07)

Awsome..it works..thank u

navneet kumar(2017-07-07)

Awesome.... thanks... :)

Sumit Sinha(2017-08-11)

Can this work on API URLs?

SSL Shopper(2017-08-11)

Yes, this can work on any type of URL.

myVillage, Inc(2018-04-18)

For some reason the web.config code just would not work on our server. The very clear instructions provide int he above video worked very well for me. Check out redirect in action to https at www.myvillage.us.

Jonelli(2018-07-10)

Thanks, this was what I needed to do.

Kurt Gengenbach(2020-05-02)

Thank-you for this. I couldn't get it to work using instructions from another source and your in-depth explanation and calling out each character made my realize that I was incorrectly using (HTTPS) with parenthesis instead of {HTTPS} with braces.

snmohanty321(2016-07-29)

Step 10 show lock violation error.

Rodrigo Rocha(2016-09-23)

GREAT!!! SIMPLE! AND EAASY TO DO. THANK YOU!!!

Deadly-Bagel(2016-10-19)

Couldn't get it to work on IIS 8.5 with Windows Authentication, kept giving me a permissions error. Browsing through the comments I pieced together a solution, create a new website for HTTP port 80 and point it to the htm file in step 5 as a default document. Works like a charm.

popstar(2016-11-30)

Thanks for this... I tried the URL Rewrite method but it's not retaining the subfolder part of the path. It redirects to the root of the host. I have this URL Rewrite rule applied to a subfolder several directories down from the root.

http://test.example.edu/sub...
redirects to:
https://test.example.edu

<rewrite>
<rules>
<clear/>
<rule name="HTTP to HTTPS redirect" enabled="true" stopprocessing="true">
<match url="(.*)"/>
<conditions>
<add input="{HTTPS}" pattern="off"/>
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirecttype="Found"/>
</rule>
</rules>
</rewrite>

Sagar Mehta(2016-12-23)

if i have query string like http://abc.com?p=xyz then what is the change in bellow code

<rule name="HTTP to HTTPS redirect" stopprocessing="true">
<match url="(.*)"/>
<conditions>
<add input="{HTTPS}" pattern="off" ignorecase="true"/>
</conditions>
<action type="Redirect" redirecttype="Found" url="https://{HTTP_HOST}/{R:1}"/>
</rule>

Tukaro(2017-02-16)

Oh man, I was an idiot and didn't fully read directions, leading to a goose chase. To keep others from going on my quest:

If you click on "Add" under Error Pages and DO NOT see a "Response Action" section, that most likely means you have gone to the ".NET Error Pages" under the "ASP.NET" section of your website. Go back to the "Home" and this time click on "Error Pages" under the "IIS" section, just like the instructions show and say (and my dumb head completely skipped over.)

Ray Moncada(2017-05-15)

I did method 1, worked perfectly.
Which is the recommended method for SEO?

nibba(2017-06-04)

Doesn't work on iis 10.

Kumar Rakesh(2017-08-08)

Thanks for this... I tried the Method 1 and works like charm
for example
http://interviewfunda.com/
redirects to:
https://interviewfunda.com/

Martin Garcia Jakobsen(2018-05-14)

I know this is an old post but I’m facing the issue now. I have a site example http://papeldeazucar.com/ti... and I want the users to be redirected automatically to https://papeldeazucar.com/t... so it’s the same page but just changing the http to https so that they didn’t get redirected to the front page. On the other hand, is there a simple way to do this without loosing pagerank like a 301?, thanks

Martin Garcia Jakobsen(2018-06-20)

Does any one knows how to do this?

Chin Diesel(2018-06-29)

Yeah, a simple fix would be to just add a header called "Strict-Transport-Security" and make the value "max-age=31536000; includeSubdomains". The strict-transport-security header will force the use of SSL only, so all requests will automatically get upgraded to SSL, and you don't have to worry about error messages. Besides, a verbose error message like example 4 reveals sensitive information, such as the location of your website. This aids attackers by giving them internal info that they can use to simplify their attacks.

Martin Garcia Jakobsen(2018-06-30)

Thanks I’ll have a look!

Found this, not surre if it will work, I’m on a IIS:

<configuration>
<system.webserver>
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopprocessing="true">
<match url="(.*)"/>
<conditions>
<add input="{HTTPS}" pattern="off" ignorecase="true"/>
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirecttype="Permanent"/>
</rule>
</rules>
<outboundrules>
<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
<match servervariable="RESPONSE_Strict_Transport_Security" pattern=".*"/>
<conditions>
<add input="{HTTPS}" pattern="on" ignorecase="true"/>
</conditions>
<action type="Rewrite" value="max-age=31536000"/>
</rule>
</outboundrules>
</rewrite>
</system.webserver>
</configuration>

jann12392(2020-06-05)

Hi, I know this is an old post..hopefully I can still get a response.
The method worked for me but when I visit my site, it still says Not Fully Secured.
I already fixed the mixed content issues and when I checked it on whynopadlock, there's a warning saying it doesn't Force HTTPS, even though I already did the redirect is there anything else I need to do to avoid the warning? Thank you..

SSL Shopper(2020-06-05)

Hi Jann. I'm not sure what WhyNoPadlock is checking but you probably need to require https using a different method than this one (or try the other method since there are two listed here).

jann12392(2020-06-08)

Hi, thank you for the response. It appears that I needed to update TLS 1.0 to TLS 1.2. Now my site is secure

SSL Shopper(2020-06-08)

Thanks for the update. I'm glad to hear it was a simple change.

Mayank(2020-06-25)

Well, this is a good article. I still have a doubt.
If I want to run on different domains (domain1.com, domain2.com) on the same iis site with two bindings.
Now, Which URL Rewrite rules will redirect domain1.com to domain3.com & similarly domain2.com to domain4.com

Save

Advertisement • Hide