Step-by-step instructions for redirecting HTTP traffic to HTTPS on Microsoft IIS 7X+

Redirection HTTP to HTTPS is a necessary part of installing an SSL certificate. The SSL certificate is like a driver’s license. It can provide authenticating information about the entity that holds it, and it also allows certain permissions. In the case of the license, you get permission to use the roads. With SSL, you get permission to serve your website via HTTPS and form secure encrypted connection via the SSL/TLS protocol.

http to https redirection

There are actually multiple methods for setting up an HTTP to HTTPS redirect. And some are better than others. Ideally, your HTTP to HTTPS redirect in IIS should:

  • Redirect users so they don’t have to manually type https:// at the start of your URL
  • Redirect users to the page they intended to go to in the first place
  • Save the variables contained in the query string
  • Work with all browsers
  • Transfer SEO and page rank to the new HTTPS page
  • Redirect users from the non-WWW URL to the WWW one, or vice versa

Remember, when you’re migrating to HTTPS, you’re not just flipping some switch. You’re literally making new versions of every page on your website and redirecting to those. That’s why doing your HTTP to HTTPS redirect correctly is so critical, you could lose all your rankings overnight if you mess this up.

No pressure, right?

Don’t worry, we have you covered. Here are the best three methods for creating an HTTP to HTTPS redirect in IIS 7 and all higher versions:

Method 1: Use the IIS URL Rewrite Module

You’re going to need to install the URL rewrite module before you can use this method. It’s not hard.

Download from here:

When you install the URL rewrite module it will be under the IIS section.

  1. Install your SSL certificate and bind it to your website
  2. Under SSL setting, toggle “Require SSL” off
  3. Add the following code between the <Rules> tags:
    <rule name="HTTP to HTTPS redirect" stopProcessing="true">
    <match url="(.*)" />
          <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
  4. Now add the code below to the web.config file at the root of your site:
    <?xml version="1.0" encoding="UTF-8"?>
            <rule name="HTTP/S to HTTPS Redirect" enabled="true" stopProcessing="true">
            <match url="(.*)" />
            <conditions logicalGrouping="MatchAny">
              <add input="{SERVER_PORT_SECURE}" pattern="^0$" />
            <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />

If you want to include the query string in the re-written URL, then you can add appendQueryString=”true” under the action section.

Method 2: Use IIS Default Document

This is fairly easy, just introduce a sample ASP page at the website’s root and add the following code:

<% If Request.ServerVariables("HTTPS") = "off" Then Response.Redirect "https://" & Request.ServerVariables("HTTP_HOST") & Request.ServerVariables("UNENCODED_URL") ElseIf Request.ServerVariables("HTTPS") = "on" Then Response.Redirect "https://" & Request.ServerVariables("HTTP_HOST") & Request.ServerVariables("UNENCODED_URL") End If %>

Method 3: Use IIS HTTP Redirect Module

This last method is NOT IDEAL. So, in the interest of providing you with the best advice, we are going to advise against using this method.

Important Resources to Read

SSL Certificate for Microsoft IIS Server

Know which SSL Certificates and Certificate Authorities suits best on Microsoft IIS Server 7X and its higher version and how to get the SSL at the cheapest prices.

Buy SSL Certificates at Only $5.45


Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.