Redirect HTTP to Force HTTPS
Redirecting HTTP to HTTPS isn't just about encryption - it's also a requirement for many compliance and audit-ready initiatives. This guide shows you how to force HTTPS in IIS using a simple web.config rule, keeping your intranet traffic fully secure and meeting best practices.
IIS / web.config
After setting up your self-signed, standard, or wildcard SSL certificate, you can use IIS URL Rewrite rules to automatically force HTTPS for all requests.
Step-by-Step:
- Make sure the URL Rewrite Module is installed on your IIS server.
- Open or edit your site's
web.configfile in Notepad or similar. - Inside the
<system.webServer>section, add the following rule:
<rewrite>
<rules>
<rule name="Force HTTPS" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
</rules>
</rewrite>Once saved, all HTTP requests will automatically redirect to HTTPS.
Still deciding which certificate type is best? See our SSL for Intranets overview to compare self-signed, standard, and wildcard certificates.
Troubleshooting Common Issues
- Check that your SSL certificate is valid and installed correctly before forcing HTTPS.
- Make sure you don't have conflicting rewrite rules that create redirect loops.
- If you run multiple bindings or host headers, ensure the host name matches the SSL certificate's common name.
Related Pages
- SSL for Intranets - Overview page covering internal CAs, wildcard certs, standard certs, and more
- Self-Signed Cert for Windows Server - Step-by-step guide for installing and deploying
- Internal Certificate Authority (CA) - When and how to set up your own internal CA
- Renew an SSL Certificate in IIS - Avoid unexpected expirations
- Azure App Registration for Intranets - Enable secure API access for email, SharePoint, and login
- Bank Intranet Solutions
- Credit Union Intranet Solutions