Last updated: 28 April 2021

If your website has an SSL certificate you probably want all website traffic to use the HTTPS protocol rather than HTTP. To do so, you need to redirect traffic from HTTP to HTTPS.

Linux (.htaccess)

Most of our Linux servers run Apache and come with cPanel. The easiest way to force HTTPS on cPanel servers is via cPanel’s Domains interface. All you have to do is toggle the Force HTTPS Redirect option to On.

The 'Force HTTPS' option in cPanel's 'Domains' interface.
Image: the Force HTTPS Redirect option in cPanel.

In the background, cPanel creates a redirect rule in the .htaccess file. The rule looks like this:

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteCond %{HTTP_HOST} ^example\.net$ [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.net$
RewriteRule ^(.*)$ "https\:\/\/example\.net\/$1" [R=301,L]

This rule redirects to and to

If you also want your domain to either always or never use the the ‘www’ subdomain then you need to manually add a rule to the .htaccess file. You can copy and paste the below code examples.

Redirect to non-WWW and HTTPS

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]

Redirect to WWW and HTTPS

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://www.%1%{REQUEST_URI} [L,NE,R=301]

There are more examples of managing redirects in our article about cPanel redirects.

Windows (web.config)

On our Windows servers you can add a rule to the web.config file:

        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />

If the <rules> sections already exists in the web.config file then you can simply add the <rule> block to the existing section.

Checking redirects

It’s always a good idea to make sure that redirects work as expected. If you got cURL installed on your computer then you can run the command curl -IL $domain, where $domain is the domain you want to check.

The command produces a fair bit of output. The main thing to look for are the lines that start with HTTP and Location. These lines show the Apache status code (such as 200, 301 or 302) and, in the case of a 301 or 302 redirect, what the destination of the redirect is.

To give an example, our website always uses the ‘www’ subdomain. The below cURL command shows that first redirects to and then to We added the --silent option and piped the output to grep to filter the information we are interested in:

$ curl -IL --silent | grep -E "^(HTTP|Location)"
HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
HTTP/1.1 200 OK