IIS7 Redirect HTTP to HTTPS

Compare SSL Certificates

Redirecting all traffic from HTTP to HTTPS in IIS7 will make sure your users always access the site securely. There are many different ways to set up an IIS7 Redirect from HTTP to HTTPS and some are better than others. The ideal HTTP to HTTPS redirect would do the following:

  • Gently redirect users to HTTPS so users don’t have to type in “https” in the URL
  • Redirect users to the specific page that they were going to go to on HTTP (page.htm)
  • Save any variables passed in the query string (?page=2)
  • Work in all browsers
  • Transfer PageRank to the redirected page by using a 301 redirect, maintaining SEO
  • Allow specific parts of a site to force SSL but allow HTTP on other parts of the site
  • Redirect users from mydomain.com to www.mydomain.com

Unfortunately, there isn’t an easy way to satisfy all of these requirements, and most methods only satisfy a few of them. The best method of doing an HTTP to HTTPS redirect I’ve seen involves using ASP.Net to do the HTTP to HTTPS redirection.

But most people don’t need all of those features, so I have listed two of the best methods of redirecting HTTP to HTTPS in IIS 7. They are easy to set up and effective in most situations.

Method 1 – Using Microsoft URL Rewrite Module

For this method of redirecting from HTTP to HTTPS, you will need to do the following;

  1. Install the Microsoft URL Rewrite Module
  2. Install your SSL certificate in IIS 7 and bind it to your website
  3. Make sure Require SSL is NOT checked under SSL Settings for your website (uncheck the boxes that are checked in this screenshot)

  4. Copy and paste the following code between the <rules> and </rules> tags in your web.config file in your website root directory.

    <rule name="HTTP to HTTPS redirect" stopProcessing="true">
      <match url="(.*)" />
        <conditions>
          <add input="{HTTPS}" pattern="off" ignoreCase="true" />
        </conditions>
      <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
    </rule>

  5. Test the site by going to http://www.yoursite.com and making sure it redirects

Method 2 – Setting up a Custom Error Page

The second method of setting up an IIS7 redirect HTTP to HTTPS is to Require SSL on the site or part of the site and set up a custom 403.4 error page. To do this, just following these steps:

  1. Install your SSL certificate in IIS 7 and bind it to your website
  2. In IIS, click on the site name, and go to the SSL Settings section

  3. Check Require SSL and Require 128-bit SSL and click Apply

  4. After doing this, users will normally receive this error:

  5. Create a new text file and paste the following into it:

    <html>
    <head><title>Redirecting...</title></head>
    <script language="JavaScript">
    function redirectHttpToHttps()
    {
        var httpURL= window.location.hostname + window.location.pathname + window.location.search;
        var httpsURL= "https://" + httpURL;
        window.location = httpsURL;
    }
    redirectHttpToHttps();
    </script>
    <body>
    </body>
    </html>

  6. Save the file as redirectToHttps.htm in your C:\Inetpub directory
  7. Back in IIS, click on the site name and double-click the Error Pages option

  8. Click Add… and enter 403.4 as the Status code. Browse for the redirectToHttps.htm file you just created and click OK


  9. Select the error code and press Edit Feature Settings…

  10. Click the Custom error pages option and again browse for the redirectToHttps.htm file

  11. Test the site by going to http://www.yoursite.com and making sure it redirects

A caveat of using a custom error page to do an IIS7 redirect from HTTP to HTTPS is that the web browser must have JavaScript enabled for the redirection to work.

Other Methods to IIS7 Redirect HTTP to HTTPS:

Originally posted on Sat Feb 27, 2010

Comments (34)

  1. Mark Keisling Jr.:
    Jun 11, 2014 at 02:37 PM

    Method 3 I created two sites. One for HTTPS with 443 binding that is hosting my actual site, and another for HTTP with 80 binding. On the HTTP site, I enabled permanent HTTP redirect and unchecked "Only redirect requests to content in this directory". I think this method is superior because it uses all out of the box solutions, and it doesn't depend on the client browser to do the redirect.

  2. Cesar:
    Mar 21, 2014 at 06:58 AM

    Don't change your applicationHost.config file because of the lock violation. Simply use a relative path to refer to your redirectToHTTPS file in Step 8 then test. No need to do steps 9 & 10.

  3. Robert:
    Feb 16, 2014 at 09:09 AM

    I'm not aware of any way to do this, Jace. The port number has to remain in the URL if it is a non-standard port.

  4. Jace:
    Feb 11, 2014 at 02:18 PM

    Hi Guys, I was able to redirect http to https -non standard port(444)by adding rule on the web.config.When i visit the site, site1.com it redirects me to https://site1.com:444. My question is, is there a way for me to hide or take away the appended port on the URL once it redirects to https? Not really familiar with this, just copied a rule over the internet and pasted it on the web.config file. I have use the above code to make it worked for me. Please advise. Any help is much appreciated jace

  5. mjac:
    Jan 29, 2014 at 02:12 AM

    Thanks for help

  6. Dan:
    Jan 22, 2014 at 09:04 PM

    I couldn't get method 2 to work at the website level but when I set up the error page at the server level it was fine.

  7. FSBarker:
    Oct 04, 2013 at 10:05 AM

    We were down to the wire at 6:30Am and had to deal with the http to https issue and two of use fount this article. I implemented method 1 and it works like a charm! Thanks so much for a complete and concise article.

  8. Pecos Bill:
    Sep 25, 2013 at 01:33 PM

    In IIS7, I created a site just to redirect 80 to 443 (https). I then bound that site to 80, left the real site bound to 443 WITH SSL REQUIRED, replaced the custom error page on the new site for error 403 to respond with a 302 and entered the https path I wanted. Lastly, I removed any access to the bogus site for IIS_USER to ensure it hit the error. None of this required the rewrite module nor any files.

  9. chandra:
    Sep 25, 2013 at 04:06 AM

    Great help!!!

  10. Tin:
    Jul 12, 2012 at 12:44 AM

    Thanks a lot. A combination of both solutions worked for me.

  11. Vincent:
    Mar 28, 2012 at 08:27 AM

    Not sure why my code wasn't included in my previous comment but it was probably because of the html tags. Anyway let me try this again without the html tags. I was referring to the following javascript: if(window.location.protocol != "https:"){ var oldURL = window.location.href var newURL = oldURL.replace("http:","https:"); window.location = newURL; } Admin Edit: Thanks, Vincent. I added the code into your original comment.

  12. Vincent:
    Mar 27, 2012 at 07:23 PM

    If you are like me and none of these solutions posted online are working for you (Yes, I've done it correctly and tried everything under the sun) there is another way to do it that is guaranteed to work because it doesn't rely on any server settings. Unfortunately depending on how you've architected your site it might not be quick to implement. For my site it was quick because every page my visitors see is actually an "include" on one "mother" page (for lack of a better term). It's a great way to build a site by the way because you only have to define your header and menu and footer once. Anyway, so I simply added this code to the top of my mother page and voila. if(window.location.protocol != "https:"){ var oldURL = window.location.href var newURL = oldURL.replace("http:","https:"); window.location = newURL; } If you have actual unique pages that the visitors load then you have to add this code to the top of every page. A bit more tedious but it's still guaranteed to work.

  13. Jackie Sheppard:
    Mar 14, 2012 at 04:00 PM

    This was very bad advice. Hosed my EMC and server. Had to call Microsoft.

  14. ???:
    Feb 05, 2012 at 10:53 AM

    For everyone having issues i simply followed this tutorial and it worked great the only thing i forgot to do was to make sure you have both bindings and once i added both binding http 80 and https 443 it worked thanks so much for a job well done

  15. C4Gamer:
    Dec 08, 2011 at 12:42 PM

    Your solution was the simplest and works beautifully.

  1. 1
  2. 2
  3. 3




Allowed tags: <b><i><br>Add a new comment: