Always Use HTTPS
Always Use HTTPS redirects all your visitor requests from http
to https
, for all subdomains and hosts in your application.
Cloudflare recommends not performing redirects at your origin web server, as this can cause redirect loop errors.
Availability
Free | Pro | Business | Enterprise | |
Availability | Yes | Yes | Yes | Yes |
Encrypt all visitor traffic
To redirect traffic for all subdomains and hosts in your application, you can enable Always Use HTTPS.
To enable Always Use HTTPS in the dashboard:
- Log in to your Cloudflare account and go to a specific domain.
- Go to SSL/TLS > Edge Certificates.
- For Always Use HTTPS, switch the toggle to On.
To enable or disable Always Use HTTPS with the API, send a PATCH
request with the value
parameter set to your desired setting ("on"
or "off"
).
Encrypt some visitor traffic
If you only want specific subdomains redirected to HTTPS, redirect on a URL basis using Cloudflare Bulk Redirects.
For example, you could forward traffic from a specific subdomain to HTTPS. You would likely want to include Subpath matching and Preserve path suffix to ensure requests to http://example.com/examples
go to https://example.com/examples
.
Source URL | Target URL | Status | Selected parameters |
---|---|---|---|
http://example.com | https://example.com | 301 | Subpath matching and Preserve path suffix |
Limitations
Forcing HTTPS does not resolve issues with mixed content, as browsers check the protocol of included resources before making a request. You will need to use only relative links or HTTPS links on pages that you force to HTTPS. Cloudflare can automatically resolve some mixed-content links using our Automatic HTTPS Rewrites functionality.