Setting Up HTTPS Redirects in IIS and Securing Your URLs

Microsoft IIS.

In order to force your website to load over SSL, you will likely need to build in redirect to push all unsafe URLs to their secure counterpart. This is necessary to be sure that all users and pages support and use your SSL certificate to encrypt communications between your web server and the visitor.

Why would I need to redirect from HTTP to HTTPS?

To properly secure your website with SSL certificates, you may decide to embed redirects on your website, forcing everything http URL to redirect to secure https URL, (that is, redirect to That way, whatever URL a user visits on your site, they’ll automatically be directed to the secure version of that page.

Without redirects in place, some users or pages may access insecure URLs and will not enjoy the benefits of having an SSL certificate in place. Let’s see how to integrate these changes into IIS with the URL Rewrite Redirection module!

Access the redirection module

The first thing to do is to access our redirect module. To do this, open IIS Manager (inetmgr.exe), expand your server, and select the site where you want to embed the redirects.

In the main window pane, scroll down until you find “URL Rewrite” under the IIS subcategory and double-click this icon.

If you don’t see this module, you will need to install it from the official IIS website, here.

Note that the URL Rewrite Module is only available for IIS 7 or higher.

Creating your first redirect rule

Now that you have opened the URL rewrite module, select “Add one or more rules” from the action menu at the top right. We are going to create a blank rule.

    Create a blank rule,

To create a redirect rule that forces all HTTP URLs to HTTPS, you will need to create a rule with the following parameters:

Requested url: Corresponds to the model
Using: Regular expressions
Patten: (. *)

… With the “Ignore” box Checked.

By setting the pattern to (. *) And matching regular expressions, the redirect rule will match and process any URL it receives. The regular expression pattern (. *) Matches all possible combinations of characters in the URL.

Once these settings are in place, scroll down to the “Conditions” section and expand the drop-down menu.

Select “Add” and enter the following parameters:

Condition entry: {HTTPS}
Check if the input string: Corresponds to the model
Model: ^ OFF $

Click OK. “

Now on the “Edit Inbound Rule” page for our new rule, scroll down to the “Action” section.

You’ll set the action type to “Redirection” and enter the following URL in the Redirection URL section:


Make sure to uncheck “Add Query String” and make sure the redirect type is “Permanent (301)”.

Note: If you’re having trouble with redirecting at the end of this article, another option to try for your redirect URL would be:

https: // {HTTP_HOST} / {R: 1}

We use permanent redirects (301) for our site because we want all unsafe URLs to be automatically and permanently redirected to the secure https version of the URL. There are several other types of redirects available, but the 301 redirect will allow our website to behave the way we want it to be for HTTPS.

Once you have confirmed that all of the above settings are correct, select “Apply” from the Actions pane at the top right.

Testing redirects to confirm redirecting all website URLs to HTTPS

Once you’ve applied the new redirect rule to your website, you can now test the redirect in your browser.

To make sure your browser is not using cached data upon access, open a “Private” or “Incognito” window and navigate to any http URLs on your site.

When accessing these URLs, it should automatically redirect to the HTTPS version of your page. Assuming you have already tested your SSL certificate before redirecting, when your unsecured URL is redirected, it should now display https and a secure lock icon near the URL bar.

If you are having trouble with your redirect or find that it is not redirecting correctly, it is in our best interest to check the web.config file in the associated website to be sure our redirect rule has been added correctly.

You can verify this by going to your site in IIS, right-clicking on its name, and selecting “Explore.”

Check the web.config file on the associated website.

This will take you to the root directory of your website where you will find a file named web.config. Open this file in Notepad to view its contents.

Your web.config should contain the following information somewhere in its content:

If you don’t have a section that says so in your web.config file, add the above code block right before closing tag and save your file.

You should now be able to access all of the http URLs on your website and see that they redirect to the secure https URL! Congratulations, all your site pages and URLs are redirected to their secure counterpart!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.