Always Use HTTPS

Always Use HTTPS redirects all your visitor requests from http to https, for all subdomains and hosts in your application.

Note

This process does not impact certificate validation. If you use HTTP DCV, you can still enable Always Use HTTPS.

Cloudflare recommends not performing redirects at your origin web server, as this can cause redirect loop errors.

Availability

	Free	Pro	Business	Enterprise
Availability	Yes	Yes	Yes	Yes

Encrypt all visitor traffic

To redirect traffic for all subdomains and hosts in your application, you can enable Always Use HTTPS.

Note

If only some parts of your application can support HTTPS traffic, do not enable Always Use HTTPS and use a single redirect to selectively perform the redirect to HTTPS. Refer to Redirect admin area requests to HTTPS for an example.

Dashboard

To enable Always Use HTTPS in the dashboard:

1. Log in to your Cloudflare account ↗ and go to a specific domain.
2. In SSL/TLS > Overview, make sure that your SSL/TLS encryption mode is not set to Off. When you set your encryption mode to Off, the Always Use HTTPS option will not be visible in your Cloudflare dashboard.
3. Go to SSL/TLS > Edge Certificates.
4. For Always Use HTTPS, switch the toggle to On.

API

To enable or disable Always Use HTTPS with the API:

1. Make sure that your SSL/TLS encryption mode is not set to Off.
2. Send a PATCH request with always_use_https as the setting name in the URI path, and the value parameter set to your desired setting ("on" or "off").

Limitations

Forcing HTTPS does not resolve issues with mixed content, as browsers check the protocol of included resources before making a request. You will need to use only relative links or HTTPS links on pages that you force to HTTPS. Cloudflare can automatically resolve some mixed-content links using our Automatic HTTPS Rewrites functionality.