Cloudflare Docs
SSL/TLS
SSL/TLS
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

Always Use HTTPS

Always Use HTTPS redirects all http requests to https for all subdomains and hosts in your application.

Cloudflare recommends not performing redirects at your origin web server, as this can cause redirect loop errors.

​​ Availability

FreeProBusinessEnterprise

Availability

YesYesYesYes

​​ Encrypt all visitor traffic

To redirect traffic for all subdomains and hosts in your application, you can enable Always Use HTTPS.

To enable Always Use HTTPS in the dashboard:

  1. Log in to your Cloudflare account and go to a specific domain.
  2. Go to SSL/TLS > Edge Certificates.
  3. For Always Use HTTPS, switch the toggle to On.
To enable or disable Always Use HTTPS with the API, send a PATCH request with the value parameter set to your desired setting ("on" or "off").

​​ Encrypt some visitor traffic

​​ Configuration rules

If only some parts of your application can support HTTPS traffic, use Configuration Rules to selectively disable Always Use HTTPS.

​​ Redirects

If you only want specific subdomains redirected to HTTPS, redirect on a URL basis using Cloudflare Bulk Redirects.

For example, you could forward traffic from a specific subdomain to HTTPS. You would likely want to include Subpath matching and Preserve path suffix to ensure requests to http://example.com/examples go to https://example.com/examples.

Source URLTarget URLStatusSelected parameters
http://example.comhttps://example.com301Subpath matching and Preserve path suffix

​​ Limitations

Forcing HTTPS does not resolve issues with mixed content, as browsers check the protocol of included resources before making a request. You will need to use only relative links or HTTPS links on pages that you force to HTTPS. Cloudflare can automatically resolve some mixed-content links using our Automatic HTTPS Rewrites functionality.