Introduction

A broken HTTP to HTTPS redirect usually means more than one layer is trying to control the same behavior. The CDN, load balancer, web server, and application may each have their own redirect logic, and those rules do not always agree. When they conflict, some requests stay on HTTP, others loop, and some land on the wrong hostname. The safest fix is to decide which layer owns the redirect and make every other layer support that path instead of competing with it.

Symptoms

  • HTTP requests do not redirect to HTTPS consistently
  • Some URLs redirect correctly while others stay on HTTP or loop
  • The issue started after enabling a CDN, proxy, or SSL plugin
  • The apex domain and www hostname behave differently
  • Browser tools show repeated redirects, mixed protocols, or wrong host transitions

Common Causes

  • Multiple redirect rules exist across the proxy, server, and application
  • Proxy headers do not correctly tell the origin whether the request was HTTPS
  • Application base URL or canonical host settings still point to HTTP
  • Rewrite rules differ between the apex domain, www, and subdomains
  • A CDN or load balancer terminates SSL but the origin still applies conflicting redirect logic

Step-by-Step Fix

  1. Map the full request path from browser to CDN, load balancer, origin, and application so you know where HTTPS is terminated.
  2. Decide which layer should own the HTTP to HTTPS redirect and remove duplicate logic from other layers where possible.
  3. Test the apex domain, www, and any subdomains separately because they often use different rules or certificates.
  4. Verify proxy headers such as forwarded protocol indicators so the origin knows whether the visitor already arrived over HTTPS.
  5. Check application URL settings and canonical host configuration to make sure internal links and redirects target the intended HTTPS hostname.
  6. Review rewrite rules, page rules, and redirect plugins for broad patterns that accidentally override each other.
  7. Retest with browser developer tools or command-line requests so you can inspect each hop in the redirect chain.
  8. Enable HSTS only after the HTTPS redirect path is fully correct and stable across all intended hostnames.
  9. Document redirect ownership so future CDN, SSL, or hosting changes do not reintroduce conflicting protocol rules.
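
The hop-by-hop inspection from steps 3 and 7 can be scripted. The following is an added example, not part of the original article: it follows a redirect chain one hop at a time and flags loops, HTTPS-to-HTTP downgrades, HTTP-to-HTTP hops, and chains that end on HTTP or on the wrong hostname. The hostnames and the SAMPLE response table are constructed for illustration, and the `fetch` callback is an assumed interface returning `(status, location)`.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def trace(start_url, fetch, max_hops=10):
    """Follow Location headers one hop at a time.
    fetch(url) must return (status, location_or_None)."""
    chain, url = [start_url], start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)   # Location may be relative
        chain.append(url)
        if chain.count(url) > 1:       # same URL seen twice: loop
            break
    return chain

def diagnose(chain, canonical_host):
    """Return a sorted list of problems found in one redirect chain."""
    problems = set()
    parts = [urlsplit(u) for u in chain]
    if len(set(chain)) < len(chain):
        problems.add("loop")
    for prev, cur in zip(parts, parts[1:]):
        if prev.scheme == "https" and cur.scheme == "http":
            problems.add("https-to-http downgrade")
        if prev.scheme == "http" and cur.scheme == "http":
            problems.add("http-to-http hop")
    if "loop" not in problems:
        if parts[-1].scheme != "https":
            problems.add("ends on http")
        if parts[-1].hostname != canonical_host:
            problems.add("wrong final host")
    return sorted(problems)

# Constructed responses standing in for real servers (hypothetical hosts).
SAMPLE = {
    "http://example.test/": (301, "https://example.test/"),
    "https://example.test/": (301, "https://www.example.test/"),
    "https://www.example.test/": (200, None),
    # Edge redirects to HTTPS, but the application still redirects to HTTP.
    "http://shop.example.test/": (301, "https://shop.example.test/"),
    "https://shop.example.test/": (302, "http://shop.example.test/"),
    # No layer owns the redirect for this hostname.
    "http://blog.example.test/": (200, None),
}

def check(start_url, canonical_host, table=SAMPLE):
    return diagnose(trace(start_url, lambda u: table[u]), canonical_host)
```

To use it against a real site, pass a `fetch` that sends one request without following redirects and returns the status code and Location header, then run `check` for the apex, www, and each subdomain.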