11

Another question asked quite often by the Netlify community. "Can Netlify redirect traffic from http to https without forcing SSL (TLS)?"

Once you have a certificate in place, you can check a box to force TLS. This will both set a redirect from http to https, and add Strict Transport Security headers to all requests.

The user does not want to force SSL until everything is setup correctly and they know they will not be changing their setup.

talves
  • 13,993
  • 5
  • 40
  • 63

2 Answers2

15

November 2018 Update

The accepted answer is no longer true

Currently, as of November 2018 (since July 2018) all new sites on Netlify are HTTPS with force redirect turned on by default and you cannot turn it off.

See the blog post:

and this issue on GitHub:

Even for old sites, the option to turn off HTTPS or to turn off the redirect to HTTPS is no longer available:

enter image description here

rsp
  • 107,747
  • 29
  • 201
  • 177
  • Sorry @rsp. Answered so many questions for Netlify. Reviewed and knew this, but forgot about the question. Marked accepted! Noticed it wasn't marked any longer. – talves Aug 05 '21 at 22:41
11

Netlify does allow you to force TLS. It is recommended to not 'force TLS' until you are certain all URL's work with https

Don’t check the ‘force TLS’ option until you are certain that all of your URL’s work with an ‘https://’ in front!

Why?

Once you force TLS using Netlify they will set the STS (Strict-Transport-Security) header in your page response headers. I will not go through the explanation but you can read about it here.

The main thing to know is:

Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS

Note that Netlify's settings (using the force TLS checkbox) are to have the visiting browsers enforce this for 1 year past visit date! So, if you have anything that fails on https, your site is going to have some issues until you are able to fix them.

Wait!

You still want your site to always serve up https pages once you add the certificate, but not have it forced while testing or working through issues.

Solution:

Use the _redirects file at the root of your deployed site (in your "Publish directory, next to index.html) to redirect traffic to https.

Here is an example of the file

_redirects

# redirect netlify sitename to your sitename for SEO purposes,
# to avoid duplicate content.  Do this for http and https
https://example.netlify.com/* https://www.example.com/:splat 301!
http://example.netlify.com/* http://www.example.com/:splat 301!

# also redirect http to https for your custom domain.
# Note that netlify automatically redirects to your custom domain from the bare domain (or vice versa), so you only need one rule here.
http://www.example.com/* https://www.example.com/:splat 301!

Or the same redirects using Structured Redirects

netlify.toml

[[redirects]]
  from = "https://example.netlify.com/*"
  to = "https://www.example.com/:splat"
  status = 301
  force = true

[[redirects]]
  from = "http://example.netlify.com/*"
  to = "http://www.example.com/:splat"
  status = 301
  force = true

[[redirects]]
  from = "http://www.example.com/*"
  to = "https://www.example.com/:splat"
  status = 301
  force = true

NOTE:

  • Netlify already redirects the bare domain to www subdomain (optional)
  • It's recommended to use www as your custom domain, to take full advantage of Netlify CDN with ANY DNS setup.
  • redirects the netlify subdomain site to custom domain (optional)
  • redirects http to https for all paths
talves
  • 13,993
  • 5
  • 40
  • 63