Last Reviewed: August 01, 2022

Redirect to HTTPS

Learn how to redirect your site to HTTPS and set an HSTS policy.


The standard best practice once a site serves HTTPS is to send an HSTS (Strict-Transport-Security) header so that browsers connect over HTTPS only and refuse to fall back to HTTP.

This configuration is recommended as part of the going live procedure. Configure these settings after connecting a custom domain in the Site Dashboard when you're ready to launch the site.

Set HSTS with Pantheon.yml

This is the preferred method of configuring HTTPS redirects and HSTS for your site.

  1. Locate the enforce_https setting in your site's pantheon.yml file (add it if it is not present).

  2. Set enforce_https to one of the values in the table below.

Note:

Before adjusting enforce_https, review and understand the configuration options and all considerations below to avoid unintended consequences.

If you also use a plugin or module to set an HSTS header, the response will carry two Strict-Transport-Security headers. Browsers process only the first one they receive (RFC 6797), so the effective policy may not be the one you intended. Either remove the plugin's header or set enforce_https to off so that Pantheon does not emit one; note that off also disables Pantheon's HTTP-to-HTTPS redirect (see the table below), so the plugin must then handle the redirect as well.

The HSTS header is controlled by the enforce_https directive, which takes one of five values. Pantheon handles each value as shown below:

enforce_https:            Redirect   HSTS (Strict-Transport-Security)   includeSubdomains   preload
off                       Disabled   Not set by Pantheon                -                   -
transitional (default)    Enforced   max-age=300                        -                   -
transitional+subdomains   Enforced   max-age=300                        yes                 -
full                      Enforced   max-age=31622400                   -                   -
full+subdomains           Enforced   max-age=31622400                   yes                 yes

For example, to set enforce_https as off:

enforce_https: off
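After deploying a change to enforce_https, verify what the site actually returns rather than trusting the setting: fetch the response headers (for example with `curl -sI https://www.example.com`) and check the Strict-Transport-Security value. The script below is an added example, not Pantheon's code. It parses the header per RFC 6797, maps the max-age and includeSubDomains/preload flags back to the enforce_https modes in the table, and flags the two failure modes the note above warns about: a second STS header (for example from a CMS plugin) that browsers will ignore, and a malformed or preload-ineligible policy. The header sets at the bottom are constructed for the demonstration; the hstspreload.org minimum max-age of one year is a fact about the preload list, not something Pantheon sets.

```python
"""Check a response's Strict-Transport-Security header against the
enforce_https table.  Added example; not Pantheon code.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# max-age values Pantheon sets for each enforce_https mode (from the table).
MODE_MAX_AGE = {"transitional": 300, "full": 31622400}
# hstspreload.org requires at least one year and includeSubDomains.
PRELOAD_MIN_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_sts(value: str) -> HstsPolicy:
    """Parse one Strict-Transport-Security field value (RFC 6797 section 6.1).

    Directive names are case-insensitive, max-age is required, and a directive
    that appears twice makes the whole header invalid for the browser.
    Unknown directives are permitted and ignored.
    """
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            policy.problems.append("duplicate directive %s" % name)
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", arg):
                policy.max_age = int(arg)
            else:
                policy.problems.append("bad max-age value %r" % arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age is None:
        policy.problems.append("max-age missing")
    return policy


def classify(headers: List[Tuple[str, str]]) -> Dict[str, object]:
    """Map the STS header(s) of a response to an enforce_https mode.

    `headers` is the list of (name, value) pairs the server returned.
    Browsers process only the first STS header (RFC 6797 section 8.1), so any
    additional one, e.g. from a CMS plugin beside the platform header, is
    reported as a warning and otherwise ignored, exactly as a browser would.
    """
    sts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    result: Dict[str, object] = {"mode": "off", "warnings": []}
    warnings: List[str] = result["warnings"]  # type: ignore[assignment]
    if not sts:
        return result
    if len(sts) > 1:
        warnings.append("%d STS headers present; browsers honour only the first" % len(sts))
    policy = parse_sts(sts[0])
    warnings.extend(policy.problems)
    if policy.problems:
        result["mode"] = "invalid"
        return result
    suffix = "+subdomains" if policy.include_subdomains else ""
    for mode, age in MODE_MAX_AGE.items():
        if policy.max_age == age:
            result["mode"] = mode + suffix
            break
    else:
        result["mode"] = "custom"  # an HSTS header Pantheon did not generate
    if policy.preload and (policy.max_age < PRELOAD_MIN_AGE or not policy.include_subdomains):
        warnings.append("preload set but policy does not meet preload list requirements")
    return result


if __name__ == "__main__":
    # Constructed header sets, not captured from a real site.
    samples = {
        "off": [("Content-Type", "text/html")],
        "transitional": [("Strict-Transport-Security", "max-age=300")],
        "full+subdomains": [("Strict-Transport-Security",
                             "max-age=31622400; includeSubDomains; preload")],
        "platform + plugin": [("Strict-Transport-Security", "max-age=31622400"),
                              ("Strict-Transport-Security", "max-age=63072000; includeSubDomains")],
        "plugin only, broken": [("Strict-Transport-Security", "includeSubDomains; preload")],
    }
    for label, hdrs in samples.items():
        print("%-22s -> %s" % (label, classify(hdrs)))
```

Run the check against every environment you expose (dev, test, live), because an HSTS header is cached by the browser per host name, and a stray long max-age on a host that later loses HTTPS is exactly the lock-out the considerations below describe.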

Considerations

  • Use of full or full+subdomains should be treated as a commitment. Browsers cache the HSTS policy for the full max-age period (about a year for full) and will refuse to load the site over plain HTTP until it expires. If your site later cannot serve HTTPS (for example, after moving to a host that does not support it), visitors whose browsers cached the policy will be unable to access it.
  • Any option with +subdomains should only be used if you want to enforce HTTPS for every subdomain of the host name that served the header, including subdomains hosted elsewhere and not connected to Pantheon. A subdomain that serves only HTTP becomes unreachable for browsers that have cached the policy.
  • To prepare your site to serve all content via HTTPS, follow the Switching Sites from HTTP to HTTPS doc.

More Resources