Redirect to HTTPS

Learn how to redirect HTTPS sites.

Discuss in our Forum Discuss in Slack

The standard best practice when using HTTPS is to set an HSTS header to force connections over HTTPS only.

This configuration is recommended as part of the going live procedure. Configure these settings after connecting a custom domain in the Site Dashboard when you're ready to launch the site.

Set HSTS with Pantheon.yml

This is the preferred method of setting HTTPS & HSTS for your site.

  1. Locate the enforce_https setting in your site's pantheon.yml file.

  2. Select one of the values in the table below to direct the enforce_https setting.


Before adjusting enforce_https, review and understand the configuration options and all considerations to avoid unintended consequences.

If you use a plugin or module to set your HSTS header, it will create a duplicate header. Disable enforce_https in pantheon.yml to avoid an invalid policy.

Use of the HSTS header is defined by the enforce_https directive, and takes five possible values which are handled by Pantheon as shown below:

offDisabledNot set by Pantheon
transitional (default)Enforcedmax-age=300
full Enforcedmax-age=31622400
full+subdomains Enforcedmax-age=31622400

For example, to set enforce_https as off:

enforce_https: off


  • Use of full or full+subdomains should be treated as a commitment. HSTS headers are cached by browsers for the duration of the max-age period. If your site is unable to serve HTTPS (for example, by moving to a host that doesn't support HTTPS), visitors will be unable to access your site.
  • Any option with +subdomains should only be used if you want to enforce HTTPS for all subdomains, even those not connected to Pantheon.
  • To prepare your site to serve all content via HTTPS, follow the Switching Sites from HTTP to HTTPS doc.

More Resources