Fixing HTTP to HTTPS Redirects in CloudFront

Google Search Console flagged our site with "HTTPS not evaluated" despite using HTTPS everywhere. The issue: HTTP requests weren't redirecting to HTTPS—they served content directly, creating duplicate content and hurting SEO.

CloudFront's default "HTTP and HTTPS" viewer protocol policy allows both protocols without redirecting. For SEO, security, and AdSense approval, all HTTP traffic must redirect to HTTPS with a 301 status.

The Problem

Testing revealed the issue:

# HTTPS works fine
curl -I https://example.com/page.html
# Returns: HTTP/2 200 ✅

# HTTP doesn't redirect (PROBLEM)
curl -I http://example.com/page.html
# Returns: HTTP/1.1 200 ❌
# Should return: HTTP/1.1 301 Moved Permanently

This creates duplicate content (same page accessible via HTTP and HTTPS), signals low quality to search engines, and blocks AdSense approval.

The Solution

CloudFront's viewer protocol policy controls how it handles HTTP vs HTTPS requests. Changing from "allow-all" to "redirect-to-https" forces all HTTP traffic to HTTPS with proper 301 redirects.

Implementation

Via AWS Console:

Navigate to CloudFront distribution
Edit default behavior (*)
Change "Viewer Protocol Policy" to "Redirect HTTP to HTTPS"
Save and wait 5-10 minutes for deployment

Via AWS CLI:

# Get current config and ETag
aws cloudfront get-distribution-config \
    --id YOUR_DISTRIBUTION_ID \
    --output json > /tmp/cf-config.json

ETAG=$(aws cloudfront get-distribution-config \
    --id YOUR_DISTRIBUTION_ID \
    --query 'ETag' --output text)

# Update viewer protocol policy
jq '.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy = "redirect-to-https"' \
    /tmp/cf-config.json > /tmp/cf-config-updated.json

# Apply changes
aws cloudfront update-distribution \
    --id YOUR_DISTRIBUTION_ID \
    --if-match "$ETAG" \
    --distribution-config file:///tmp/cf-config-updated.json

Verification

After deployment (5-15 minutes), test the redirect:

curl -I http://example.com/
# Should return: HTTP/1.1 301 Moved Permanently
# Location: https://example.com/

The Outcome

HTTP requests now properly redirect to HTTPS with 301 status codes. This eliminates duplicate content, improves SEO signals, and meets AdSense security requirements. Google Search Console updated within 1-2 weeks after requesting re-crawl of affected URLs.

The fix is simple but critical: CloudFront's redirect policy ensures users and search engines always access the secure version of your site.