Why
The Netlify _redirects rule that is meant to canonicalise the old Netlify subdomain sends visitors to an http:// destination, silently downgrading any TLS connection and leaving traffic unencrypted for the remainder of the redirect chain.
Current state
static/_redirects contains:
http://gatsbytutorials.netlify.com/* http://www.gatsbytutorials.com/:splat 301!
The destination is http:// (not https://), so a visitor arriving via the old subdomain is redirected to a plaintext URL even though www.gatsbytutorials.com supports HTTPS.
Ideal state
- The redirect destination is
https://www.gatsbytutorials.com/:splat so visitors are forwarded directly to the TLS-protected origin.
- No rule in
static/_redirects targets an http:// destination when an https:// equivalent exists.
Out of scope
- Adding HSTS headers (tracked separately).
- Handling other legacy subdomains or non-www variants beyond the existing rule.
Starting points
static/_redirects — the single rule that needs its destination scheme changed.
- Netlify redirects docs — reference for rule syntax and testing.
QA plan
- Update the destination to
https://www.gatsbytutorials.com/:splat in static/_redirects.
- Deploy a preview build to Netlify.
- Open
http://gatsbytutorials.netlify.com/ in a browser (or use curl -I). Confirm the 301 Location header is https://www.gatsbytutorials.com/.
- Follow the redirect and confirm the browser lands on the HTTPS version of the site with no mixed-content warnings.
- Verify no other rules in
_redirects have an http:// destination.
Done when
Every redirect destination in static/_redirects uses https://, and a request to http://gatsbytutorials.netlify.com/* results in a 301 pointing to https://www.gatsbytutorials.com/:splat.
Why
The Netlify
_redirectsrule that is meant to canonicalise the old Netlify subdomain sends visitors to anhttp://destination, silently downgrading any TLS connection and leaving traffic unencrypted for the remainder of the redirect chain.Current state
static/_redirectscontains:The destination is
http://(nothttps://), so a visitor arriving via the old subdomain is redirected to a plaintext URL even thoughwww.gatsbytutorials.comsupports HTTPS.Ideal state
https://www.gatsbytutorials.com/:splatso visitors are forwarded directly to the TLS-protected origin.static/_redirectstargets anhttp://destination when anhttps://equivalent exists.Out of scope
Starting points
static/_redirects— the single rule that needs its destination scheme changed.QA plan
https://www.gatsbytutorials.com/:splatinstatic/_redirects.http://gatsbytutorials.netlify.com/in a browser (or usecurl -I). Confirm the 301 Location header ishttps://www.gatsbytutorials.com/._redirectshave anhttp://destination.Done when
Every redirect destination in
static/_redirectsuseshttps://, and a request tohttp://gatsbytutorials.netlify.com/*results in a 301 pointing tohttps://www.gatsbytutorials.com/:splat.