Force HTTPS on project URL

I noticed that if you change the https part of the project URL to http it uses HTTP, whereas most websites Google, etc… redirect you to the HTTPS version of their website. How can I make my Glitch project force HTTPS???

See the following example project which implements this:!/large-patch


Thanks, but would I place this code before any other app.gets?

Copy the checkHttps function code into your js file, and use app.use(checkHttps) before your app.gets. See


Ok, thanks! I shall update my code with that now,

Is it still working as of now? I’m getting < projectname > redirected you too many times…?

Hmm so it does work for glitch subdomains. But it won’t work on my custom domain weird, but it’s fine, just the red “Not secure” annoys me

Edit to make things more clear: Adding https:// works, but I’m trying to force it

1 Like

That seems incorrect. For example is a custom domain registered via the Custom Domain integration in Glitch and configured at my registrar, https worked completely transparently - I didn’t do anything special.

What’s your domain and project?

1 Like

It’s doing some weird thing where it does not show it is connected to a Domain, but my site is, custom domain:, as you can see the latter did not force https?
I used to use fly, but to test glitch’s new custom domain i deleted my fly project. So now (I think…?) it’s using glitch’s custom domains, if join URL needed dm me


Uhhhh I just went to anddd

Edit: Adding https:// works, but I’m trying to force it

Ah yes, I misinterpreted what you were trying to do; I didn’t read the backscroll carefully enough, sorry!

Yes, you are correct, that workaround won’t handle custom domains due to the way X-Forwarded-Proto gets filled in those situations. I don’t know of a way to handle it with custom domains off-hand.


Haha, yea, there is a middleware in though, is there a way I can un-intergrate glitch’s Custom domains and then I can do it using, and use the Force https middleware from them? (Same project as above)

There seems to be no way to un-intergrate it tho? And I can’t make a new fly website.

Was going to insert image here, but it won’t stop loading :confused:

Fixed after a few Hard refreshes.

So what I mean is you can’t remove domains or is glitch glitched (ha pun)

This is getting irrelevant to the title, i’ll make a new post thing.

1 Like

Hey, can you please explain how you force HTTPS through Fly? I’d like to do that too on my custom domain.

Unfortunately I found this topic too late and connected my domain name already. @cori could you please unlink domain from this project: Thanks in advance.

Is there any solution to this now? I was testing code on a custom domain and nothing I did seemed to be able to get a forced-https result

It’s very simple, just add this to every HTML file:

if (location.protocol !== 'https:') {

or include this in your JS:

if (location.protocol !== 'https:') {

This wouldn’t work server-side, I need a way to make the server itself only serve https requests, not http

i lack the understanding to know what server side means (ok i probably know but i cant find a solution). would this work?
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

from here.

this would just mean that the client side upgrades its own requests, I want the server to not serve HTTP requests at all

If you are using a custom domain on Fly, it may be worth changing your domain’s DNS to use Cloudflare, where you can select to have your site only serve on HTTPS.
There are some limitations with using their free DNS, but I use it for all my websites and it works fine :slight_smile:

Hope this helps!