It’s a common requirement to enforce HTTPS for CMS back-office access. Umbraco makes this straightforward with a combination of a config setting and an IIS URL rewrite rule.
Step 1: Configure AppSettings
Add this to the appSettings section of web.config:
<add key="umbracoUseSSL" value="true" />This prevents back-office logins over plain HTTP, but it doesn’t automatically redirect users — they’ll just see an error if they try to access /umbraco over HTTP. That’s where the rewrite rule comes in.
Step 2: Add the URL Rewrite Rule
Add this rule to the system.webServer > rewrite > rules section of web.config:
<rule name="Redirect /umbraco to SSL" patternSyntax="ECMAScript" stopProcessing="true">
<match url="umbraco.*" />
<conditions>
<add input="{HTTPS}" pattern="Off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:0}" />
</rule>This rule matches any URL beginning with umbraco, checks whether the request is coming over HTTP (HTTPS is Off), and issues a permanent redirect to the HTTPS equivalent — preserving the full path.
For additional Umbraco configuration options, refer to the official Umbraco documentation.