Setting Up Drupal to Use SSL¶
Use this page for setting up drupal to use ssl. Confirm the certificate is available first, then update the application or DNS settings that control HTTPS behavior.
TL;DR
Confirm the certificate works, enable cPanel Force HTTPS Redirect, then
use Drupal admin or file edits only if the site still needs application-level
cleanup. Clear Drupal caches and test the site afterward.
Before You Start¶
- Open
https://example.comin a browser and confirm the SSL certificate loads without a browser warning. - Make a backup of the site files before editing
settings.phpor.htaccess. - Keep access to cPanel File Manager, SSH, SFTP, or another file editor.
Need help?
If you are not comfortable editing Drupal files, contact Fused before making changes.
Option 1: Use cPanel Force HTTPS Redirect¶
Start here before editing Drupal files directly.
- Sign in to the Fused client area.
- Select Services.
- Select the green Active status next to the relevant hosting account.
- Select Login to cPanel.
- Open Domains.
- Turn on Force HTTPS Redirect for the Drupal domain.
- Visit
http://example.comand confirm it redirects tohttps://example.com.
Option 2: Use Drupal Admin¶
Drupal core does not provide the same universal SSL switch in every version. Some sites expose HTTPS controls through installed modules, distribution settings, or hosting integration.
- Sign in to Drupal over HTTPS at
https://example.com/user/login. - Go to Configuration.
- Check for SSL, HTTPS, redirect, base URL, or security settings added by installed modules.
- If a setting exists to force HTTPS, enable it and save the configuration.
- Clear Drupal's caches from the admin interface.
- Test the public site and admin area in a private browser window.
If there is no HTTPS setting
That is normal for many Drupal installs. Use cPanel's Force HTTPS Redirect or the file-based method below.
Option 3: Edit Drupal Files¶
Use this path when cPanel and the admin interfaces do not expose the setting you need.
Drupal 7¶
- Open
sites/default/settings.php. - Look for a
$base_urlsetting. - If
$base_urlis set to anhttp://address, update it tohttps://.
$base_url = 'https://example.com';
- Save the file.
- Clear Drupal's caches.
- Visit the site over
https://and click through a few pages to confirm links, images, and stylesheets load correctly.
If $base_url is not set
Many Drupal 7 sites do not need $base_url defined. If it is commented out or missing, do not add it unless the site specifically requires it.
Drupal 8, 9, and 10¶
Drupal 8 and newer usually detect the current request scheme, so most sites do not need a base URL setting changed in settings.php.
- Confirm
https://example.comloads correctly. - Add a server-level redirect from HTTP to HTTPS.
- Clear Drupal's caches.
- Test the public site and the Drupal admin area.
Force HTTP to HTTPS¶
If the site still loads over plain HTTP, add or confirm an HTTPS redirect. On many Drupal sites this can be done in the site's .htaccess file.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Place custom redirect rules carefully so they do not conflict with Drupal's existing rewrite rules.
Avoid redirect loops
If the site is behind a proxy, CDN, or load balancer, a simple HTTPS redirect may loop. Revert the change and contact Fused if the browser reports too many redirects.
Check for Mixed Content¶
After the site loads over HTTPS, check for images, scripts, stylesheets, or embeds still using http://.
- Update hardcoded internal links to use
https://. - Update theme or module settings that store full URLs.
- Check custom blocks, menus, and templates.
- Clear Drupal caches again after changes.
What to Check¶
https://example.comloads without a certificate warning.http://example.comredirects tohttps://example.com.- The Drupal admin area works over HTTPS.
- Images, CSS, JavaScript, and embedded assets load without mixed-content warnings.
- Forms and checkout pages still submit correctly.