# HTTP to HTTPS redirect

> Redirect HTTP traffic to HTTPS using the default Gateway's listeners.

Redirecting HTTP to HTTPS is one of the first things you'll want to set up for a production domain. The default Gateway listens on both port 80 (HTTP) and port 443 (HTTPS), so you can set up redirects by attaching routes to specific listeners using `sectionName`.

## Single domain

### Add the redirect route

Create an HTTPRoute that matches the HTTP listener and redirects every request to HTTPS:

```yaml title="redirect.yaml"
apiVersion: gateway.apoxy.dev/v1
kind: HTTPRoute
metadata:
  name: http-to-https
spec:
  parentRefs:
  - name: default
    sectionName: http
  hostnames:
  - app.example.com
  rules:
  - filters:
    - type: RequestRedirect
      requestRedirect:
        scheme: https
        statusCode: 301
```

Setting `sectionName: http` ensures this route attaches only to the HTTP listener. The redirect uses a 301 (permanent) status code so browsers cache it.

### Add your application route on HTTPS

```yaml title="app-route.yaml"
apiVersion: gateway.apoxy.dev/v1
kind: HTTPRoute
metadata:
  name: app-route
spec:
  parentRefs:
  - name: default
    sectionName: https
  hostnames:
  - app.example.com
  rules:
  - backendRefs:
    - kind: Backend
      name: app-backend
      port: 8080
```

Backends define the upstream services your routes forward to — see [Routing traffic](/docs/docs/guides/routing-traffic.md) for setup details.

Apply everything:

```bash title="terminal"
apoxy apply -f redirect.yaml -f app-route.yaml
```

### Verify

```bash title="terminal"
curl -I http://app.example.com/
```

You should see:

```
HTTP/1.1 301 Moved Permanently
Location: https://app.example.com/
```

## Wildcard subdomains

When you have many subdomains — `api.example.com`, `dashboard.example.com`, `docs.example.com` — you don't want a separate redirect for each one. Use a wildcard hostname instead.

### Single redirect covering all subdomains

```yaml title="wildcard-redirect.yaml"
apiVersion: gateway.apoxy.dev/v1
kind: HTTPRoute
metadata:
  name: wildcard-http-to-https
spec:
  parentRefs:
  - name: default
    sectionName: http
  hostnames:
  - "*.example.com"
  rules:
  - filters:
    - type: RequestRedirect
      requestRedirect:
        scheme: https
        statusCode: 301
```

One route, one rule — every subdomain that hits port 80 gets redirected to HTTPS.

### Per-subdomain application routes

You can attach specific routes to the HTTPS listener by hostname:

```yaml title="per-subdomain-routes.yaml"
apiVersion: gateway.apoxy.dev/v1
kind: HTTPRoute
metadata:
  name: api-route
spec:
  parentRefs:
  - name: default
    sectionName: https
  hostnames:
  - api.example.com
  rules:
  - backendRefs:
    - kind: Backend
      name: api-backend
      port: 8080

---
apiVersion: gateway.apoxy.dev/v1
kind: HTTPRoute
metadata:
  name: dashboard-route
spec:
  parentRefs:
  - name: default
    sectionName: https
  hostnames:
  - dashboard.example.com
  rules:
  - backendRefs:
    - kind: Backend
      name: dashboard-backend
      port: 3000
```

Each route matches a specific subdomain even though the default Gateway's HTTPS listener accepts all hostnames. The redirect route handles the HTTP→HTTPS bounce for all of them.

## Key points

- Use `sectionName` in `parentRefs` to target a specific listener. Without it, the route attaches to every compatible listener on the Gateway.
- Use 301 for permanent redirects (browsers cache them) or 302 if you might revert later.
- Wildcard hostnames in routes use `*.domain.com` syntax — they match one subdomain level.
- Keep the redirect route and application routes as separate resources. This makes it easy to disable the redirect without touching application routing.
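
The first key point is the one that bites in practice: an application route without `sectionName` is also served on port 80. The following linter is an added example, not part of Apoxy's tooling. It assumes the manifests have already been parsed from YAML into dicts, uses the listener names `http` and `https` from this page, and treats wildcards as matching one subdomain level as stated above. The helper names and the sample routes are constructed for illustration.

```python
# Added example: lint parsed HTTPRoute manifests for plaintext exposure.
# Listener names "http"/"https" follow the page; the route data is constructed.

def host_covered(host, patterns):
    """Exact match, or a '*.' wildcard matching exactly one extra label."""
    parent = host.split(".", 1)[1] if "." in host else ""
    return any(p == host or (p.startswith("*.") and p[2:] == parent)
               for p in patterns)

def is_https_redirect(rule):
    return any(f.get("type") == "RequestRedirect"
               and f.get("requestRedirect", {}).get("scheme") == "https"
               for f in rule.get("filters", []))

def lint_routes(routes):
    findings, redirect_hosts, served = [], [], []
    for r in routes:
        name, spec = r["metadata"]["name"], r["spec"]
        sections = [p.get("sectionName") for p in spec.get("parentRefs", [])]
        rules = spec.get("rules", [])
        has_backend = any(rule.get("backendRefs") for rule in rules)
        if None in sections:  # attaches to every compatible listener
            findings.append((name, "parentRef without sectionName"))
        if has_backend and "http" in sections:
            findings.append((name, "backend served on http listener"))
        if "http" in sections and rules and all(map(is_https_redirect, rules)):
            redirect_hosts += spec.get("hostnames", [])
        if has_backend:
            served += [(name, h) for h in spec.get("hostnames", [])]
    for name, host in served:  # every served hostname needs a redirect on http
        if not host_covered(host, redirect_hosts):
            findings.append((name, "no http redirect covers " + host))
    return findings

def route(name, section, hosts, rule):
    """Build a minimal manifest dict shaped like the YAML on this page."""
    ref = {"name": "default"}
    if section:
        ref["sectionName"] = section
    return {"metadata": {"name": name},
            "spec": {"parentRefs": [ref], "hostnames": hosts, "rules": [rule]}}

REDIRECT = {"filters": [{"type": "RequestRedirect",
                         "requestRedirect": {"scheme": "https", "statusCode": 301}}]}
BACKEND = {"backendRefs": [{"kind": "Backend", "name": "svc", "port": 8080}]}
SAMPLE = [  # constructed routes; legacy-route is the deliberately bad one
    route("wildcard-http-to-https", "http", ["*.example.com"], REDIRECT),
    route("api-route", "https", ["api.example.com"], BACKEND),
    route("legacy-route", None, ["legacy.example.net"], BACKEND),
]
```

Run `lint_routes` over your parsed manifests before applying them; an empty list means every backend route is pinned to a listener other than `http` and every served hostname has a redirect on port 80.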
