Why is a custom domain available through plain HTTP?

Hello 🙂

We have set up a custom domain and it works fine. The only issue that we have is that it is available through HTTP (as well as HTTPS), which can pose a security threat to us because passwords are transmitted via plain text. I cannot find any option to set up an SSL redirect and I couldn’t find anything related to my question on the forum. I’ll appreciate it if anyone could shed light on this.

Did you provide the right cert?

Okta serves pages on your custom domain over HTTPS. To set up this feature, you need to provide a TLS certificate that is valid for your domain.

https://developer.okta.com/docs/guides/custom-url-domain/overview/

@warren Thank you, warren, for your response. Yes, HTTPS works. My question is why Okta is serving on HTTP as well and is not performing an SSL redirect.

Can you provide an example of where Okta is serving over HTTP?

@mraible So we have a custom domain set up in Okta, which is working, say foo.bar.com. When I open http://foo.bar.com it doesn’t redirect me to https://foo.bar.com. What I expected was to be redirected to https://foo.bar.com, because http://foo.bar.com is insecure.

AFAIK, that’s not Okta doing that, it’s your DNS provider. I’ve only ever used Cloudflare for a custom domain and it worked well for me. Create a custom domain with Cloudflare | Okta Developer
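To pin down what the thread is describing, the first answer on port 80 can be classified without following redirects. The sketch below is an added example, not code from Okta or from any poster; the function names, the result labels and the sample responses are assumptions made for illustration, and `foo.bar.com` is the placeholder host used in the thread.

```python
import http.client
from urllib.parse import urlsplit

def classify_http_response(host, status, headers):
    """Classify the answer to a plain-HTTP GET sent to `host` (port 80)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308):
        target = urlsplit(hdrs.get("location", ""))
        if target.scheme != "https":
            return "redirect-not-https"
        if target.hostname != host.lower():
            return "redirect-other-host"
        # 301/308 are cacheable by default; 302/303/307 are not.
        return "https-redirect-permanent" if status in (301, 308) else "https-redirect-temporary"
    if 200 <= status < 300:
        return "served-over-http"  # the behaviour reported in the thread
    return "not-served"  # 4xx/5xx: no page content over HTTP

def hsts_max_age(headers):
    """Return max-age from Strict-Transport-Security (0 if absent or invalid)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    for part in hdrs.get("strict-transport-security", "").split(";"):
        name, _, value = part.strip().partition("=")
        value = value.strip().strip('"')
        if name.strip().lower() == "max-age" and value.isdigit():
            return int(value)
    return 0

def probe(host, timeout=5):
    """Live check: http.client never follows redirects, so we see the first answer."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return classify_http_response(host, resp.status, dict(resp.getheaders()))
    finally:
        conn.close()

# Constructed sample responses (not captured from any real tenant).
SAMPLES = {
    "page over HTTP": (200, {"Content-Type": "text/html"}),
    "redirect": (301, {"Location": "https://foo.bar.com/"}),
    "redirect elsewhere": (302, {"Location": "https://login.example.net/"}),
}

if __name__ == "__main__":
    for label, (status, headers) in SAMPLES.items():
        print(label, "->", classify_http_response("foo.bar.com", status, headers))
    print("HSTS max-age:", hsts_max_age({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
```

Browsers honour `Strict-Transport-Security` only when it arrives over HTTPS, so `hsts_max_age` is meant for the headers of the HTTPS response, while `probe` and `classify_http_response` describe the port 80 answer.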