Securing your GitHub Pages site with HTTPS

HTTPS adds a layer of encryption that prevents others from snooping on or tampering with traffic to your site. You can enforce HTTPS for your GitHub Pages site to transparently redirect all HTTP requests to HTTPS.

GitHub Pages is available in public repositories with GitHub Free and GitHub Free for organizations, and in public and private repositories with GitHub Pro, GitHub Team, GitHub Enterprise Cloud, and GitHub Enterprise Server. For more information, see "GitHub's products."

People with admin permissions for a repository can enforce HTTPS for a GitHub Pages site.

About HTTPS and GitHub Pages

All GitHub Pages sites, including sites that are correctly configured with a custom domain, support HTTPS and HTTPS enforcement. For more information about custom domains, see "About custom domains and GitHub Pages" and "Troubleshooting custom domains and GitHub Pages."

GitHub Pages sites shouldn't be used for sensitive transactions like sending passwords or credit card numbers.

Warning: GitHub Pages sites are publicly available on the internet by default, even if the repository for the site is private or internal. If your project site is published from a private or internal repository owned by an organization using GitHub Enterprise Cloud, you can manage access control for the site. Otherwise, if you have sensitive data in your site's repository, you may want to remove the data before publishing. For more information, see "About repository visibility" and "Changing the visibility of your GitHub Pages site."

Enforcing HTTPS for your GitHub Pages site

  1. On GitHub, navigate to your site's repository.

  2. Under your repository name, click Settings.

  3. In the left sidebar, click Pages.

  4. Under "GitHub Pages," select Enforce HTTPS.

Resolving problems with mixed content

If you enable HTTPS for your GitHub Pages site but your site's HTML still references images, CSS, or JavaScript over HTTP, then your site is serving mixed content. Serving mixed content may make your site less secure and cause trouble loading assets.

To remove your site's mixed content, make sure all your assets are served over HTTPS by changing http:// to https:// in your site's HTML.

Assets are commonly found in the following locations:

  • If your site uses Jekyll, your HTML files will probably be found in the _layouts folder.
  • CSS is usually found in the <head> section of your HTML file.
  • JavaScript is usually found in the <head> section or just before the closing </body> tag.
  • Images are often found in the <body> section.

Tip: If you can't find your assets in your site's source files, try searching your site's source files for http in your text editor or on GitHub.

Examples of assets referenced in an HTML file

  • CSS
      HTTP:  <link rel="stylesheet" href="http://example.com/css/main.css">
      HTTPS: <link rel="stylesheet" href="https://example.com/css/main.css">
  • JavaScript
      HTTP:  <script type="text/javascript" src="http://example.com/js/main.js"></script>
      HTTPS: <script type="text/javascript" src="https://example.com/js/main.js"></script>
  • Image
      HTTP:  <A HREF="http://www.somesite.com"><IMG SRC="http://www.example.com/logo.jpg" alt="Logo"></a>
      HTTPS: <A HREF="https://www.somesite.com"><IMG SRC="https://www.example.com/logo.jpg" alt="Logo"></a>
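
A more targeted version of the search described in the tip above, as an added example that is not part of GitHub's documentation: a Python script that parses each HTML file and reports only the tags that load an asset over http://, with the line number, so prose that merely mentions "http" is not flagged. The _site directory in the usage comment and the set of tags checked are assumptions.

```python
"""Report sub-resources that an HTML file loads over plain HTTP (mixed content)."""
import sys
from html.parser import HTMLParser
from pathlib import Path

# Tag -> attribute holding a URL the browser fetches while rendering the page.
# <a href> is navigation, not a sub-resource load, so it is not reported.
ASSET_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "link": "href",
}
# <link> only loads content for these rel values (rel="canonical" etc. do not).
LOADING_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url)

    def handle_starttag(self, tag, attrs):
        attr = ASSET_ATTRS.get(tag)  # HTMLParser lowercases tag and attr names
        if attr is None:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & LOADING_RELS:
                return
        url = (attrs.get(attr) or "").strip()
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    # Usage: python find_mixed_content.py _site   (directory name is an assumption)
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    hits = [(p, f) for p in sorted(root.rglob("*.html"))
            for f in find_mixed_content(p.read_text(errors="replace"))]
    for path, (line, tag, url) in hits:
        print(f"{path}:{line}: <{tag}> loads {url}")
    sys.exit(1 if hits else 0)
```

The script exits with status 1 when it finds anything, so it can fail a build step before the site is published.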
