People with admin permissions for a repository can enforce HTTPS for a GitHub Pages site.
All GitHub Pages sites, including sites that are correctly configured with a custom domain, support HTTPS and HTTPS enforcement. For more information about custom domains, see "About custom domains and GitHub Pages" and "Troubleshooting custom domains and GitHub Pages."
GitHub Pages sites shouldn't be used for sensitive transactions like sending passwords or credit card numbers.
Warning: GitHub Pages sites are publicly available on the internet, even if the repository for the site is private. If you have sensitive data in your site's repository, you may want to remove the data before publishing. For more information, see "About repositories."
Note: RFC3280 states that the maximum length of the common name should be 64 characters. Therefore, the entire domain name of your GitHub Pages site must be less than 64 characters long for a certificate to be successfully created.
- On GitHub, navigate to your site's repository.
- Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
- In the "Code and automation" section of the sidebar, click Pages.
- Under "GitHub Pages," select Enforce HTTPS.
When you set or change your custom domain in the Pages settings, an automatic DNS check begins. This check determines if your DNS settings are configured to allow GitHub to obtain a certificate automatically. If the check is successful, GitHub queues a job to request a TLS certificate from Let's Encrypt. On receiving a valid certificate, GitHub automatically uploads it to the servers that handle TLS termination for Pages. When this process completes successfully, a check mark is displayed beside your custom domain name.
Please note that your GitHub Pages site must be publicly available for a Let's Encrypt certificate to be issued. Once the certificate has been issued you may revert the site to private.
The process may take some time. If the process has not completed several minutes after you clicked Save, try clicking Remove next to your custom domain name. Retype the domain name and click Save again. This will cancel and restart the provisioning process.
To remove your site's mixed content, make sure all your assets are served over HTTPS by changing http:// to https:// in your site's HTML.
Assets are commonly found in the following locations:
- If your site uses Jekyll, your HTML files will probably be found in the _layouts folder.
- CSS is usually found in the <head> section of your HTML file.
<head> section or just before the closing
- Images are often found in the
Tip: If you can't find your assets in your site's source files, try searching your site's source files for http in your text editor or on GitHub.