528
HTTP · CLIENT_ERROR · Notable · 5xx Cloudflare · HIGH confidence

Must Use HTTPS

Production Risk

Medium — indicates a misconfigured client or application sending plain-HTTP requests; audit all outbound URLs.

What this means

528 Must Use HTTPS is returned by Cloudflare when a resource is only available over HTTPS but was requested over plain HTTP. The resource exists and is reachable — the request simply used the wrong scheme.

Why it happens
  1. Client sent an HTTP request to a resource that Cloudflare is configured to serve over HTTPS only.
  2. Cloudflare's 'Always Use HTTPS' or 'HTTP Strict Transport Security (HSTS)' setting is active on the zone.
  3. A hard-coded http:// URL in application code or a redirect loop missed the scheme upgrade.
How to reproduce

A Cloudflare-proxied resource is requested over HTTP when the zone enforces HTTPS.

trigger — this will error
curl -v http://example.com/api/data
# Response: HTTP/1.1 528

expected output

HTTP/1.1 528 Must Use HTTPS

Fix 1

Retry the request with HTTPS

WHEN: the client controls the URL and can switch schemes.

# Change http:// to https://
curl -v https://example.com/api/data

Why this works

528 indicates the resource exists and is reachable — only the scheme was wrong. Switching to https:// resolves the error immediately.
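
The hard-coded http:// URLs listed under "Why it happens" can be found by auditing source and config files before a client ever sends them. The scanner below is an added example, not part of the original page; its function names, the file suffix list, the loopback exemption and the sample input are assumptions made for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit, urlunsplit

# Assumption: loopback targets never cross the network, so they are not flagged.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
URL_RE = re.compile(r"http://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample input, not taken from any real project.
SAMPLE = '''\
API_BASE = "http://example.com/api/data"
HEALTH = "http://localhost:8080/healthz"
DOCS = "https://example.com/docs"
# callback: http://example.com:80/hook?id=1.
'''

def find_plain_http(text):
    """Return (line_no, url, suggested_https_url) for each non-loopback http:// URL."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            url = match.group(0).rstrip(".,;")  # drop sentence punctuation
            try:
                parts = urlsplit(url)
                host, port = parts.hostname, parts.port
            except ValueError:  # malformed authority or port: skip it
                continue
            if host is None or host in LOOPBACK:
                continue
            netloc = parts.netloc
            # An explicit :80 would aim HTTPS at the plain-HTTP port, so drop it.
            if port == 80:
                netloc = netloc.rsplit(":", 1)[0]
            fixed = urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
            findings.append((line_no, url, fixed))
    return findings

def scan_tree(root, suffixes=(".py", ".js", ".json", ".yaml", ".yml", ".env")):
    """Yield (path, line_no, url, suggested_https_url) for matching files under root."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            for line_no, url, fixed in find_plain_http(text):
                yield path, line_no, url, fixed

if __name__ == "__main__":
    print(*find_plain_http(SAMPLE), sep="\n")
```

The suggested https:// form is only a candidate: confirm the host actually serves the resource over HTTPS before committing the change.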

Fix 2

Enable Cloudflare 'Always Use HTTPS'

WHEN: configuring the Cloudflare zone to prevent HTTP requests reaching origin.

# In Cloudflare dashboard:
# SSL/TLS → Edge Certificates → Always Use HTTPS → ON
# This will 301-redirect HTTP requests to HTTPS before 528 is needed.

Why this works

With 'Always Use HTTPS' enabled Cloudflare issues a 301 redirect rather than a 528, which is friendlier for browser clients.

What not to do

Disable HTTPS enforcement to stop seeing 528

This removes transport security from your origin and exposes users to man-in-the-middle attacks.

Version notes
Cloudflare

Cloudflare-specific; not defined in any IETF RFC. The 5xx range 520–599 is used by Cloudflare for CDN and edge-layer error reporting.

Content generated with AI assistance and reviewed for accuracy. Found an error? hello@errcodes.dev
