16 days ago
Before the major outage on May 19, 2026, visiting my custom
domain automatically loaded via HTTPS without any browser warning.
Since the service was restored after the outage, when a user
types the domain directly in the browser address bar (mobile
or desktop), the browser attempts HTTP first and shows a
"Not secure" warning before redirecting to HTTPS.
This did not happen before the May 19 outage. Railway's edge
was handling HTTPS enforcement automatically for custom domains.
What we've tried:
- Added HTTP→HTTPS redirect middleware in Express (301)
- Added HSTS header (max-age=31536000; includeSubDomains)
- Verified SSL certificate is active and valid in Railway settings
- Redeployed multiple times since the outage
- curl confirms the 301 redirect works from Express side
The redirect works technically but the browser still shows
the "Not secure" warning during the HTTP→HTTPS redirect,
which didn't happen before the outage.
Service: Node.js + Express
Plan: Hobby
6 Replies
Status changed to Open Railway • 16 days ago
16 days ago
Have you tried accessing the site from an incognito window? (I'd also try removing the domain from Railway and adding it back after ~10-15 mins and update DNS records if necessary).
16 days ago
Yes, tested in incognito window — same behavior. The issue is not browser cache related.
Regarding removing and re-adding the domain: before trying that, can you confirm if Railway's edge automatically enforced HTTP→HTTPS redirects for custom domains before the May 19 outage?
We want to understand if this is expected behavior or a regression from the incident.
alvarodevicente
Yes, tested in incognito window — same behavior. The issue is not browser cache related. Regarding removing and re-adding the domain: before trying that, can you confirm if Railway's edge automatically enforced HTTP→HTTPS redirects for custom domains before the May 19 outage? We want to understand if this is expected behavior or a regression from the incident.
16 days ago
HTTPS is only enforced if the domain has the correct DNS records (as that's the only condition where Railway would issue a certificate).
16 days ago
The domain is tupala.es
SSL certificate is valid (Let's Encrypt, expires August 2026).
HTTPS works perfectly. The issue is only that HTTP requests
are not redirected to HTTPS at Railway's edge level.
16 days ago
Update: I've been able to reproduce this more precisely.
The "Not Secure" warning only appears when a user types "tupala.es" directly in the address bar without the https:// prefix.
The browser attempts http://tupala.es first, and the warning shows during that initial HTTP connection — before the 301 redirect kicks in at the Express level.
Users arriving from Google or any https:// link are not affected. The issue is specifically the cold first load via bare domain.
We already tried removing and re-adding the custom domain in Railway's Networking settings as suggested. Railway assigned a new subdomain and we updated the DNS records accordingly — but the behavior persists.
Is there any way to enforce HTTP→HTTPS at the edge level for custom domains on the Hobby plan?