diff --git a/MPF.md b/MPF.md
index f035f851e4..e19c30253c 100644
--- a/MPF.md
+++ b/MPF.md
@@ -313,6 +313,7 @@ By default Mission Portal listens for HTTP requests on port 80, redirecting to H
 
 * Added in CFEngine 3.6.0
 * Class renamed from `cfe_cfengine_enterprise_enable_plain_http` to `cfe_enterprise_disable_http_redirect_to_https` in CFEngine 3.23.0, 3.21.3
+* Redirection responsibility moved from Apache to PHP in CFEngine 3.27.0
 
 ### Disable cf\_promises\_validated check
 
diff --git a/cfe_internal/enterprise/mission_portal.cf b/cfe_internal/enterprise/mission_portal.cf
index b0950aaeb6..ad0b3b44ce 100644
--- a/cfe_internal/enterprise/mission_portal.cf
+++ b/cfe_internal/enterprise/mission_portal.cf
@@ -74,6 +74,21 @@ classes:
           "max_spare_servers":"${php_fpm_www_pool_max_spare_servers}"
          }');
 
+  files:
+      # http -> https redirection moved from Apache to PHP
+      # Here the flag files are managed so that PHP will know what to do
+    cfe_enterprise_disable_http_redirect_to_https::
+      "/opt/cfengine/flags/."
+        perms => mog("750", "root", "cfapache"),
+        create => "true";
+      "/opt/cfengine/flags/http_redirect_to_https.disabled" -> { "ENT-11481" }
+        perms => mog("660", "root", "cfapache"),
+        create => "true";
+
+    !cfe_enterprise_disable_http_redirect_to_https::
+      "/opt/cfengine/flags/http_redirect_to_https.disabled" -> { "ENT-11481" }
+        delete => tidy;
+
   reports:
     DEBUG::
       "Using variable default:def.php_fpm_www_pool_max_children: ${default:def.php_fpm_www_pool_max_children} instead of built-in default"
diff --git a/cfe_internal/enterprise/templates/httpd.conf.mustache b/cfe_internal/enterprise/templates/httpd.conf.mustache
index d4453eb5d7..6076d8635f 100644
--- a/cfe_internal/enterprise/templates/httpd.conf.mustache
+++ b/cfe_internal/enterprise/templates/httpd.conf.mustache
@@ -280,12 +280,6 @@ AddType    application/x-httpd-php-source php{{{vars.cfe_internal_hub_vars.php_v
   <IfModule rewrite_module>
     RewriteEngine On
 
-    {{^classes.cfe_enterprise_disable_http_redirect_to_https}}
-    # Force https with redirection
-    RewriteCond %{HTTPS} off
-    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
-    {{/classes.cfe_enterprise_disable_http_redirect_to_https}}
-
     {{#classes.mission_portal_index_php_redirect_enabled}}
     # redirect from `index.php/path` to `/path`
     RewriteCond %{REQUEST_URI} !(.*)/api/(.*) [NC]  #do not apply redirect to internal APIs for backward compatibility