diff --git a/core/includes/common.inc b/core/includes/common.inc
index bb1b8a4..87edb2b 100644
--- a/core/includes/common.inc
+++ b/core/includes/common.inc
@@ -2158,7 +2158,7 @@ function url($path = NULL, array $options = array()) {
     if ($options['query']) {
       $path .= (strpos($path, '?') !== FALSE ? '&' : '?') . drupal_http_build_query($options['query']);
     }
-    if (isset($options['https']) && variable_get('https', FALSE)) {
+    if (isset($options['https']) && config('system.site')->get('https')) {
       if ($options['https'] === TRUE) {
         $path = str_replace('http://', 'https://', $path);
       }
@@ -2174,7 +2174,7 @@ function url($path = NULL, array $options = array()) {
 
   // The base_url might be rewritten from the language rewrite in domain mode.
   if (!isset($options['base_url'])) {
-    if (isset($options['https']) && variable_get('https', FALSE)) {
+    if (isset($options['https']) && config('system.site')->get('https')) {
       if ($options['https'] === TRUE) {
         $options['base_url'] = $base_secure_url;
         $options['absolute'] = TRUE;
diff --git a/core/includes/form.inc b/core/includes/form.inc
index 5f580fb..d164093 100644
--- a/core/includes/form.inc
+++ b/core/includes/form.inc
@@ -1781,7 +1781,7 @@ function form_builder($form_id, &$element, &$form_state) {
 
   // Special handling if we're on the top level form element.
   if (isset($element['#type']) && $element['#type'] == 'form') {
-    if (!empty($element['#https']) && variable_get('https', FALSE) &&
+    if (!empty($element['#https']) && config('system.site')->get('https') &&
         !url_is_external($element['#action'])) {
       global $base_root;
 
diff --git a/core/includes/session.inc b/core/includes/session.inc
index b9b8fbc..83b26d2 100644
--- a/core/includes/session.inc
+++ b/core/includes/session.inc
@@ -191,14 +191,14 @@ function _drupal_session_write($sid, $value) {
         // The "secure pages" setting allows a site to simultaneously use both
         // secure and insecure session cookies. If enabled and both cookies are
         // presented then use both keys.
-        if (variable_get('https', FALSE)) {
+        if (config('system.site')->get('https')) {
           $insecure_session_name = substr(session_name(), 1);
           if (isset($_COOKIE[$insecure_session_name])) {
             $key['sid'] = $_COOKIE[$insecure_session_name];
           }
         }
       }
-      elseif (variable_get('https', FALSE)) {
+      elseif (config('system.site')->get('https')) {
         unset($key['ssid']);
       }
 
@@ -242,7 +242,7 @@ function drupal_session_initialize() {
 
   // We use !empty() in the following check to ensure that blank session IDs
   // are not valid.
-  if (!empty($_COOKIE[session_name()]) || ($is_https && variable_get('https', FALSE) && !empty($_COOKIE[substr(session_name(), 1)]))) {
+  if (!empty($_COOKIE[session_name()]) || ($is_https && config('system.site')->get('https') && !empty($_COOKIE[substr(session_name(), 1)]))) {
     // If a session cookie exists, initialize the session. Otherwise the
     // session is only started on demand in drupal_session_commit(), making
     // anonymous users not use a session cookie unless something is stored in
@@ -263,7 +263,7 @@ function drupal_session_initialize() {
     // anonymous users than are generated in drupal_session_regenerate() when
     // a user becomes authenticated.
     session_id(drupal_hash_base64(uniqid(mt_rand(), TRUE)));
-    if ($is_https && variable_get('https', FALSE)) {
+    if ($is_https && config('system.site')->get('https')) {
       $insecure_session_name = substr(session_name(), 1);
       $session_id = drupal_hash_base64(uniqid(mt_rand(), TRUE));
       $_COOKIE[$insecure_session_name] = $session_id;
@@ -318,7 +318,7 @@ function drupal_session_commit() {
     // started.
     if (!drupal_session_started()) {
       drupal_session_start();
-      if ($is_https && variable_get('https', FALSE)) {
+      if ($is_https && config('system.site')->get('https')) {
         $insecure_session_name = substr(session_name(), 1);
         $params = session_get_cookie_params();
         $expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
@@ -354,7 +354,7 @@ function drupal_session_regenerate() {
     return;
   }
 
-  if ($is_https && variable_get('https', FALSE)) {
+  if ($is_https && config('system.site')->get('https')) {
     $insecure_session_name = substr(session_name(), 1);
     if (!isset($GLOBALS['lazy_session']) && isset($_COOKIE[$insecure_session_name])) {
       $old_insecure_session_id = $_COOKIE[$insecure_session_name];
@@ -383,7 +383,7 @@ function drupal_session_regenerate() {
       $fields['ssid'] = session_id();
       // If the "secure pages" setting is enabled, use the newly-created
       // insecure session identifier as the regenerated sid.
-      if (variable_get('https', FALSE)) {
+      if (config('system.site')->get('https')) {
         $fields['sid'] = $session_id;
       }
     }
@@ -443,7 +443,7 @@ function _drupal_session_destroy($sid) {
   if ($is_https) {
     _drupal_session_delete_cookie(substr(session_name(), 1), FALSE);
   }
-  elseif (variable_get('https', FALSE)) {
+  elseif (config('system.site')->get('https')) {
     _drupal_session_delete_cookie('S' . session_name(), TRUE);
   }
 }
diff --git a/core/modules/language/language.negotiation.inc b/core/modules/language/language.negotiation.inc
index fa6a517..d9239f5 100644
--- a/core/modules/language/language.negotiation.inc
+++ b/core/modules/language/language.negotiation.inc
@@ -479,7 +479,7 @@ function language_url_rewrite_url(&$path, &$options) {
             $options['base_url'] .= ':' . $port;
           }
 
-          if (isset($options['https']) && variable_get('https', FALSE)) {
+          if (isset($options['https']) && config('system.site')->get('https')) {
             if ($options['https'] === TRUE) {
               $options['base_url'] = str_replace('http://', 'https://', $options['base_url']);
             }
diff --git a/core/modules/language/lib/Drupal/language/Tests/LanguageUILanguageNegotiationTest.php b/core/modules/language/lib/Drupal/language/Tests/LanguageUILanguageNegotiationTest.php
index f212a95..f0157f1 100644
--- a/core/modules/language/lib/Drupal/language/Tests/LanguageUILanguageNegotiationTest.php
+++ b/core/modules/language/lib/Drupal/language/Tests/LanguageUILanguageNegotiationTest.php
@@ -402,6 +402,7 @@ function testUrlLanguageFallback() {
    * Tests url() when separate domains are used for multiple languages.
    */
   function testLanguageDomain() {
+    $config = config('system.site');
     // Add the Italian language.
     $langcode = 'it';
     $language = new Language(array(
@@ -437,11 +438,11 @@ function testLanguageDomain() {
     $this->assertTrue($italian_url == $correct_link, format_string('The url() function returns the right URL (@url) in accordance with the chosen language', array('@url' => $italian_url)));
 
     // Test HTTPS via options.
-    variable_set('https', TRUE);
+    $config->set('https', TRUE)->save();
     $italian_url = url('admin', array('https' => TRUE, 'language' => $languages['it'], 'script' => ''));
     $correct_link = 'https://' . $link;
     $this->assertTrue($italian_url == $correct_link, format_string('The url() function returns the right HTTPS URL (via options) (@url) in accordance with the chosen language', array('@url' => $italian_url)));
-    variable_set('https', FALSE);
+    $config->set('https', FALSE)->save();
 
     // Test HTTPS via current URL scheme.
     $temp_https = $is_https;
diff --git a/core/modules/system/config/system.site.yml b/core/modules/system/config/system.site.yml
index 010dedf..cf59add 100644
--- a/core/modules/system/config/system.site.yml
+++ b/core/modules/system/config/system.site.yml
@@ -1,3 +1,4 @@
+https: '0'
 name: Drupal
 mail: ''
 slogan: ''
diff --git a/core/modules/system/lib/Drupal/system/Tests/Session/SessionHttpsTest.php b/core/modules/system/lib/Drupal/system/Tests/Session/SessionHttpsTest.php
index f871b61..839dec9 100644
--- a/core/modules/system/lib/Drupal/system/Tests/Session/SessionHttpsTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/Session/SessionHttpsTest.php
@@ -113,7 +113,7 @@ protected function testHttpsSession() {
     }
 
     // Enable secure pages.
-    variable_set('https', TRUE);
+    config('system.site')->set('https', TRUE)->save();
 
     $this->curlClose();
     // Start an anonymous session on the insecure site.
diff --git a/core/modules/system/lib/Drupal/system/Tests/Upgrade/SystemUpgradePathTest.php b/core/modules/system/lib/Drupal/system/Tests/Upgrade/SystemUpgradePathTest.php
index db95f06..2b720f9 100644
--- a/core/modules/system/lib/Drupal/system/Tests/Upgrade/SystemUpgradePathTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/Upgrade/SystemUpgradePathTest.php
@@ -73,6 +73,7 @@ public function testSystemVariableUpgrade() {
       'page.403' => '403',
       'page.404' => '404',
       'page.front' => 'node',
+      'https' => '0',
     );
 
     foreach ($expected_config as $file => $values) {
diff --git a/core/modules/system/system.install b/core/modules/system/system.install
index 05459d0..5704a99 100644
--- a/core/modules/system/system.install
+++ b/core/modules/system/system.install
@@ -2102,6 +2102,15 @@ function system_update_8022() {
 }
 
 /**
+ * Moves https from variable to config
+ */
+function system_update_8023() {
+  update_variables_to_config('system.site', array(
+    'https' => 'https',
+  ));
+}
+
+/**
  * @} End of "defgroup updates-7.x-to-8.x".
  * The next series of updates should start at 9000.
  */