Why your site needs an HTTP→HTTPS redirect
Even with HTTPS available, your site needs to actively redirect HTTP requests to HTTPS. Otherwise users who reach the HTTP version stay on an unencrypted, interceptable connection.
What it is
When someone types yourdomain.com without https://, the browser tries HTTP first. If your server answers on port 80 with content instead of a redirect, that page load is unencrypted.
The fix is a permanent (301) redirect from every HTTP URL to its HTTPS equivalent on the same domain.
Why it matters
Unencrypted traffic can be read or modified by anyone on the network path — public Wi-Fi, a compromised router, an ISP. That includes form data and cookies without the Secure flag.
A redirect that points to the wrong domain, or a chain of several hops, adds latency and can itself be a sign of misconfiguration or hijacking.
How to fix it
Answer on port 80 with a single 301 to HTTPS.
```nginx
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$host$request_uri;
}
```
A redirect handles the first hop; HSTS then tells the browser to skip HTTP entirely on future visits. Use both together.
Redirect straight from HTTP to the canonical HTTPS URL in one hop rather than bouncing through www/non-www and trailing-slash variants.
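As an added example (not code from the original page or from AppSafe), the checker below evaluates a redirect chain for the problems described in this section: port 80 serving content instead of redirecting, a 302 instead of a 301, a redirect to http:// or to a different host, a dropped path or query string, and a multi-hop chain. Host names such as example.test are constructed for the test chains; the optional fetch_chain helper uses only the standard library to collect a live chain without following redirects automatically.

```python
"""Evaluate an HTTP->HTTPS redirect chain against the single-301 rule."""
import http.client
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urljoin, urlparse


@dataclass
class Hop:
    """One response in a redirect chain (constructed for tests or fetched live)."""
    url: str                  # URL that was requested
    status: int               # HTTP status code returned
    location: Optional[str]   # Location header, if the response was a redirect


def _is_redirect(hop: Hop) -> bool:
    return 300 <= hop.status < 400 and bool(hop.location)


def evaluate_redirect(hops: List[Hop], expected_host: str) -> List[str]:
    """Return finding codes for a chain that starts at an http:// URL.

    An empty list means: one 301 straight to the https:// URL on expected_host,
    with path and query preserved, and no further redirects afterwards.
    """
    findings: List[str] = []
    first = hops[0]
    if not _is_redirect(first):
        # Port 80 answered with a page (or an error) instead of sending the browser to HTTPS.
        return ["http-served-content"]
    if first.status != 301:
        findings.append(f"non-permanent-redirect:{first.status}")

    origin = urlparse(first.url)
    target = urlparse(urljoin(first.url, first.location))
    if target.scheme != "https":
        findings.append("redirect-not-https")
    if target.hostname != expected_host:
        findings.append(f"redirect-wrong-host:{target.hostname}")
    if (origin.path or "/", origin.query) != (target.path or "/", target.query):
        # Equivalent of nginx's $request_uri: the HTTPS URL must keep path and query.
        findings.append("path-not-preserved")

    # Every 3xx beyond the first is an avoidable hop (www/non-www, trailing slash, ...).
    redirect_count = sum(1 for h in hops if _is_redirect(h))
    if redirect_count > 1:
        findings.append(f"redirect-chain:{redirect_count}")
    return findings


def fetch_chain(start_url: str, max_hops: int = 5) -> List[Hop]:
    """Collect the redirect chain for start_url hop by hop (requires network access)."""
    hops: List[Hop] = []
    url = start_url
    for _ in range(max_hops):
        p = urlparse(url)
        conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
        conn = conn_cls(p.hostname, p.port, timeout=10)
        path = (p.path or "/") + (f"?{p.query}" if p.query else "")
        conn.request("GET", path, headers={"Host": p.hostname})
        resp = conn.getresponse()
        location = resp.getheader("Location")
        hops.append(Hop(url, resp.status, location))
        conn.close()
        if not (300 <= resp.status < 400 and location):
            break
        url = urljoin(url, location)
    return hops


if __name__ == "__main__":
    # Constructed chain: the misconfiguration the page warns about (bounce via www, then HTTPS).
    chain = [
        Hop("http://example.test/", 301, "http://www.example.test/"),
        Hop("http://www.example.test/", 301, "https://www.example.test/"),
        Hop("https://www.example.test/", 200, None),
    ]
    print(evaluate_redirect(chain, "example.test"))
```

A clean result is an empty list; anything else names the specific deviation from "one 301 to the same host over https://". Run fetch_chain against your own domain and pass the result to evaluate_redirect to check a live server.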
FAQ
Isn't having an SSL certificate enough?
No. A certificate enables HTTPS, but without a redirect users can still load the HTTP version. You need both.
301 or 302 redirect?
Use 301 (permanent). It's cacheable and signals to browsers and search engines that HTTPS is the canonical version.
Related guides
HTTP Strict Transport Security (HSTS) explained
Force every connection to use HTTPS — even the first one.
Secure, HttpOnly, and SameSite cookie flags
Three flags that keep session cookies from being stolen.
Content-Security-Policy (CSP): what it is and how to add one
The header that stops injected scripts from running.