HTTPS Redirect.

Security Headers & TLS Config

HTTP traffic should redirect to HTTPS — otherwise data is sent in plain text

What does this check test?

HTTPS redirect checks whether your site redirects every HTTP (port 80) request to its HTTPS (port 443) equivalent using a `301 Moved Permanently` response. A correct redirect keeps the host, the full path and the query string (e.g., `http://example.com/page?q=test` redirects to `https://example.com/page?q=test`) rather than dumping the visitor on the home page. This ensures that users who type your URL without `https://`, or who follow old HTTP links, are upgraded to a secure connection automatically.

Why does it matter?

HTTP traffic is sent in plaintext, so anyone on the path between the user and your server (coffee shop Wi-Fi, a corporate proxy, an ISP) can read and modify it in transit. That includes login credentials, session cookies, personal information and the page content itself, which an attacker can rewrite to inject scripts or swap links. Without a redirect, a user who lands on the HTTP version stays on an insecure connection for the entire session. The redirect must be permanent (301; 308 is the equivalent that also preserves the request method) rather than temporary (302 or 307): browsers cache a permanent redirect and search engines update their index to the HTTPS URL, whereas a temporary redirect makes every visit start with a fresh plaintext request. Note that even a correct redirect only kicks in after one plaintext request has already left the browser, which is why the redirect is paired with HSTS and the `Secure` flag on cookies.

Who is affected?

Every website that supports HTTPS should redirect HTTP traffic; there is no valid reason to serve content over HTTP when HTTPS is available. This is especially critical for sites handling authentication, personal data or financial transactions. Search engines also favor HTTPS, so the redirect has SEO benefits. Sites using HSTS still need the redirect: a browser only learns the `Strict-Transport-Security` policy from an HTTPS response, so the first visit (and every visit from a browser that has never seen the header, unless the domain is on the preload list) still arrives over HTTP and must be redirected.

Where does this apply?

The redirect must be configured wherever requests on port 80 are first accepted. For Nginx or Apache, this is typically a separate `server` block or `<VirtualHost>` for port 80. For cloud deployments, configure the redirect at the load balancer or CDN, which is where TLS usually terminates. Some hosting platforms (Vercel, Netlify, Cloudflare Pages) handle this automatically. If you implement the redirect inside the application behind a TLS-terminating proxy, remember that the app itself always sees plain HTTP: it must decide based on the `X-Forwarded-Proto` header the proxy sets, otherwise it will redirect every request and loop. Only trust that header when the proxy is guaranteed to set or overwrite it, since a client that can reach the app directly could forge it.

How to fix it

Nginx: add a server block for port 80 that answers every request with a permanent redirect

nginx
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

Apache

apache
# Place in the port 80 <VirtualHost> (or .htaccess); requires mod_rewrite.
# mod_rewrite carries the original query string over automatically.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Node.js / Express

js
const express = require('express');
const app = express();
// Honour X-Forwarded-* headers from the first proxy hop (needed for req.hostname).
app.set('trust proxy', 1);

app.use((req, res, next) => {
  // The TLS-terminating proxy reports the original scheme in X-Forwarded-Proto.
  if (req.header('x-forwarded-proto') !== 'https') {
    // originalUrl keeps the full path and query string intact.
    return res.redirect(301, 'https://' + req.hostname + req.originalUrl);
  }
  next();
});

Django

python
# settings.py: SecurityMiddleware answers HTTP requests with a 301 to the HTTPS URL.
SECURE_SSL_REDIRECT = True
# Only set this when your proxy always sets/overwrites X-Forwarded-Proto;
# otherwise a client can forge the header and skip the redirect.
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

Flask

python
from flask import Flask
from flask_talisman import Talisman

app = Flask(__name__)
# force_https_permanent makes Talisman use 301 instead of its default 302.
Talisman(app, force_https=True, force_https_permanent=True)

Next.js: most hosting platforms (Vercel, Netlify) handle the HTTPS redirect automatically. For custom servers, use middleware:

ts
// middleware.ts
import { NextResponse, type NextRequest } from 'next/server';

export function middleware(request: NextRequest) {
  // Behind a TLS-terminating proxy the original scheme arrives in X-Forwarded-Proto.
  if (request.headers.get('x-forwarded-proto') !== 'https') {
    const host = request.headers.get('host') ?? request.nextUrl.host;
    // Keep both path and query string so deep links survive the redirect.
    const { pathname, search } = request.nextUrl;
    return NextResponse.redirect(`https://${host}${pathname}${search}`, 301);
  }
  return NextResponse.next();
}

Spring Boot

properties
# application.properties. Spring Boot listens on a single port, so enable TLS on
# it and let the reverse proxy or load balancer answer port 80 (or add a second
# HTTP connector). security.require-ssl was removed in Spring Boot 2.x.
server.ssl.enabled=true
# Read X-Forwarded-Proto from the proxy so the app knows the original scheme.
server.forward-headers-strategy=native

java
// Spring Security: redirect any request that arrived over plain HTTP.
// Channel security sends a 302 by default, not a 301, so for a permanent
// redirect configure it at the proxy or load balancer instead.
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.requiresChannel(channel -> channel.anyRequest().requiresSecure());
    return http.build();
}

For AWS ALB, add a rule on the HTTP (port 80) listener with a redirect action to HTTPS, status code `HTTP_301`, keeping the default `#{host}`, `#{path}` and `#{query}` placeholders so the full URL is preserved.

Test by running `curl -sI "http://yoursite.com/page?q=test"` and confirming a `301` with `Location: https://yoursite.com/page?q=test`: same host, path and query string intact. Also confirm that the HTTPS URL itself returns `200` rather than another redirect (which would loop), and that both the bare domain and the `www.` variant redirect.

AppVet checks HTTPS Redirect automatically