transport-http-not-redirected
Plain HTTP not redirected to HTTPS
Your site has HTTPS, but visitors who type the address without "https://" still land on the unsecured version. The fix is a one-line redirect, and it closes a real and frequently-exploited gap.
What this means in plain English
Your site is reachable over HTTPS — the version with the lock icon
and encryption — but it’s also still reachable over plain HTTP, the
older unencrypted version. When a visitor types
your-domain.example (without https://) into the address bar,
their browser sends an unencrypted HTTP request first, and your
server happily answers it.
Every modern site closes this by sending a one-line redirect that says “go to the HTTPS version instead”. Without that redirect, the plain version stays available, and an attacker on the network can keep visitors on it.
Why it matters to your business
Three concrete risks:
-
Session hijacking on the first visit. A returning customer types your domain. The browser tries HTTP first. An attacker on the network catches the unencrypted request and serves a fake page. The visitor never realises they’re not talking to your server.
-
SSL stripping. A more sophisticated attacker on the network secretly relays HTTPS to your server but serves the visitor an unencrypted version. Without HSTS, the only signal the visitor gets is “no padlock” — and most people don’t notice.
-
HSTS can’t kick in. HSTS (the next layer of defence — see HSTS article) only takes effect after the visitor has at least one successful HTTPS connection. If they keep landing on plain HTTP first, HSTS never gets to do its job.
The fix is essentially free and removes all three risks.
How to fix it
Whoever runs your web server adds a one-line rule that says “for anything that arrives on plain HTTP, send back a redirect to the HTTPS version”. The redirect should be type 301 (permanent), not 302 — browsers and search engines cache 301s, which is what you want.
Common server snippets:
nginx:
server {
listen 80;
server_name your-domain.example www.your-domain.example;
return 301 https://$host$request_uri;
}
Caddy does this automatically once HTTPS is configured — no extra block needed.
Apache in .htaccess:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Cloudflare has a one-toggle setting in its dashboard: SSL/TLS → Edge Certificates → Always Use HTTPS.
After deploying, you can verify in a terminal with:
curl -I http://your-domain.example/
You should see HTTP/1.1 301 Moved Permanently and a Location:
header pointing at the https:// version. Make sure it works for the
main domain, the www variant, and any deep page (/some/page).
Once the redirect has been live and stable for a week or two, enable HSTS as the next layer — that locks browsers into HTTPS even before their first visit.
Further reading
- Mozilla SSL Configuration Generator — produces correct server configuration including the redirect.
- OWASP Transport Layer Security Cheat Sheet
- Chrome’s HTTPS-upgrade rollout (2024)