SSL & HTTPS
HTTP → HTTPS Redirect
Visitors who type your URL without https:// get the insecure version unless you force a redirect.
high severityWhat is this?
Having HTTPS doesn't mean all traffic is secure by default. If someone types yourdomain.com in their browser (without the https://), their browser first tries plain HTTP. Without a redirect, they'll see your site over an insecure connection with "Not Secure" in the address bar.
The fix is a 301 redirect: when anyone visits http://yourdomain.com, immediately redirect them to https://yourdomain.com.
Why it matters
- Users see "Not Secure" in Chrome. Any form submission or login over HTTP is unsafe.
- Attackers can intercept requests on public WiFi - cafés, airports, hotels - before the redirect happens.
- Links shared without https:// land on the insecure version.
- Google prefers HTTPS and may index the HTTP version if there's no redirect.
How to fix it
How you fix this depends on your hosting platform:
Providers & tools
| Platform | How to enable |
|---|---|
| Vercel | Enabled by default - no action needed |
| Netlify | Site settings → Domain management → HTTPS → Force HTTPS |
| Cloudflare | SSL/TLS → Edge Certificates → Always Use HTTPS → On |
| Railway | Add redirect rule or handle in app code |
| Nginx | server {
listen 80;
return 301 https://$host$request_uri;
} |
| Express | app.use((req, res, next) => {
if (!req.secure) {
return res.redirect('https://' + req.headers.host + req.url);
}
next();
}); |
Check if your domain has this issue