SecurityStatus
high Encryption

HTTPS Redirect

Even if your site has a valid SSL certificate, visitors who type your domain without 'https://' may land on the insecure HTTP version. An HTTPS redirect ensures every visitor is automatically moved to the encrypted version before any data is exchanged.

What SecurityStatus Checks

  • Whether HTTP requests are redirected to HTTPS automatically
  • Redirect type — 301 (permanent) vs 302 (temporary) vs no redirect
  • HSTS header presence and max-age value
  • Whether the redirect happens server-side before any page content is served
  • WWW and non-WWW redirect consistency

Why This Matters

Without an HTTPS redirect, users who visit the HTTP version of your site have their connection unencrypted. Attackers on the same network can intercept this traffic, inject content, or steal session cookies before the redirect happens. A 301 redirect also consolidates SEO value to a single canonical URL.

How to Fix It

  1. Set up a 301 redirect in your web server

     For nginx, add to your HTTP server block: `return 301 https://$host$request_uri;`. For Apache, add to .htaccess: `RewriteEngine On`, then `RewriteCond %{HTTPS} off` (so the rule only fires for plain HTTP requests and cannot loop when the same .htaccess is served over HTTPS), then `RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]`.

  2. Enable HTTPS redirect in Cloudflare

     If using Cloudflare, go to SSL/TLS > Edge Certificates and enable 'Always Use HTTPS'. This redirects at the CDN edge before traffic reaches your server.

  3. Add the HSTS header

     After confirming HTTPS works perfectly, add: `Strict-Transport-Security: max-age=31536000; includeSubDomains`. This tells browsers to always use HTTPS for your domain for the next year, eliminating the initial HTTP hop.

  4. Verify the redirect chain

     Use curl to check: `curl -I http://yourdomain.com`. You should see a 301 response with a Location header pointing to https://. Avoid redirect chains longer than one hop.
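The checks listed above (redirect present, 301 vs 302, Location scheme, HSTS max-age and includeSubDomains, www/non-www consistency) can be applied to a captured response without any network access. The following is an added example, not SecurityStatus's own scanner; the function names, the finding strings and the sample headers are all constructed here, and the headers are assumed to be lower-cased as an HTTP client would present them.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # the max-age value recommended in step 3, in seconds


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns a dict with max_age (int), include_subdomains and preload,
    or None when the header is absent or carries no valid max-age."""
    if not value:
        return None
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max_age"] = int(raw.strip().strip('"'))
            except ValueError:
                return None  # malformed max-age: browsers ignore the header
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result if result["max_age"] is not None else None


def assess_first_hop(status, headers):
    """Grade the first response to a plain http:// request (as from curl -I).
    Returns a list of finding strings; an empty list means the hop is clean."""
    location = headers.get("location", "")
    if status not in (301, 302, 307, 308) or not location:
        return ["no_redirect"]
    findings = []
    if status in (302, 307):
        findings.append("temporary_redirect")  # step 1 asks for a 301
    if urlsplit(location).scheme != "https":
        findings.append("redirect_not_to_https")
    return findings


def assess_hsts(https_headers):
    """Check the HSTS header on the HTTPS response against step 3's advice."""
    hsts = parse_hsts(https_headers.get("strict-transport-security"))
    if hsts is None:
        return ["hsts_missing"]
    findings = []
    if hsts["max_age"] < ONE_YEAR:
        findings.append("hsts_max_age_short")
    if not hsts["include_subdomains"]:
        findings.append("hsts_no_include_subdomains")
    return findings


def www_consistent(location_bare, location_www):
    """True when the bare and www hostnames both redirect to one https host."""
    a, b = urlsplit(location_bare), urlsplit(location_www)
    return a.scheme == b.scheme == "https" and a.netloc.lower() == b.netloc.lower()
```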

Frequently Asked Questions

What is the difference between a 301 and 302 redirect?

A 301 is permanent — browsers and search engines cache it and update their records. A 302 is temporary — browsers will re-check every time. Always use 301 for HTTP to HTTPS redirects.

What is HSTS?

HTTP Strict Transport Security (HSTS) is a header that tells browsers to only connect to your domain over HTTPS for a set time period. Once a browser sees the HSTS header, it won't even attempt an HTTP connection.

Can an HTTPS redirect break my site?

It can if you have mixed content — images, scripts, or stylesheets loaded over HTTP. Audit your pages for hard-coded HTTP links and update them to HTTPS or relative paths before enabling the redirect.

Should I submit my domain to the HSTS preload list?

Only if you are 100% committed to HTTPS and have tested thoroughly. Preloading is very hard to undo and affects all subdomains. Start with the HSTS header first and preload later.
