All fix guides

How to redirect HTTP to HTTPS

Force every visitor onto the encrypted version of your site with a permanent redirect.

What it is

A server rule that sends any http:// request to the matching https:// URL with a 301 (permanent) redirect.

Why it matters

If http:// is served without redirecting, a visitor's first request — and any bookmarked or typed URL — can be intercepted or tampered with before encryption kicks in.

How to fix it

  1. 1On the server, add a redirect: Nginx `return 301 https://$host$request_uri;`, Apache with `Redirect permanent`, or your framework/host's force-HTTPS setting.
  2. 2On a CDN like Cloudflare, enable 'Always Use HTTPS'.
  3. 3Use a 301 (permanent), not 302, so browsers and search engines cache it.
  4. 4Then add HSTS so browsers skip the insecure request entirely on return visits (see the HSTS guide).
  5. 5Re-scan to confirm http:// now redirects to https://.

Not sure if your site is affected?

Run a free scan — or let us fix it all for you.

Privacy and cookie preferences

We use strictly necessary cookies to run the site. Analytics, marketing, and AI assistant telemetry are optional and disabled until you choose. You can update consent any time in Cookie Settings.

Some infrastructure cookies, such as load balancer routing cookies, are essential for service delivery. Details: Cookie Policy