How to redirect HTTP to HTTPS
Force every visitor onto the encrypted version of your site with a permanent redirect.
What it is
A server rule that sends any http:// request to the matching https:// URL with a 301 (permanent) redirect.
Why it matters
If http:// is served without redirecting, a visitor's first request — and any bookmarked or typed URL — can be intercepted or tampered with before encryption kicks in.
How to fix it
- 1On the server, add a redirect: Nginx `return 301 https://$host$request_uri;`, Apache with `Redirect permanent`, or your framework/host's force-HTTPS setting.
- 2On a CDN like Cloudflare, enable 'Always Use HTTPS'.
- 3Use a 301 (permanent), not 302, so browsers and search engines cache it.
- 4Then add HSTS so browsers skip the insecure request entirely on return visits (see the HSTS guide).
- 5Re-scan to confirm http:// now redirects to https://.
Not sure if your site is affected?
Run a free scan — or let us fix it all for you.