Security Check n°3 / 120

HTTP → HTTPS redirect

When a visitor types the site address without "https://" at the start, this check verifies the site automatically redirects them to the secu…


Understanding "HTTP → HTTPS redirect"

The HTTP → HTTPS redirect is the configuration rule that automatically forces any visitor accessing your site via http:// to the secure https:// version. Without this redirect, having an SSL certificate is not enough: visitors who type your address without specifying the protocol, click an HTTP link from another site, or use an old bookmark still reach your site in plaintext.

This redirect must be permanent (HTTP 301 code), so search engines transfer link equity (PageRank) to the HTTPS version, and browsers cache the secure version. A temporary redirect (302) has a different SEO effect and is not cached by browsers.

❌ Without redirect — HTTP access possible
Visit http://site.com → plaintext page served → ⚠️ Data exposed

✅ With permanent 301 redirect
Visit http://site.com → 301 Moved Permanently → 🔒 https://site.com
✓ PageRank transferred · ✓ Browser caches · ✓ No data exposed

How TheSiteFuse checks "HTTP → HTTPS redirect"

TheSiteFuse sends an HTTP GET request on port 80 (http://domain.com) and analyses the response. If the server responds with a 301 or 308 code (permanent redirect) to the corresponding HTTPS URL, the check passes. A 302 code (temporary) generates a warning. No redirect — HTTP page served directly or error code — is an error.
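
The decision logic described above, as an added Python example (not TheSiteFuse's own code). It assumes "corresponding HTTPS URL" means the same host ignoring a leading "www.", treats 307 like 302, and treats an unreachable port 80 as an error; the sample responses are constructed.

```python
import http.client
from urllib.parse import urljoin, urlsplit

PERMANENT = {301, 308}   # pass, per the check description
TEMPORARY = {302, 307}   # 302 is a warning on the page; 307 is an assumption


def _bare_host(host):
    """Lower-case a hostname and drop a leading 'www.' (assumed equivalence)."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify(request_url, status, location):
    """Return 'pass', 'warning' or 'error' for one port-80 response."""
    if status not in PERMANENT | TEMPORARY or not location:
        return "error"                      # page served directly, or error code
    target = urlsplit(urljoin(request_url, location))  # resolve relative Location
    source = urlsplit(request_url)
    if target.scheme != "https":
        return "error"                      # redirect stays on plaintext HTTP
    if _bare_host(target.hostname) != _bare_host(source.hostname):
        return "error"                      # HTTPS, but not the corresponding site
    return "pass" if status in PERMANENT else "warning"


def check(domain, timeout=5.0):
    """Send GET / to port 80 without following redirects, then classify."""
    conn = http.client.HTTPConnection(domain, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return classify(f"http://{domain}/", resp.status, resp.getheader("Location"))
    except (OSError, http.client.HTTPException):
        return "error"                      # assumption: unreachable port 80 fails
    finally:
        conn.close()


# Constructed sample responses (status, Location), not captured from a real site.
SAMPLES = [
    (301, "https://mysite.com/"), (308, "https://www.mysite.com/"),
    (302, "https://mysite.com/"), (301, "http://www.mysite.com/"),
    (301, "/home"), (200, None),
]

if __name__ == "__main__":
    for status, loc in SAMPLES:
        print(status, loc, "->", classify("http://mysite.com/", status, loc))
```

The relative `/home` case matters in practice: a 301 that resolves back to an http:// URL looks like a redirect in the status line but never moves the visitor to HTTPS.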

Why "HTTP → HTTPS redirect" matters

Without an HTTP → HTTPS redirect, several problems arise:

  • Unsecured access — visitors arriving via an old HTTP link or bookmark access the site without encryption, exposing their data.
  • SEO duplicate content — Google may index both HTTP and HTTPS versions of the same site, creating duplicate content that dilutes PageRank.
  • HSTS ineffectiveness — HSTS only protects after a visitor has already visited the site over HTTPS. Without a redirect, their first visit may be in HTTP.
  • Browser warning — Chrome displays "Not Secure" for any HTTP page containing forms or input fields.

Fix "HTTP → HTTPS redirect" step by step

Apache

<VirtualHost *:80>
    ServerName mysite.com
    ServerAlias www.mysite.com
    Redirect permanent / https://mysite.com/
</VirtualHost>

Nginx

server {
    listen 80;
    server_name mysite.com www.mysite.com;
    return 301 https://mysite.com$request_uri;
}

Verify with curl

curl -I http://mysite.com

The response should show HTTP/1.1 301 Moved Permanently with Location: https://mysite.com/.

Hosting control panels

On cPanel, Plesk or SiteGround, a "Force HTTPS" or "SSL Redirect" toggle is available in the Domains section.
