How to fix: HTTPS enforced (NIS2 transport security)

NIS2 Art. 21(2)(a)

Why this matters

Serving a site over plain HTTP falls below the cybersecurity baseline expected of NIS2 essential and important entities. Force HTTPS at the origin and via redirect.

Background

Plain HTTP traffic can be observed and modified by any on-path network attacker. NIS2 requires transport encryption as a baseline technical measure. Configure an HTTP → HTTPS 301 redirect at the reverse proxy.

References

NIS2 Art. 21(2)(a) · BSI IT-Grundschutz

How to fix

Code snippet for each stack we cover. Pick the one matching your server / framework.

nginx
server {
    listen 80;
    server_name your-site;
    return 301 https://$host$request_uri;
}
apache
# Requires mod_rewrite; the rules below are ignored unless the engine is on.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
cloudflare
SSL/TLS → Edge Certificates → Always Use HTTPS → ON.
wordpress
Install the Really Simple SSL plugin, or set siteurl and home to https:// in Settings → General.
flask
Use flask-talisman with force_https=True, or redirect in middleware.
express
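// Behind a TLS-terminating proxy, enable app.set('trust proxy', ...) so req.secure reflects X-Forwarded-Proto.
app.use((req, res, next) => req.secure ? next() : res.redirect(301, 'https://' + req.headers.host + req.url));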
rails
config.force_ssl = true

Verify it's working

curl -sI http://your-site/ | head -1 should print a 301 status line. The https:// target is in the Location header of the full curl -sI output.
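
To check both the status code and the redirect target in one step, the following added example (not part of the original guide) classifies the headers that curl -sI prints. The function name check_redirect and its return codes are assumptions made for this example; your-site is the guide's placeholder.

```shell
#!/bin/sh
# Added example: classify the header output of `curl -sI http://HOST/`.
# check_redirect (hypothetical name) reads response headers on stdin.
# Return codes (convention assumed for this example):
#   0 = 301 to https://   1 = redirect, but not a 301 to https://   2 = no redirect
check_redirect() {
    # Strip CR from CRLF line endings so string comparisons work.
    headers=$(tr -d '\r')
    # Status code is the second field of the first line ("HTTP/1.1 301 Moved Permanently").
    status=$(printf '%s\n' "$headers" | sed -n '1p' | awk '{print $2}')
    # Header names are case-insensitive; take the first Location value.
    location=$(printf '%s\n' "$headers" | awk 'tolower($1) == "location:" {print $2; exit}')

    case "$status" in
        301)
            case "$location" in
                https://*) echo "OK: 301 -> $location"; return 0 ;;
                *) echo "FAIL: 301 but Location is '$location'"; return 1 ;;
            esac ;;
        302|303|307|308)
            echo "FAIL: status $status is not the 301 this guide expects (Location: $location)"
            return 1 ;;
        *)
            echo "FAIL: status '$status', plain HTTP answered without a redirect"
            return 2 ;;
    esac
}

# Live use:
#   curl -sI http://your-site/ | check_redirect
```

A 301 whose Location still starts with http:// is reported as a failure, which head -1 alone would not reveal.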
