
How to fix: HTTPS enforced (HTTP → HTTPS redirect)

OWASP A02 · NIS2 Art. 21(2)(a)

Why this matters

Plain HTTP traffic can be read or modified by anyone between the visitor and your server. Forcing HTTPS protects login forms, session cookies, and form submissions from interception on coffee-shop Wi-Fi and similar networks.

Background

Every HTTP request to your site should 301-redirect to its HTTPS equivalent — same host, same path. Without this, the first request is interceptable; cookies (even Secure ones) can be partially probed; and search engines may index the HTTP variant alongside HTTPS, splitting ranking signal.

References

OWASP A02 · NIS2 Art. 21 (technical measures)

How to fix

A code snippet for each stack we cover; pick the one matching your server or framework.

nginx

    server {
        listen 80;
        # Redirect every plain-HTTP request to the same host and path over HTTPS.
        return 301 https://$host$request_uri;
    }

Apache (.htaccess or vhost config, mod_rewrite enabled)

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]

Cloudflare

    SSL/TLS → Edge Certificates → Always Use HTTPS = ON.

WordPress

    Really Simple SSL plugin, or force HTTPS via .htaccess (see the Apache snippet).

Flask

    from flask_talisman import Talisman
    # app is your Flask application object
    Talisman(app, force_https=True)

    Behind a proxy, configure the redirect on the proxy instead.

Express

    Behind a proxy: enable trust proxy and add an HTTP-to-HTTPS redirect middleware. Direct: see snippet above.

Rails

    config.force_ssl = true

Verify it's working

curl -sI http://your-site/ | grep -iE '^(HTTP/|location:)'   # should show a 301 status and a Location: https:// header for the same host and path
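As an added example (not the guide's own code), a small Python checker that automates the verification above and also flags the common ways a redirect is wrong: a temporary status, a different host, a dropped path or query string, or a relative Location that stays on http. It uses only the standard library; the example.com URL is a constructed placeholder.

```python
import http.client
from urllib.parse import urljoin, urlsplit, urlunsplit


def fetch_redirect(http_url, timeout=10):
    """Send one plain-HTTP GET; return (status, Location header or None).
    http.client never follows redirects, so this is the server's own answer."""
    parts = urlsplit(http_url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        target = urlunsplit(("", "", parts.path or "/", parts.query, ""))
        conn.request("GET", target, headers={"Host": parts.netloc})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check_redirect(http_url, status, location):
    """Return the problems with a redirect; an empty list means it is correct:
    permanent (301; 308 also accepted), https, same host, path and query."""
    problems = []
    if status not in (301, 308):
        problems.append(f"status {status}: expected a permanent redirect (301)")
    if not location:
        problems.append("no Location header")
        return problems
    want = urlsplit(http_url)
    # A relative Location such as "/login" resolves against the http:// URL,
    # so it stays on http and fails the scheme check below.
    got = urlsplit(urljoin(http_url, location))
    if got.scheme != "https":
        problems.append(f"redirects to {got.scheme}://, not https://")
    if (got.hostname or "") != (want.hostname or ""):
        problems.append(f"host changed: {want.hostname} -> {got.hostname}")
    if (got.path or "/") != (want.path or "/"):
        problems.append(f"path changed: {want.path or '/'} -> {got.path or '/'}")
    if got.query != want.query:
        problems.append("query string dropped or changed")
    return problems


if __name__ == "__main__":
    import sys
    # Constructed default URL; pass your own site's http:// URL as argv[1].
    url = sys.argv[1] if len(sys.argv) > 1 else "http://example.com/login?next=/account"
    status, location = fetch_redirect(url)
    issues = check_redirect(url, status, location)
    print("OK: permanent redirect to the HTTPS equivalent" if not issues else "\n".join(issues))
```

Run it against a deep URL with a query string, not just the homepage, since a redirect rule that drops the path or query passes the bare curl check but still breaks links.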
