How to fix: HTTPS enforced (HTTP → HTTPS redirect)
OWASP A02
NIS2 Art. 21(2)(a)
Why this matters
Plain HTTP traffic can be read or modified by anyone between the visitor and your server. Forcing HTTPS protects login forms, session cookies, and form submissions from interception on coffee-shop Wi-Fi and similar networks.
Background
Every HTTP request to your site should 301-redirect to its HTTPS equivalent — same host, same path. Without this, the first request is interceptable; cookies (even Secure ones) can be partially probed; and search engines may index the HTTP variant alongside HTTPS, splitting ranking signal.
References
OWASP A02 · NIS2 Art. 21 (technical measures)
How to fix
Code snippet for each stack we cover. Pick the one matching your server / framework.
nginx
server {
    listen 80;
    return 301 https://$host$request_uri;
}
apache
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
cloudflare
SSL/TLS → Edge Certificates → Always Use HTTPS = ON.
wordpress
Really Simple SSL plugin OR force-https via .htaccess (see Apache snippet).
flask
Flask-Talisman: from flask_talisman import Talisman; Talisman(app, force_https=True). Or, behind a proxy, configure the redirect on the proxy.
express
Behind a proxy: enable Express's trust proxy setting so the app sees the original protocol, then add a redirect-to-HTTPS middleware. Direct: see snippet above.
rails
config.force_ssl = true
Verify it's working
curl -sI http://your-site/ | grep -iE '^(HTTP/|location:)' # should show a 301 status line and a Location: https://... header
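The curl check above only shows the headers; the rule from the Background section (301, HTTPS, same host, same path) still has to be compared by eye. The following is an added example, not part of the original page or any of the tools it names, that applies that rule to raw `curl -sI` output. The function names, the sample responses and the example.com URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample `curl -sI` outputs (example.com is a placeholder host).
GOOD = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/login?next=/account\r\n\r\n"
TEMPORARY = "HTTP/1.1 302 Found\r\nLocation: https://example.com/login?next=/account\r\n\r\n"
DROPS_PATH = "HTTP/1.1 301 Moved Permanently\r\nlocation: https://www.example.com/\r\n\r\n"


def parse_head(raw):
    """Return (status_code, {lower-cased header name: value}) from raw response headers."""
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    status = int(lines[0].split()[1])  # "HTTP/1.1 301 Moved Permanently" -> 301
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(http_url, raw_head):
    """Return a list of problems; an empty list means the redirect matches the rule."""
    status, headers = parse_head(raw_head)
    problems = []
    if status != 301:
        problems.append(f"status is {status}, expected 301")
    location = headers.get("location")
    if location is None:
        return problems + ["no Location header"]
    src, dst = urlsplit(http_url), urlsplit(location)
    if dst.scheme != "https":  # also catches relative Locations, which stay on HTTP
        problems.append("Location is not an https:// URL")
    if dst.hostname != src.hostname:
        problems.append(f"host changed: {src.hostname} -> {dst.hostname}")
    if (dst.path or "/", dst.query) != (src.path or "/", src.query):
        problems.append("path or query changed")
    return problems


if __name__ == "__main__":
    url = "http://example.com/login?next=/account"
    for name, head in [("GOOD", GOOD), ("TEMPORARY", TEMPORARY), ("DROPS_PATH", DROPS_PATH)]:
        print(name, check_redirect(url, head) or "OK")
```

Test with a deep URL that carries a query string, not just the home page: a redirect that sends everything to the HTTPS root passes the home-page check but fails this one.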