TLS / HTTPS · Check
HTTP not redirected to HTTPS — fixing the plaintext entrypoint
When port 80 serves real content (or doesn't return a 301/308 to https://), users and bookmark tooling can stay on plaintext through the entire flow. That's enough to leak session cookies on hostile networks.
Real-world risk
Users and links can stay on plaintext HTTP; cookies and tokens may leak on that first hop.
Fix steps (in order)
- On port 80, return 301 or 308 to the canonical https:// URL for all paths you care about.
- Example nginx: return 301 https://$host$request_uri;
Example configurations
Patterns for common stacks. Apply the redirect at your CDN, load balancer, or origin, wherever plaintext HTTP is terminated.
nginx (HTTP → HTTPS) · nginx
# Plaintext listener does nothing but redirect; $request_uri keeps path and query.
server {
    listen 80;
    return 301 https://$host$request_uri;
}

Express · typescript
// req.secure is only reliable behind a TLS-terminating proxy when
// app.set("trust proxy", true) (or a stricter setting) is configured.
app.use((req, res, next) => {
  if (req.secure) return next();
  res.redirect(301, "https://" + req.headers.host + req.url);
});

Apache · apache
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Topic explainer
TLS versions explained: 1.0, 1.1, 1.2, 1.3 and what to disable →
What's actually different between TLS 1.0, 1.1, 1.2, and 1.3 — cipher suites, forward secrecy, performance — and which versions to disable for compliance and security.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (http_no_redirect) clears once the externally-observable signal is in place.
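An added example, not Scorifya's own checker, that applies the pass/fail logic described on this page to a raw port-80 response: the answer must be a redirect whose Location is an https:// URL on the same host with the path preserved, and 301/308 is preferred over temporary codes. The responses are constructed inline; the real scanner's exact rules are not known here.

```python
from urllib.parse import urlsplit

PERMANENT = {301, 308}
TEMPORARY = {302, 303, 307}

# Constructed sample responses as a plaintext client might receive them.
RESPONSES = {
    "good": "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/login\r\nContent-Length: 0\r\n\r\n",
    "content": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login form served over plaintext</html>",
    "temp": "HTTP/1.1 302 Found\r\nLocation: https://example.com/login\r\n\r\n",
    "wrong_scheme": "HTTP/1.1 301 Moved Permanently\r\nLocation: http://example.com/login\r\n\r\n",
}


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return status, headers


def check_redirect(raw: str, host: str, path: str) -> str:
    """Return 'pass', or 'fail: ...' / 'warn: ...' for a plaintext request to host+path."""
    status, headers = parse_response(raw)
    if status not in PERMANENT | TEMPORARY:
        return f"fail: port 80 answered {status} with content instead of redirecting"
    location = headers.get("location")
    if not location:
        return "fail: redirect without Location header"
    target = urlsplit(location)
    if target.scheme != "https":
        return f"fail: Location scheme is {target.scheme!r}, not https"
    if target.hostname != host.lower():
        return f"fail: redirect leaves host ({target.hostname} != {host})"
    if target.path != path:
        return "warn: path not preserved (bookmarked deep links land elsewhere)"
    if status in TEMPORARY:
        return f"warn: {status} is temporary; browsers will not cache it, use 301/308"
    return "pass"


if __name__ == "__main__":
    for name, raw in RESPONSES.items():
        print(f"{name:12s} -> {check_redirect(raw, 'example.com', '/login')}")
```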