TLS / HTTPS · Check
Site does not serve HTTPS — what to do first
Public sites need TLS. Browsers warn on plaintext, search engines penalize it, and most modern features (HTTP/2, service workers, secure cookies) refuse to work without it.
Real-world risk
Traffic can be read or altered on the network path; browsers show warnings, and users may fall for downgrade attacks or phishing clones.
Fix steps (in order)
- Terminate TLS at your load balancer, CDN, or origin and serve the site only over https://.
- Obtain a certificate (e.g. Let’s Encrypt) and configure automatic renewal.
- If you must keep HTTP for legacy clients, still redirect GET/HEAD to HTTPS with 301/308.
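A small external check for the steps above, added here as an example (it is not Scorifya's scanner code): it confirms that port 443 presents a certificate valid for the host and that plaintext GET and HEAD requests are answered with a 301/308 pointing to https://. The function names and the "review" outcome for redirects to a different host are choices made for this example.

```python
import http.client
import ssl
import sys
from urllib.parse import urlsplit

PERMANENT = {301, 308}  # redirect codes named in the fix steps

def judge_redirect(status, location, host):
    """Classify the answer a plaintext (port 80) request received."""
    if status not in PERMANENT:
        return f"fail: status {status}, expected 301 or 308"
    target = urlsplit(location or "")
    if target.scheme != "https":  # also catches a relative or missing Location
        return f"fail: Location {location!r} does not point to https://"
    if target.hostname != host.lower():
        return f"review: redirects to a different host ({target.hostname})"
    return "ok"

def probe_http(host, method="HEAD", timeout=5):
    """Send one plaintext request to port 80 and judge the response."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request(method, "/")
        resp = conn.getresponse()
        return judge_redirect(resp.status, resp.getheader("Location"), host)
    except (OSError, http.client.HTTPException) as exc:
        return f"no HTTP answer on port 80 ({exc})"
    finally:
        conn.close()

def probe_https(host, timeout=5):
    """True if port 443 completes a handshake with a certificate valid for host."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", "/")
        conn.getresponse()
        return True
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()

if __name__ == "__main__" and len(sys.argv) > 1:
    name = sys.argv[1]  # hostname to check, passed on the command line
    print("https:", "ok" if probe_https(name) else "fail")
    for verb in ("GET", "HEAD"):
        print(f"http {verb}:", probe_http(name, verb))
```

A relative `Location` such as `/login` is reported as a failure because the client would stay on plaintext HTTP.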
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (no_https) clears once the externally-observable signal is in place.