TLS / HTTPS · Check
Redirect chain doesn't end in HTTPS — closing the plaintext gap
When a redirect chain bounces through HTTP at any point — even briefly — the plaintext hop leaks cookies and lets a network attacker hijack the session before the user lands on the secure final URL. Every redirect's final target should be `https://`.
Real-world risk
Redirects that stop short of HTTPS leave users on HTTP for part of the journey, enabling interception.
Fix steps (in order)
- Ensure the final hop of every redirect chain targets an https:// URL, and that no intermediate hop in the chain downgrades to http://.
- Search configs for http:// redirects and replace with https:// (or scheme-relative only if you fully control HTTPS).
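To check a chain before re-scanning, the following added example (not Scorifya's own code) walks a redirect chain offline and flags any hop after the entry URL that is not https://. The redirect table and the example.test hostnames are constructed sample data standing in for real Location headers.

```python
"""Walk a redirect chain offline and report every plaintext (non-https) hop."""
from urllib.parse import urljoin, urlsplit

# Constructed sample: URL -> value of its Location header (None = final non-redirect).
# This chain upgrades to HTTPS, then drops back to HTTP for one hop (the defect).
BROKEN_REDIRECTS = {
    "http://example.test/": "https://example.test/",
    "https://example.test/": "http://www.example.test/",   # plaintext hop
    "http://www.example.test/": "https://www.example.test/",
    "https://www.example.test/": None,
}

# Same chain with the http:// target replaced, as the fix step describes.
FIXED_REDIRECTS = {
    "http://example.test/": "https://example.test/",
    "https://example.test/": "https://www.example.test/",
    "https://www.example.test/": None,
}

def follow_chain(start, lookup, max_hops=10):
    """Return every URL visited from `start` until a non-redirect response."""
    chain = [start]
    current = start
    for _ in range(max_hops):
        target = lookup.get(current)
        if target is None:
            return chain
        # Resolve relative Location values against the current URL, as a browser does.
        current = urljoin(current, target)
        chain.append(current)
    raise RuntimeError("redirect loop or more than %d hops" % max_hops)

def check_redirect_not_https(start, lookup):
    """Report hops that downgrade to plaintext and whether the final hop is https."""
    chain = follow_chain(start, lookup)
    # Hop 0 is the URL the user typed; an http:// entry point is expected there.
    # Any later non-https hop is a downgrade that exposes cookies on the wire.
    downgrades = [(i, u) for i, u in enumerate(chain)
                  if i > 0 and urlsplit(u).scheme != "https"]
    final_https = urlsplit(chain[-1]).scheme == "https"
    return {"chain": chain, "downgrades": downgrades,
            "final_https": final_https, "ok": final_https and not downgrades}

if __name__ == "__main__":
    for name, table in (("broken", BROKEN_REDIRECTS), ("fixed", FIXED_REDIRECTS)):
        print(name, check_redirect_not_https("http://example.test/", table))
```

Against a live host, replace the lookup table with the Location header of each response fetched without following redirects, so every hop is inspected rather than only the final URL.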
Topic explainer
TLS versions explained: 1.0, 1.1, 1.2, 1.3 and what to disable →
What's actually different between TLS 1.0, 1.1, 1.2, and 1.3 — cipher suites, forward secrecy, performance — and which versions to disable for compliance and security.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (redirect_not_https) clears once the externally-observable signal is in place.