Fix HTTP to HTTPS Redirect for Better Best Practices Score

Configure your server to redirect all HTTP traffic to HTTPS. Protect users and enable secure web features across your entire site.
Harlan Wilton, 3 min read

Users accessing your site via HTTP aren't being redirected to HTTPS, leaving them on an insecure connection.

What's Happening

Lighthouse tests what happens when a user visits your site using http://. If the connection stays on HTTP instead of redirecting to HTTPS, the audit fails. This occurs when your server accepts HTTP requests but doesn't issue a redirect response.

Without this redirect, users who type your domain without https://, click old bookmarks, or follow HTTP links are left on an insecure connection. Their traffic is unencrypted and vulnerable to interception.

Diagnose

Browser Check

  1. Open a new incognito window
  2. Type your domain with explicit http:// prefix: http://yoursite.com
  3. Check the address bar after the page loads
  4. If it still shows http://, the redirect is missing

Command Line

curl -I http://yoursite.com

HTTP/1.1 301 Moved Permanently
Location: https://yoursite.com/

If you see 200 OK instead of a redirect, the server serves content over HTTP.

Fix

Configure your web server or hosting platform to redirect HTTP to HTTPS.

1. Web Server Configuration

Nginx:

server {
    listen 80;
    server_name yoursite.com www.yoursite.com;
    return 301 https://$host$request_uri;
}

Apache (.htaccess):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Caddy: (Automatic—Caddy redirects HTTP to HTTPS by default)

yoursite.com {
    # HTTPS redirect happens automatically
}

2. Hosting Platform Configuration

Most hosting platforms handle this through their dashboard.

Cloudflare:

  1. Go to SSL/TLS > Edge Certificates
  2. Enable "Always Use HTTPS"

Vercel: Automatic—all HTTP requests redirect to HTTPS by default.

Netlify:

  1. Go to Domain settings
  2. Enable "Force HTTPS"

AWS CloudFront:

  1. Edit distribution behavior
  2. Set "Viewer Protocol Policy" to "Redirect HTTP to HTTPS"

3. Add HSTS Header

HTTP Strict Transport Security tells browsers to always use HTTPS, preventing even the initial HTTP request on subsequent visits.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Configure on your server:

Nginx:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Vercel/Next.js (next.config.js):

module.exports = {
  headers: async () => [{
    source: '/(.*)',
    headers: [{
      key: 'Strict-Transport-Security',
      value: 'max-age=31536000; includeSubDomains; preload'
    }]
  }]
}

Nuxt (nuxt.config.ts):

export default defineNuxtConfig({
  routeRules: {
    '/**': {
      headers: {
        'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload'
      }
    }
  }
})

After HSTS is deployed and verified, submit to the HSTS Preload List to have browsers enforce HTTPS before the first visit.

Verify the Fix

  1. Clear browser cache or use incognito mode
  2. Navigate to http://yoursite.com (explicit HTTP)
  3. Confirm the address bar shows https:// after redirect
  4. Run curl -I http://yoursite.com and verify a 301/308 response
  5. Run Lighthouse—"Redirects HTTP traffic to HTTPS" should pass

Check redirect chain efficiency:

curl -ILs http://yoursite.com | grep -E "^HTTP|^Location"

You should see exactly one redirect from HTTP to HTTPS, not multiple hops.

Common Mistakes

  • Redirect loops — Misconfigured load balancers or CDNs can cause infinite redirects. If your app checks X-Forwarded-Proto but the header isn't set, it keeps redirecting. Verify your CDN/proxy forwards the protocol header correctly.
  • Missing www handling — Redirect both http://yoursite.com AND http://www.yoursite.com. Users might access either.
  • 302 instead of 301 — Use 301 (permanent) or 308 (permanent, preserves method) redirects. 302 (temporary) doesn't tell browsers to update bookmarks or caches.
  • Forgetting subdomains — Each subdomain needs its own redirect configuration. An HTTPS redirect on yoursite.com doesn't cover api.yoursite.com or blog.yoursite.com.
  • Starting with aggressive HSTS — Begin with a short max-age (like 300 seconds) and increase after confirming everything works. A misconfigured HSTS with a year-long max-age locks users out.
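To turn the chain check above and the mistakes just listed into a repeatable test, here is an added example (not code from the article) that parses the raw output of the page's `curl -ILs http://yoursite.com` command and reports multiple hops, temporary 302 redirects, non-HTTPS Location targets, loops, and a missing HSTS header on the final response. The transcript it ships with is constructed; feed it real curl output to check your own site.

```python
# Added example (not from the article): audit a `curl -ILs` transcript for a clean HTTP->HTTPS redirect.
import re
from urllib.parse import urlparse

# Constructed sample of what `curl -ILs` prints for a correctly configured site.
GOOD_TRANSCRIPT = """HTTP/1.1 301 Moved Permanently
Location: https://yoursite.com/

HTTP/2 200
content-type: text/html
strict-transport-security: max-age=31536000; includeSubDomains; preload
"""

def parse_hops(raw):
    # One blank-line-separated block per hop -> (status_code, {lowercased header: value})
    hops = []
    for block in re.split(r"\r?\n\r?\n", raw.strip()):
        lines = block.splitlines()
        m = re.match(r"HTTP/\S+\s+(\d{3})", lines[0])
        if m:
            headers = {k.strip().lower(): v.strip() for k, v in
                       (h.split(":", 1) for h in lines[1:] if ":" in h)}
            hops.append((int(m.group(1)), headers))
    return hops

def check_redirect(raw):
    # Returns a list of findings; an empty list means the chain is clean.
    hops = parse_hops(raw)
    findings = []
    redirects = [(s, h) for s, h in hops if 300 <= s < 400]
    if not redirects:
        return ["no redirect: the server serves content over HTTP"]
    if len(redirects) > 1:
        findings.append(f"{len(redirects)} redirect hops; expected exactly one")
    seen = set()
    for status, headers in redirects:
        loc = headers.get("location", "")
        if loc in seen:  # the same Location twice means a redirect loop
            findings.append(f"redirect loop via {loc}")
        seen.add(loc)
        if status not in (301, 308):
            findings.append(f"status {status} is temporary; use 301 or 308")
        if urlparse(loc).scheme != "https":
            findings.append(f"Location {loc!r} is not https")
    final_status, final_headers = hops[-1]
    if final_status != 200:
        findings.append(f"final response is {final_status}, not 200")
    if "max-age" not in final_headers.get("strict-transport-security", ""):
        findings.append("final response lacks a Strict-Transport-Security max-age")
    return findings
```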

HTTP redirect issues often appear alongside:

  • HTTPS — Both involve secure connections
  • Redirects (LCP) — HTTP→HTTPS redirects also affect LCP
  • bfcache — Redirect behavior affects back/forward cache

Test Your Entire Site

HTTP redirect issues can affect some subdomains or paths but not others—especially with complex hosting setups or multiple servers. Scan your entire domain to ensure every entry point redirects users to a secure connection.