---
title: "Fix HTTP to HTTPS Redirect for Better Best Practices Score"
description: "Configure your server to redirect all HTTP traffic to HTTPS. Protect users and enable secure web features across your entire site."
canonical_url: "https://unlighthouse.dev/learn-lighthouse/best-practices/redirects-http"
last_updated: "2025-01-18"
---

Users accessing your site via HTTP aren't being redirected to HTTPS, leaving them on an insecure connection.

## What's Happening

Lighthouse tests what happens when a user visits your site using `http://`. If the connection stays on HTTP instead of redirecting to HTTPS, the audit fails. This occurs when your server accepts HTTP requests but doesn't issue a redirect response.

Without this redirect, users who type your domain without `https://`, click old bookmarks, or follow HTTP links are left on an insecure connection. Their traffic is unencrypted and vulnerable to interception.

## Diagnose

### Browser Check

1. Open a new incognito window
2. Type your domain with explicit `http://` prefix: `http://yoursite.com`
3. Check the address bar after the page loads
4. If it still shows `http://`, the redirect is missing

### Command Line

```bash
curl -I http://yoursite.com

# Expected response when the redirect is in place:
# HTTP/1.1 301 Moved Permanently
# Location: https://yoursite.com/
```

If you see `200 OK` instead of a redirect, the server serves content over HTTP.

## Fix

### 1. Server-Level Redirect (Recommended)

Configure your web server or hosting platform to redirect HTTP to HTTPS.

**Nginx:**

```nginx
server {
    listen 80;
    server_name yoursite.com www.yoursite.com;
    return 301 https://$host$request_uri;
}
```

**Apache (.htaccess):**

```apache
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

**Caddy:** (Automatic - Caddy redirects HTTP to HTTPS by default)

```text
yoursite.com {
    # HTTPS redirect happens automatically
}
```

### 2. Hosting Platform Configuration

Most hosting platforms handle this through their dashboard.

**Cloudflare:**

1. Go to SSL/TLS > Edge Certificates
2. Enable "Always Use HTTPS"

**Vercel:** Automatic - all HTTP requests redirect to HTTPS by default.

**Netlify:**

1. Go to Domain settings
2. Enable "Force HTTPS"

**AWS CloudFront:**

1. Edit distribution behavior
2. Set "Viewer Protocol Policy" to "Redirect HTTP to HTTPS"

### 3. Add HSTS Header

HTTP Strict Transport Security tells browsers to always use HTTPS, preventing even the initial HTTP request on subsequent visits.

```http
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```

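Configure on your server. Send the header on HTTPS responses; browsers ignore `Strict-Transport-Security` when it arrives over plain HTTP: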

```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
```

```js
// Vercel/Next.js - next.config.mjs (or next.config.js in an ESM project)
export default {
  headers: async () => [{
    source: '/(.*)',
    headers: [{
      key: 'Strict-Transport-Security',
      value: 'max-age=31536000; includeSubDomains; preload'
    }]
  }]
}
```

```ts
// Nuxt - nuxt.config.ts
export default defineNuxtConfig({
  routeRules: {
    '/**': {
      headers: {
        'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload'
      }
    }
  }
})
```

After you deploy and verify HSTS, submit to the [HSTS Preload List](https://hstspreload.org) to have browsers enforce HTTPS before the first visit.

## Verify the Fix

1. Clear browser cache or use incognito mode
2. Navigate to `http://yoursite.com` (explicit HTTP)
3. Confirm the address bar shows `https://` after redirect
4. Run `curl -I http://yoursite.com` and verify 301/308 response
5. Run Lighthouse - "Redirects HTTP traffic to HTTPS" should pass

Check redirect chain efficiency:

```bash
curl -ILs http://yoursite.com | grep -Ei "^(HTTP|Location)"
```

You should see exactly one redirect from HTTP to HTTPS, not multiple hops.

## Common Mistakes

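- **Redirect loops**: Misconfigured load balancers or CDNs cause infinite redirects. When TLS terminates at the proxy, your app only ever sees plain HTTP, so if it checks `X-Forwarded-Proto` but the header isn't set, it keeps redirecting, even for requests that reached the proxy over HTTPS. Verify your CDN/proxy forwards the protocol header correctly.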
- **Missing www handling**: Redirect both `http://yoursite.com` AND `http://www.yoursite.com`. Users might access either.
- **302 instead of 301**: Use 301 (permanent) or 308 (permanent, preserves method) redirects. 302 (temporary) doesn't tell browsers to update bookmarks or caches.
- **Forgetting subdomains**: Each subdomain needs its own redirect configuration. An HTTPS redirect on `yoursite.com` doesn't cover `api.yoursite.com` or `blog.yoursite.com`.
- **Starting with aggressive HSTS**: Begin with a short `max-age` (like 300 seconds) and increase after confirming everything works. A misconfigured HSTS with a year-long max-age locks users out.
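
The checks from "Verify the Fix" and the status-code and hop rules in the list above can be scripted. This is an added example, not part of the original page: `audit_redirect_chain` and the sample helpers are hypothetical names, and the sample responses are constructed.

```shell
#!/bin/sh
# Added example (not from the original page). audit_redirect_chain is a
# hypothetical helper: it reads `curl -ILs` header output on stdin.
audit_redirect_chain() {
  awk '
    BEGIN { hsts = "none" }
    { sub(/\r$/, "") }   # curl keeps the CRLF line endings
    /^HTTP\// { n++; status[n] = $2; hsts = "none"; next }  # one per response
    { name = tolower($1); line = tolower($0) }   # header names: any case
    name == "location:" { loc[n] = $2 }
    name == "strict-transport-security:" && match(line, /max-age=[0-9]+/) {
      hsts = substr(line, RSTART + 8, RLENGTH - 8)   # value on final response
    }
    END {
      if (n == 0)                        v = "FAIL no-response"
      else if (status[1] !~ /^3/)        v = "FAIL no-redirect"
      else if (status[1] !~ /^30[18]$/)  v = "FAIL temporary-redirect"
      else if (loc[1] !~ /^https:\/\//)  v = "FAIL not-https"
      else if (n > 2)                    v = "FAIL multiple-hops"
      else                               v = "PASS"
      print v, "hsts-max-age=" hsts
      exit (v != "PASS")
    }'
}

# Constructed sample responses (not captured from a real site).
hop()   { printf 'HTTP/1.1 %s Redirect\r\nLocation: %s\r\n\r\n' "$1" "$2"; }
final() { printf 'HTTP/2 200 \r\n%s\r\n\r\n' "$1"; }
sample_good()  { hop 301 https://yoursite.com/; final 'strict-transport-security: max-age=300'; }
sample_temp()  { hop 302 https://yoursite.com/; final 'server: example'; }
sample_chain() { hop 301 https://yoursite.com/; hop 301 https://www.yoursite.com/; final 'server: example'; }
sample_none()  { final 'server: example'; }

if [ "$#" -gt 0 ]; then
  # Live mode: one audit per hostname given on the command line.
  for host in "$@"; do
    printf '%s: ' "$host"
    curl -ILs --max-time 10 "http://$host/" | audit_redirect_chain || true
  done
else
  # Offline mode: run the constructed samples.
  for s in sample_good sample_temp sample_chain sample_none; do
    printf '%s: ' "$s"
    "$s" | audit_redirect_chain || true
  done
fi
```

Pass hostnames as arguments to audit each entry point (apex, `www`, every subdomain); with no arguments it runs the constructed samples.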

### 2025 Insight: Soft 404s & Status Codes

While not strictly a redirect issue, "Soft 404s" (pages that say "Not Found" but return a `200 OK` status) are a primary waste of crawl budget in 2025. Google's bots now aggressively deprioritize sites with poor status code integrity. Make sure your 404 pages return a `404` status header.

## Related Issues

HTTP redirect issues often appear alongside:

- [HTTPS](/learn-lighthouse/best-practices/is-on-https) - Both involve secure connections
- [Redirects (LCP)](/learn-lighthouse/lcp/redirects) - HTTP→HTTPS redirects also affect LCP
- [bfcache](/learn-lighthouse/best-practices/bf-cache) - Redirect behavior affects back/forward cache

## Test Your Entire Site

HTTP redirect issues can affect some subdomains or paths but not others - especially with complex hosting setups or multiple servers. Scan your entire domain to check that every entry point redirects users to a secure connection.
