To fix this, add a permanent 301 redirect from http:// to https:// at your web server or CDN so every insecure request is upgraded. Then add HSTS to enforce HTTPS in the browser. Re-scan to confirm HTTP requests redirect to HTTPS.
If your site serves content over both HTTP and HTTPS, visitors and search engines can end up on the insecure version. A 301 redirect from HTTP to HTTPS ensures everyone uses the secure site. This guide shows how on each platform, plus how to lock it in with HSTS.
Check your website
See how your site handles how to fix a missing http to https redirect — free, no account needed.
Business impact
Serving content over plain HTTP exposes visitors to interception and shows some browsers a "Not secure" label. A proper redirect guarantees the secure experience for every visitor, consolidates your SEO onto one URL, and is the foundation for stronger protections like HSTS.
Why this happens
This happens when HTTPS is installed but the server still answers HTTP requests with content instead of redirecting. Causes: no redirect rule configured; redirect present for the homepage but not all paths; or conflicting rules between the app, server and CDN. The fix is a single site-wide 301 to the HTTPS URL.
How to confirm the issue
Manually: run curl -I http://yoursite.com and confirm you get a 301 with a Location: https://… header. Try a few deep paths too, not just the homepage.
With Plexa Trust: the scan reports "HTTPS Not Enabled" or that HTTP serves content without redirecting. Re-scan after fixing.
Step-by-step fix
Ensure a valid SSL certificate is installed and HTTPS works.
Add a 301 redirect from all HTTP URLs to their HTTPS equivalent (preserving the path).
Test several paths, not just the homepage.
Add HSTS once redirects are solid to enforce HTTPS in the browser.
Re-scan to confirm HTTP consistently redirects to HTTPS.
Platform-specific fixes
Apache
In your HTTP virtual host or .htaccess (mod_rewrite):
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Nginx
Add a dedicated port-80 server block:
server { listen 80; server_name yoursite.com www.yoursite.com; return 301 https://$host$request_uri; }
Run
nginx -tand reload.
Cloudflare
SSL/TLS → Edge Certificates → enable Always Use HTTPS.
This 301-redirects all HTTP requests to HTTPS at the edge.
WordPress
Set both WordPress Address and Site Address to the https:// URL under Settings → General.
Use Really Simple SSL or a server rule to force the redirect.
Vercel / Netlify
HTTPS and HTTP→HTTPS redirects are handled automatically for custom domains.
Ensure your domain is configured and DNS points to the platform.
How to verify the fix
Use a 301 (permanent) redirect so SEO signals transfer to HTTPS.
Preserve the full path in the redirect, not just send everyone to the homepage.
Add HSTS afterwards and re-scan to confirm.
Common mistakes
Using a 302 (temporary) redirect and losing ranking signals.
Redirecting only the homepage, leaving deep pages on HTTP.
Creating redirect loops with conflicting app/server/CDN rules.
Frequently asked questions
Why do I need an HTTP to HTTPS redirect if I have SSL?
Because the insecure HTTP version can still be reached directly. A redirect ensures every visitor and search engine uses the secure HTTPS version.
Should the redirect be 301 or 302?
301 (permanent). It tells search engines the move is permanent and transfers ranking signals to the HTTPS URLs.
Will a redirect fix the "Not secure" label?
Yes, once visitors are on HTTPS with a valid certificate. Combine it with HSTS to prevent any insecure first request.
What is a redirect loop and how do I avoid it?
When rules bounce a request back and forth (e.g. app and CDN both redirecting differently). Configure the redirect in one place and test.
Do I still need HSTS if I have a redirect?
Yes. A redirect handles the server side; HSTS stops the browser making the insecure request in the first place.
Does this affect SEO?
Positively, when done with 301s that preserve paths — it consolidates your site onto secure URLs.
How do I redirect www and non-www too?
Include both hostnames in your rule (or canonicalise to one), redirecting all variants to the single HTTPS host you prefer.
How do I confirm it worked?
Run curl -I on several HTTP URLs and confirm 301s to HTTPS, then re-scan with Plexa Trust.
Think you've fixed it?
Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.
Verify with a free scan