medium | Security & Infrastructure

HTTPS Redirect

Having an HTTPS certificate is only half the solution. If HTTP requests to your site are not automatically redirected to HTTPS, visitors and search engine bots may access an unencrypted version. SaaSalyst verifies that your site properly redirects all HTTP traffic to HTTPS.

What SaaSalyst Checks

SaaSalyst makes an HTTP request (port 80) to your site URL and checks whether it returns a redirect to the HTTPS version. A 301 (permanent) redirect is best practice. Temporary redirects (302, 307) work but miss SEO benefits. If the HTTP port is closed entirely, that is also a passing configuration.
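
The pass/warn/fail rule described above, as an added example (this is not SaaSalyst's own code). The names `classify` and `probe`, the use of a HEAD request, and treating any status the page does not mention as a failure are assumptions made for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit


def classify(status, location, request_url):
    """Map one plain-HTTP response to (verdict, detail) using the rules on this page."""
    # Assumption: statuses other than 301/302/307 are treated as "no redirect".
    if status not in (301, 302, 307):
        return "fail", "no redirect (status %s)" % status
    # A relative or scheme-relative Location resolves against the http://
    # request URL, so it keeps the visitor on plain HTTP.
    target = urljoin(request_url, location or "")
    if urlsplit(target).scheme != "https":
        return "fail", "redirect stays on HTTP: %s" % target
    if status == 301:
        return "pass", target
    return "warn", "temporary redirect (%d) to %s" % (status, target)


def probe(host, port=80, path="/", timeout=5.0):
    """Send one HEAD request over plain HTTP; http.client never follows redirects."""
    url = "http://%s%s" % (host, path)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return classify(resp.status, resp.getheader("Location"), url)
    except ConnectionRefusedError:
        # A closed HTTP port means the server only accepts HTTPS: passing.
        return "pass", "port %d closed" % port
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample responses (status, Location header), not real scan data.
    samples = [
        (301, "https://example.com/"),
        (302, "https://example.com/"),
        (301, "/login"),
        (200, None),
    ]
    for status, location in samples:
        print(status, location, classify(status, location, "http://example.com/"))
```

A 301 whose Location is relative, such as `/login`, is reported as a failure here because the browser stays on HTTP after following it.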

Why This Matters

HTTPS certificates alone do not protect users who type your URL without 'https://' or follow HTTP links from other sites. Without a redirect, those visitors browse your site over an unencrypted connection where credentials, session cookies, and personal data can be intercepted.

Search engines also prefer HTTPS. Google uses HTTPS as a ranking signal, and a proper 301 redirect consolidates link equity from HTTP to HTTPS, preventing duplicate content issues.

Most hosting platforms (Vercel, Netlify, Cloudflare) enable HTTPS redirects by default, but custom servers and some cloud providers require explicit configuration.

How to Fix It

  1. If using Vercel, Netlify, or Cloudflare: HTTPS redirect is typically automatic. Verify in your dashboard settings.
  2. For Nginx: add 'return 301 https://$host$request_uri;' to your server block listening on port 80.
  3. For Apache: add 'Redirect permanent / https://yourdomain.com/' to your .htaccess or VirtualHost config.
  4. For AWS ALB/CloudFront: configure an HTTP-to-HTTPS redirect rule in your listener.
  5. Test the redirect: curl -I http://yourdomain.com — you should see a 301 with Location: https://yourdomain.com/

Frequently Asked Questions

How does SaaSalyst check for HTTPS redirects?

SaaSalyst makes an HTTP (not HTTPS) request to your site with redirect following disabled. It then checks whether the response is a 301 or 302 redirect pointing to an HTTPS URL. If the HTTP port is closed entirely (connection refused), that also passes — it means your server only accepts HTTPS connections.

Why does SaaSalyst prefer 301 over 302 redirects?

SaaSalyst flags 302 (temporary) redirects as a warning because permanent (301) redirects tell search engines to consolidate ranking signals to the HTTPS version. A 302 redirect suggests the HTTP version might come back, preventing full SEO consolidation.
