HTTP to HTTPS Redirect Missing — Security and SEO Risk

TL;DR: Your site doesn't redirect HTTP traffic to HTTPS, leaving visitors on unencrypted connections and splitting your SEO authority.

Google has used HTTPS as a ranking signal since 2014, and 86.9% of websites now use HTTPS (W3Techs, 2025). If your site doesn't redirect HTTP to HTTPS, visitors land on an unencrypted connection where data can be intercepted. Search engines also treat HTTP and HTTPS as separate URLs, splitting your ranking authority between two versions of every page.

What Scavo checks (plain English)

Scavo rebuilds an HTTP version of the scanned URL and sends a HEAD probe.

How Scavo scores this check

Result behavior:

• Pass: HTTP returns 301, 302, 307, or 308 and Location starts with https://
• Fail: redirect exists but target is not HTTPS
• Fail: HTTP returns 2xx (serves content over HTTP without redirect)
• Info: Scavo could not gather enough reliable evidence on this run to score pass/fail confidently.
• Warning: probe blocked/error or ambiguous HTTP status (4xx/unverifiable)

In your scan report, this appears under What failed / What needs attention / What is working for https_redirect, followed by Recommended next steps and Technical evidence (for developers) when needed.

• Scan key: https_redirect
• Category: SECURITY

Why fixing this matters

If HTTP remains accessible without upgrade, users and bots can reach insecure variants, creating mixed trust/security signals and increasing downgrade risk.

Reliable HTTPS redirects also improve canonical protocol consistency for crawlers, analytics, and cache behavior.

Common reasons this check fails

• Redirect rules missing at edge/origin.
• Redirect points to wrong host/protocol.
• Partial rules only cover home page, not all paths.
• Legacy service still serves HTTP directly.

If you are not technical

1. Ask for proof that any http:// URL upgrades to https://.
2. Confirm this works for deep paths, not just homepage.
3. Ask team to document single redirect owner (CDN or origin).
4. Re-run Scavo and confirm pass.

Scavo flagged HTTPS Redirect (https_redirect). Please enforce HTTP->HTTPS redirects for all routes, verify redirect targets are HTTPS, and share header evidence (status + Location) from production.

If you are technical

1. Enforce scheme redirect at edge or origin (single source of truth).
2. Preserve path/query during redirect.
3. Prefer permanent redirect (301 or 308) unless migration constraints require otherwise.
4. Ensure redirect does not loop and does not downgrade across host variants.
5. Pair with HSTS once HTTPS is stable.

How to verify

• curl -I http://your-domain/path and inspect status + Location.
• Confirm target URL is HTTPS and path/query are preserved.
• Test a representative set of routes.
• Re-run Scavo and verify it passes.

What this scan cannot confirm

• It does not validate full chain quality across all subdomains automatically.
• It does not enforce HSTS; redirect and HSTS are complementary.
• It does not test browser mixed-content behavior inside pages.

Owner checklist

• [ ] Assign owner for protocol redirect policy.
• [ ] Keep redirect rules version controlled and tested.
• [ ] Monitor for redirect loops and accidental protocol downgrades.
• [ ] Revalidate after load balancer/CDN changes.

FAQ

Is 302 acceptable for HTTPS redirect?

It can work, but permanent redirects (301/308) are usually better long-term for consistency.

Why is serving HTTP directly a fail?

Because users can remain on insecure protocol without forced upgrade.

Can redirect checks fail if firewalls block probes?

Yes. Scavo will return warning when verification is blocked/unreachable.

Should redirect happen at CDN or app server?

Either is fine if consistent. Avoid split logic that drifts over time.

Sources

• MDN: Redirections in HTTP
• RFC 9110: HTTP redirect semantics
• OWASP Transport Layer Protection Cheat Sheet

Need a redirect validation checklist for apex/www/path/query variants? Send support your canonical host rules.