What it is
HTTPS enforcement means every request to your site ends up on an encrypted HTTPS connection, so plain-HTTP requests should be redirected to HTTPS rather than served as-is. A site that answers over `http://` is delivering content without transport encryption.
Why it matters
Any response served over plain HTTP travels unencrypted, so it can be read or modified by anyone on the network path, such as a hostile Wi-Fi network. This is the gap that HSTS is designed to close for returning visitors, but HSTS only helps once the site reliably redirects to HTTPS in the first place. Serving real content over HTTP is a high-severity exposure.
How WebGuard checks it
WebGuard requests your public URL and reports when the final response is still delivered over `http://` instead of redirecting to HTTPS. It only observes where your server sends the request, and nothing is modified.