TLS & certificates

HTTPS Enforcement (no plain-HTTP delivery)

Why a public site still reachable over plain HTTP exposes visitors before HSTS can help, and how WebGuard flags it.

Last updated June 9, 2026

What it is

HTTPS enforcement means every request to your site ends up on an encrypted HTTPS connection, so plain-HTTP requests should be redirected to HTTPS rather than served as-is. A site that answers over `http://` is delivering content without transport encryption.

Why it matters

Any response served over plain HTTP travels unencrypted, so it can be read or modified by anyone on the network path, such as a hostile Wi-Fi network. This is the gap that HSTS is designed to close for returning visitors, but HSTS only helps once the site reliably redirects to HTTPS in the first place. Serving real content over HTTP is a high-severity exposure.

How WebGuard checks it

WebGuard requests your public URL and reports when the final response is still delivered over `http://` instead of redirecting to HTTPS. It only observes where your server sends the request, and nothing is modified.

Check this on your own domain

WebGuard reviews this alongside the rest of your external exposure in a single read-only pass. Run a free review, or see everything it covers.