HTTP does not redirect to HTTPS

HTTP does not redirect to HTTPS: what it means, why it may matter, and how to remediate with external verification using ExposureGrid.

The problem

The site answers plain-HTTP requests without redirecting them to HTTPS. HTTP→HTTPS behavior, redirects, and canonical hosts all affect whether clients reach your application safely.

Why it matters

Mis-redirects and mixed behaviors can confuse clients and caches, or create downgrade windows, depending on topology.

How to check

Test the apex and www hosts over both HTTP and HTTPS, follow redirects with curl -IL, inspect how HSTS interacts with the redirects, then scan.
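The manual check above can be scripted. The following is an added example, not ExposureGrid's code: a POSIX shell function that reads the header dump from curl -sIL and reports whether the chain ends on HTTPS at the canonical host with HSTS set. The function name, the FAIL/WARN labels, the two-hop threshold and the example.com sample dumps are assumptions made for illustration.

```shell
# Added example: audit a redirect chain captured with `curl -sIL http://HOST/`.
# Handles absolute and root-relative Location values only.
audit_chain() {  # $1 = URL that was requested, $2 = expected canonical host
    awk -v url="$1" -v canon="$2" '
    function scheme(u) { return substr(u, 1, index(u, ":") - 1) }
    function host(u) { sub("^[a-z]+://", "", u); sub("[/:?#].*$", "", u); return tolower(u) }
    function endblock() {            # called once per response in the dump
        if (status == "") return
        if (status ~ /^3/ && loc != "") {
            if (loc ~ "^/") { match(url, "^[a-z]+://[^/]+"); loc = substr(url, 1, RLENGTH) loc }
            if (scheme(url) == "https" && scheme(loc) == "http") print "FAIL downgrade-hop " loc
            if (host(loc) != host(url) && host(loc) != canon) print "FAIL unexpected-host " host(loc)
            url = loc; hops++
        } else final = status
        last_hsts = hsts; status = ""
    }
    { sub(/\r$/, "") }               # curl prints CRLF line endings
    /^HTTP\// { endblock(); status = $2; loc = ""; hsts = 0; next }
    tolower($0) ~ /^location:/ { loc = $0; sub("^[^:]*:[ \t]*", "", loc) }
    tolower($0) ~ /^strict-transport-security:/ { hsts = 1 }
    END {
        endblock()
        if (scheme(url) != "https") print "FAIL final-url-not-https " url
        else if (host(url) != canon) print "FAIL non-canonical-host " host(url)
        if (final !~ /^2/) print "WARN final-status " final
        if (scheme(url) == "https" && !last_hsts) print "WARN no-hsts"
        if (hops > 2) print "WARN long-chain"   # threshold of 2 hops is an assumption
        print "INFO hops=" (hops + 0) " final=" url
    }'
}

# Constructed sample dumps (example.com hosts, not real captures).
sample_good() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n'
    printf 'HTTP/2 301 \r\nlocation: https://www.example.com/\r\nstrict-transport-security: max-age=31536000\r\n\r\n'
    printf 'HTTP/2 200 \r\nstrict-transport-security: max-age=31536000\r\n\r\n'
}
sample_no_redirect() {   # the finding on this page: port 80 answers 200 directly
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
}
sample_downgrade() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n'
    printf 'HTTP/2 302 \r\nlocation: http://cdn.example.net/landing\r\n\r\n'
    printf 'HTTP/1.1 200 OK\r\n\r\n'
}
```

Against a live host, pipe curl -sIL http://HOST/ into audit_chain with the same URL and the expected canonical host, and repeat for the apex and www names.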

How to fix

Enforce HTTPS with a consistent canonical host, shorten redirect chains, prevent redirects to unexpected domains, and eliminate mixed content where practical.

  1. Identify owners for the affected component (app, edge, DNS, or mail).
  2. Make a minimal change and validate in staging or a canary route.
  3. Deploy with monitoring and rollback readiness.
  4. Re-run ExposureGrid to confirm the external signal improved.

What ExposureGrid checks

ExposureGrid observes external redirect chains and HTTPS availability signals.

FAQ

Why does "HTTP does not redirect to HTTPS" appear in ExposureGrid?
Scanners observe externally visible signals. A finding means our rules matched; validate severity and applicability in your environment.

Could this be a false positive?
Yes, depending on context and coverage limits. Especially for heuristic, partial, or pattern-based checks, corroborate with manual review.

What should I do after changing configuration?
Re-run a scan to confirm the external signal changed, then enable monitoring where your plan supports it.

ExposureGrid continuously monitors these issues and alerts you before they become exploitable.