Redirect HTTP to HTTPS
MetricSpot checks whether http:// requests are 301-redirected to https://. Without it your site has two indexable copies — and a downgrade window for every first-time visitor.
What this check does
Issues a request to http://yourdomain.com/ and looks for a 301 or 308 response with a Location: header pointing to https://. The check fails if the HTTP version returns 200 (your site is dual-served on plaintext) or returns nothing at all (HTTP port 80 isn’t listening).
Why it matters
Even with HTTPS available, the first request a new visitor makes is almost always plaintext. They type yourdomain.com and the browser tries HTTP first. Without a redirect, three things go wrong at once.
- Two indexable copies. Google treats http://example.com/page and https://example.com/page as separate URLs. Without a 301 they can both appear in the index, splitting backlinks and ranking signal.
- Downgrade window. That first plaintext request is when sslstrip-style attacks happen on hostile networks. The server should refuse the conversation and force the upgrade.
- Mixed-content warnings. If the HTTP version actually renders, every asset URL on the page that’s not protocol-relative gets fetched over HTTP — and modern browsers block them silently.
The redirect is the bridge to HSTS. Once HSTS is set, browsers stop hitting HTTP at all on return visits — but the redirect still has to catch first-time visitors and crawlers.
How to fix it
Listen on port 80 and return 301 to the HTTPS equivalent for every path:
nginx:
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    # $request_uri carries the path and query string, so every URL lands on its HTTPS twin in one hop
    return 301 https://www.example.com$request_uri;
}
Apache (.htaccess):
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Caddy — automatic. Caddy redirects HTTP→HTTPS by default once a site block has a TLS-eligible hostname.
Cloudflare — SSL/TLS → Edge Certificates → “Always Use HTTPS” → On.
Vercel / Netlify / Render / Dokku — HTTPS redirect is on by default for any project with a custom domain.
Get a certificate first. If you don’t already have one, Let’s Encrypt + Certbot is free and renews automatically:
sudo certbot --nginx -d example.com -d www.example.com
Audit yourself — curl -sI http://example.com/ should print HTTP/1.1 301 Moved Permanently and a Location: https://... header. Anything else (200, 404, connection refused) fails the check.
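The same audit as a small script, added here as an example (it is not MetricSpot's own checker): it sends one plaintext request without following redirects, then judges the reply the way the check above does, also flagging a lost path or an extra www/non-www hop. Host names are placeholders.

```python
import http.client
import socket
from urllib.parse import urlsplit


def classify(status, headers, path="/", canonical_host=None):
    """Judge one plaintext response. headers has lower-case keys.
    Returns (passed, reason)."""
    if status == 200:
        return False, "site is dual-served over plaintext HTTP"
    if status not in (301, 308):
        return False, f"unexpected status {status}"
    location = headers.get("location")
    if not location:
        return False, "redirect without a Location header"
    target = urlsplit(location)
    if target.scheme != "https":
        return False, f"redirect points at {target.scheme}:// not https://"
    # Rebuild the request-URI the redirect lands on; a bare host means "/"
    landed = (target.path or "/") + (f"?{target.query}" if target.query else "")
    if landed != path:
        return False, f"path not preserved: {path} -> {landed}"
    # Optional: the first hop should already reach the canonical host,
    # otherwise visitors pay a second redirect (http -> https -> https://www)
    if canonical_host and target.netloc != canonical_host:
        return False, f"extra hop: lands on {target.netloc}, expected {canonical_host}"
    return True, f"{status} -> {location}"


def audit(host, path="/", canonical_host=None, timeout=5):
    """Issue one GET to http://host{path} with redirects NOT followed
    and classify the answer. A refused/unreachable port 80 also fails."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return classify(resp.status, headers, path, canonical_host)
    except (socket.timeout, OSError) as exc:  # connection refused, DNS, etc.
        return False, f"port 80 not answering: {exc}"
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder hosts; replace with your own domain to run the live check
    print(audit("example.com", "/page?x=1", canonical_host="www.example.com"))
```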
Frequently asked questions
301 or 308?
301 is the standard. 308 (RFC 7538) is the same idea but guarantees the method and body aren’t rewritten on the redirect, which matters for POST requests. For a typical website with GET traffic, 301 is fine and what every CDN / WAF uses by default.
What about the API subdomain — same rule?
Yes. Any subdomain that serves real traffic should redirect HTTP to HTTPS the same way. If the API is the kind that only accepts HTTPS (no fallback) you can also configure the server to refuse port 80 entirely with connection: close.
Should I redirect to www or non-www at the same time?
If you’re collapsing both decisions in one redirect, yes — combine them so visitors land at the canonical URL after one hop, not two. See Keep redirect chains short for the trap of stacking redirects.
Last updated 2026-05-11