Serve all pages over HTTPS

Plain HTTP exposes every request and response to anyone on the network path — ISPs, Wi-Fi operators, and MITM attackers can read passwords, session tokens, and personal data without any warning to the user.

Quick Reference

• All HTTP traffic must redirect to HTTPS with a 301 (permanent) redirect
• TLS certificates must be valid, not expired, and cover all hostnames (including www)
• HTTPS is a prerequisite for HSTS, HTTP/2, Service Workers, geolocation, and other modern APIs
• Use a free certificate from Let's Encrypt or your hosting provider's managed TLS
• Verify the certificate chain with SSL Labs (ssllabs.com/ssltest) — aim for A or A+

Check

Check whether all pages of this website are served over HTTPS. Verify the TLS certificate is valid, not expired, and covers all hostnames. Confirm HTTP requests redirect to HTTPS with a 301 status code.

Fix

Configure the web server to obtain a TLS certificate (e.g., via Let's Encrypt/Certbot), redirect all HTTP requests to HTTPS with a 301 redirect, and ensure all internal links and resources use HTTPS URLs.