HTTPS Security

HTTPS enforcement and HSTS headers

What is HTTPS Security?

Beyond just having an SSL certificate, we check whether a website enforces HTTPS. This means automatically redirecting HTTP requests to HTTPS and/or using HSTS (HTTP Strict Transport Security) headers.

HSTS tells browsers to only connect via HTTPS in the future, even if someone types http://. Some major domains are even "preloaded" into browsers, meaning HTTPS is enforced before the first visit.

Why Does HTTPS Enforcement Matter?

Just having HTTPS available isn't enough if users can still access the site over insecure HTTP:

  • HTTPS enforcement: Ensures all visitors get the encrypted version
  • HSTS headers: Prevent downgrade attacks and cookie theft
  • HSTS preloading: Browser-level protection, even on first visit

Major sites like Google, Facebook, and GitHub are HSTS preloaded. Your browser will never connect to them over plain HTTP.

How to Interpret This Signal

  • Positive: HSTS enabled or preloaded
  • Positive: HTTPS enforced via redirect
  • Attention: HTTPS available but not enforced
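The three outcomes above can be derived from a host's responses on port 80 and port 443. The following is an added example, not this checker's own code; the function names, the `preloaded` flag (standing in for a preload-list lookup) and the sample responses are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def header(headers, name):
    """Case-insensitive header lookup; returns '' when absent."""
    return next((v for k, v in headers.items() if k.lower() == name), "")

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its RFC 6797 directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isascii() and arg.isdecimal():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":  # a request for preloading, not proof of list membership
            policy["preload"] = True
    return policy

def classify(http_status, http_headers, https_headers, preloaded=False):
    """Map one host's observed responses to the page's three outcomes."""
    # Browsers ignore HSTS received over plain HTTP, so only the HTTPS
    # response counts, and max-age=0 tells the browser to drop the policy.
    max_age = parse_hsts(header(https_headers, "strict-transport-security"))["max_age"]
    if preloaded or (max_age is not None and max_age > 0):
        return ("Positive", "HSTS enabled or preloaded")
    location = urlsplit(header(http_headers, "location"))
    if http_status in (301, 302, 303, 307, 308) and location.scheme == "https":
        return ("Positive", "HTTPS enforced via redirect")
    return ("Attention", "HTTPS available but not enforced")

# Constructed sample observations (not captured from real sites).
SAMPLES = {
    "hsts": (301, {"Location": "https://a.example/"},
             {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "redirect-only": (308, {"Location": "https://b.example/"}, {}),
    "hsts-on-http-only": (200, {"Strict-Transport-Security": "max-age=31536000"}, {}),
    "hsts-disabled": (200, {}, {"strict-transport-security": "max-age=0"}),
}

if __name__ == "__main__":
    for name, obs in SAMPLES.items():
        print(name, classify(*obs))
```

The last two samples are the cases a naive header check gets wrong: an HSTS header served only over plain HTTP, and a policy explicitly switched off with `max-age=0`.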
