HTTPS Enabled
Checks that the site serves over HTTPS and redirects HTTP to HTTPS.
What this check measures
We request both http:// and https:// versions of the domain. HTTPS must serve 200; HTTP must 301 or 302 to HTTPS. A valid TLS certificate is required.
Why it matters
HTTP sites are marked "Not Secure" by Chrome, leak session cookies on every request, and cap Google ranking. Every modern host (Vercel, Netlify, Cloudflare, Replit, Lovable) includes free certs — there is no reason to ship HTTP in 2026.
How our audit detects it
HTTP HEAD to http:// and https://. Check response code, Location header, and certificate validity via TLS handshake.
Typical findings
- error_outlinehttp:// returns 200 instead of redirecting to https://.
- error_outlineExpired TLS certificate.
- error_outlineSelf-signed cert — browsers block and users get warnings.
- error_outlineMixed HTTP and HTTPS coexist without canonical enforcement.
How to fix
Enable HTTPS at your hosting platform (one click on every major provider). Add a permanent 301 redirect from HTTP to HTTPS. Enable HSTS for additional protection.
Copy-paste fix prompt for your stack
Lovable · Cursor · Bolt · v0 · Replit · Windsurf · Claude Code · Base44
Frequently asked questions
Do I need a paid SSL cert?expand_more
Is HTTPS a ranking signal?expand_more
Want this checked on your site?
Pantra runs the full audit (SEO, Security, GEO, Performance, Schema, Technical, Images) in 10 seconds and generates stack-specific fix prompts.
Scan my siteRelated checks
TLS Version
Checks that the server uses TLS 1.2 or higher — older versions are broken.
SecurityMixed Content
Checks for HTTP resources loaded on HTTPS pages — browsers block or warn.
SecuritySSL Certificate
Checks that the SSL certificate is valid, not expired, and not expiring soon.
SecurityHSTS Header
Checks for Strict-Transport-Security header — blocks HTTPS downgrade attacks.