Force HTTPS and enable HSTS — Lovable
HTTP is marked "Not Secure" by Chrome. Every plain-HTTP request exposes cookies to anyone on the network path and lets an attacker on a hostile network inject content into the page. Missing HTTPS also caps SEO ranking.
Fixing this in Lovable
AI full-stack app builder (React + Vite + Supabase)
Lovable apps ship fast but skip most SEO and security basics out of the box. Paste the prompt below into your Lovable chat and the fix rolls out across the project in one pass.
Using a different tool? Pick your stack:
The prompt for Lovable
Copy and paste this into your Lovable chat exactly as-is.
Fix my Lovable app — please make these exact changes in the Lovable editor:

Force HTTPS
1. Configure your hosting provider to issue a Let's Encrypt certificate (most platforms do this automatically).
2. Add a permanent (301) redirect from http:// to https://.
3. Set the Strict-Transport-Security header so browsers refuse plain HTTP.
Why this matters
Google uses HTTPS as a ranking signal and Chrome labels HTTP sites "Not Secure" right in the address bar. No modern hosting platform charges for HTTPS — Vercel, Netlify, Replit, Lovable, Cloudflare all include free certificates.
HSTS takes HTTPS one step further: it tells the browser to refuse HTTP for your domain entirely, for a long max-age. This blocks an entire class of downgrade attacks.
Enabling HSTS also makes your domain eligible for the HSTS preload list — Chrome and Firefox then ship your domain as HTTPS-only out of the box, so even a first-time visitor on a compromised network never sends a plain HTTP request.
How to use this prompt in Lovable
1. Open your Lovable project.
2. Copy the prompt above with the copy button.
3. Paste into the Lovable chat and send.
4. Review the diff, accept the changes, redeploy.
5. Verify the fix using the checklist below.
Common mistakes to avoid
- Enabling HSTS with `includeSubDomains` before every subdomain serves HTTPS — browsers then refuse to load those subdomains over plain HTTP.
- Setting `Strict-Transport-Security: max-age=300` for "safety" — a short max-age expires almost immediately and defeats the point.
- Redirecting HTTP to HTTPS via a 302 instead of a 301 — SEO equity leaks.
- Redirecting to a fixed HTTPS path and losing the original path or query string.
How to verify the fix worked
- Visit `http://yoursite.com` — the browser must redirect to HTTPS automatically.
- `curl -I http://yoursite.com` — returns `301 Moved Permanently` with an HTTPS `Location` header.
- `curl -I https://yoursite.com` — the response includes `Strict-Transport-Security: max-age=31536000; includeSubDomains`.
- Run the SSL Labs test at https://www.ssllabs.com/ssltest/ — grade A or A+.
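The redirect and header rules from the prompt and the checklist above, modelled as two small pure functions so they can be exercised offline. This is an added example, not Lovable's or Pantra's code: `buildHttpsRedirect` and `checkHsts` are hypothetical helper names, and the sample URL and header values are constructed.

```javascript
// Build the redirect a server should send for a plain-HTTP request: a 301 whose
// Location keeps the original host, path and query string (so nothing is lost).
function buildHttpsRedirect(requestUrl) {
  const u = new URL(requestUrl);
  if (u.protocol === 'https:') return null; // already secure, nothing to do
  u.protocol = 'https:';                    // only the scheme changes
  return { status: 301, location: u.toString() };
}

// Parse a Strict-Transport-Security header value into its directives.
function parseHsts(headerValue) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of headerValue.split(';')) {
    const token = raw.trim();
    if (!token) continue;
    const [name, value] = token.split('=').map((s) => s.trim());
    const lower = name.toLowerCase();
    if (lower === 'max-age') out.maxAge = Number(value);
    else if (lower === 'includesubdomains') out.includeSubDomains = true;
    else if (lower === 'preload') out.preload = true;
  }
  return out;
}

// Apply the checklist: max-age of at least one year (31536000 s) and
// includeSubDomains present. Returns a list of problems; empty means it passes.
function checkHsts(headerValue, minMaxAge = 31536000) {
  if (!headerValue) return ['missing Strict-Transport-Security header'];
  const problems = [];
  const h = parseHsts(headerValue);
  if (h.maxAge === null || Number.isNaN(h.maxAge)) {
    problems.push('max-age missing or not a number');
  } else if (h.maxAge < minMaxAge) {
    problems.push(`max-age ${h.maxAge} is below ${minMaxAge}`);
  }
  if (!h.includeSubDomains) problems.push('includeSubDomains not set');
  return problems;
}

// Constructed sample inputs mirroring the verification steps above.
const sampleRedirect = buildHttpsRedirect('http://yoursite.com/pricing?plan=pro');
// → { status: 301, location: 'https://yoursite.com/pricing?plan=pro' }
const sampleGood = checkHsts('max-age=31536000; includeSubDomains'); // → []
const sampleShort = checkHsts('max-age=300');                         // → 2 problems
```

The `checkHsts` call is the offline equivalent of reading the header out of `curl -I https://yoursite.com`; the short max-age case reproduces the second common mistake listed above.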
Frequently asked questions
Do I need a paid SSL certificate?
Should I preload HSTS?
Can HSTS lock me out if something goes wrong?
Want all 34 prompts tailored to your Lovable site?
Pantra scans your site in 10 seconds, detects the stack, and generates the exact prompts that apply — only the ones you actually need.
Related Lovable prompts
Add security headers (CSP, HSTS, X-Frame, etc.) — Lovable
Stack-specific prompt to ship Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy in Lovable, Cursor, Bolt, v0, Replit, Windsurf, Claude Code, Base44.
Security: Move API keys off the client bundle — Lovable
Stack-specific prompt to move Supabase service keys, OpenAI keys, Stripe keys, and other secrets out of client code and into server env — for Lovable, Cursor, Bolt, v0, Replit, Windsurf, Claude Code, Base44.
Security: Enable Supabase Row Level Security on every table — Lovable
Prompt to enable RLS on every Supabase table and write sane policies — the #1 security fix for Lovable, Cursor, Bolt, v0, Replit, Windsurf, Claude Code, Base44 apps.