LaunchTrust
Log inStart trial

Detector registry

HTTPS Requirement for Websites Before You Launch

See why HTTPS is expected for live sites, what a passive scan detects, and how to fix a site that still serves over plain HTTP before launch.

Updated 2026-06-19https requirement for websiteSignals, not a verdict
Run free scanStart trial

If your site collects an email, takes a payment, or just renders a login form, it should reach visitors over an encrypted connection. HTTPS is the baseline expectation for any public web surface in 2026 — browsers flag plain HTTP as "Not secure," search engines deprioritize it, and reviewers treat encrypted transport as table stakes. For an indie developer or store owner about to launch, "is my site actually served over HTTPS?" is one of the cheapest things to verify and one of the most embarrassing to get wrong.

This page explains exactly what the LaunchTrust HTTPS signal looks at, why secure transport keeps coming up in privacy and security expectations, and how to fix a site that is still answering on http://.

What LaunchTrust checks

The HTTPS detector (signal id https) inspects one specific thing: the final URL of the page after all redirects have resolved. It does not crawl your whole site, read your TLS certificate chain, or judge cipher strength — it answers a single, concrete question about how the page you scanned actually loaded.

  • Detected — the final URL begins with https://. The scan records this as an informational, positive signal and notes the host it resolved to (for example, served over HTTPS (example.com)). This is the state you want present.
  • Not detected — the final URL does not begin with https://; the page resolved over plain HTTP. The scan flags this as a high-severity gap and reports the final URL it landed on, so you can see whether a stray redirect dropped you back to http://.

This is a positive-polarity signal: detected is good, not-detected is the concern. Because the check keys off the final URL, it also catches a common misconfiguration — a site that loads on HTTPS but redirects, mid-chain, to an HTTP version of a page. Since a fetched page either resolved over HTTPS or it did not, this detector has no "unable to determine" middle state. A signal is a description of what was observed on the connection, not a ruling on whether your overall security posture is correct.

Why it matters

No single statute says the literal words "your website must use HTTPS." Instead, secure transport is the practical floor that several rules and platforms assume you have already cleared:

  • GDPR security expectations. The GDPR requires "appropriate technical and organisational measures" to protect personal data, and encryption is named as an example of such a measure. Transmitting a visitor's email, name, or payment detail over unencrypted HTTP is commonly treated as failing that bar. See the GDPR checklist for indie apps and the European Union overview for how this fits a launch.
  • General security hygiene. Plain HTTP exposes everything in transit to network observers and tampering — credentials, session cookies, form contents. Once you are on HTTPS, related hardening becomes meaningful: an HSTS header tells browsers to refuse the HTTP version, and mixed content checks confirm you are not loading insecure scripts or images into an otherwise secure page.
  • Browser and reviewer trust. Modern browsers label HTTP pages "Not secure" in the address bar, and that warning alone undermines a first-time visitor's confidence in a new product.

Serving over HTTPS does not, on its own, prove your data handling satisfies privacy or security law — it is one expected building block, not the whole house.

A concrete example

Suppose your scan settles on this final URL and returns a not-detected result:

final URL: http://shop.example.com/checkout

The page loaded, but on the checkout route the final URL fell back to http://. That usually means an HTTPS-to-HTTP redirect is hiding somewhere — an absolute http:// link in a redirect rule, a hardcoded canonical, or a CDN/origin mismatch. Your homepage might be perfectly secure while the page that handles money is not. After remediation, the same scan reports detected: served over HTTPS (shop.example.com). That is precisely the kind of gap a single-URL signal makes visible.

How to address it

  1. Obtain a certificate. Most hosts (Cloudflare, Netlify, Vercel, Render, managed WordPress) provision a free certificate automatically. If yours does not, issue one with Let's Encrypt or your host's one-click option.
  2. Force HTTPS at the edge. Configure a permanent (301) redirect from http:// to https:// for every route, not just the homepage. On most platforms this is a single "Always use HTTPS" toggle.
  3. Audit redirect chains. Walk the path the detector reported. Make sure no rule, canonical tag, or hardcoded link sends a secure request back to http:// mid-chain.
  4. Cover your subdomains. Ensure www, app, api, and any other subdomain a visitor might hit also serve over HTTPS with valid certificates.
  5. Replace insecure links. Swap any http:// references in templates, env config, and CMS content for https://.
  6. Add HSTS once stable, then re-scan. After every route serves cleanly over HTTPS, set a Strict-Transport-Security header so browsers stop attempting HTTP at all (see the HSTS detector for an effective max-age), then confirm the final URL now begins with https://.

Check this in 30 seconds

Paste your URL into the LaunchTrust free scanner and it reports, in plain language, whether your page's final URL resolved over HTTPS — including the exact URL it landed on if it did not. It is a fast way to catch a stray HTTP redirect on a single route before a reviewer or a visitor does. Pair it with the security headers and mixed content signals for a fuller transport-layer picture.

FAQ

Does serving over HTTPS satisfy my legal obligations? No. HTTPS is one expected building block, and this scan only reports a signal about how your page loaded — it is not legal advice or a certification. Privacy and security rules cover far more than transport encryption (data minimization, consent, retention, deletion, and more), so treat a detected HTTPS signal as one cleared item on a longer list.

The scan says not detected, but my browser shows the padlock. Why? The detector reports the final URL after redirects. If you scanned a specific route — a checkout or login page — that route may redirect to HTTP even though your homepage stays secure. Check the exact URL the scan reported, then audit the redirect rule for that path.

Do I need a paid SSL certificate? Generally no. Free certificates from Let's Encrypt and from most modern hosts provide the same encryption as paid ones. Paid certificates add things like extended validation or warranties, which are optional for most indie launches.

Does the detector check my certificate's expiry or strength? No. This signal only looks at whether the final URL uses the https:// scheme. Certificate validity, cipher suites, and TLS versions are separate concerns it does not evaluate.

Compliance aid, not legal advice. LaunchTrust reports signals, not a verdict or certification.