
Web Application Security · Updated 2026-05-02

HTTPS Primary Enforcement

Pass requires every reachable host's first successful response to be HTTPS. Add HTTP-to-HTTPS redirects across all hosts.

HTTPS Primary Enforcement is the smallest scored web check (4 pts) and the most narrowly defined: it rewards your hosts for serving HTTPS as the first successful response when probed. In practice this means HTTP-to-HTTPS redirects work, or HTTP is closed entirely. It is the companion check to HTTPS Consistency in Infrastructure Hygiene. That one asks if HTTPS works at all; this one asks if HTTPS is the default landing experience.

The fix is the same as HTTPS Consistency: enable HTTPS on every host, then redirect HTTP traffic to HTTPS. See the HTTPS Consistency guide for per-platform setup.

How the check works

RedScore probes each target host once per scan. Each probe records whether the first successful response came back over HTTPS or HTTP. The score is https_primary_ratio = (HTTPS-first probes) / (total successful probes). Because the check looks at the first successful response rather than the first response of any kind, a 301 from HTTP to HTTPS (good) and an HTTPS-only host that refuses HTTP (also good) both score the same.

How the verdict maps to evidence

  • Pass (low): https_primary_ratio = 1.0. Every reachable host's first successful response was HTTPS.
  • Warn (medium): ratio between 0 and 1.0. Some hosts land on HTTPS first, others on HTTP.
  • Fail (high): ratio = 0.0. No host's first successful response was HTTPS.

Special states

  • Inconclusive: no hosts could be probed at all (no DNS, no fallback). Returns no score.
  • Inconclusive: every probe attempt failed inconclusively (WAF blocks, transport failures). Returns no score; investigate Web Assessability first.
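The verdict logic above, worked through as a small model. This is an added example, not RedScore's scanner code: the Hop record, the field names and the four sample hosts are assumptions chosen to exercise each outcome the page lists (redirect, HTTPS-only, plain HTTP, and a host whose probes all failed).

```python
# Constructed model of the HTTPS Primary Enforcement verdict logic described on
# this page. Not RedScore's code: the Hop/host records, field names and sample
# hosts are assumptions made for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Hop:
    """One request the prober made while following a host's redirect chain."""
    scheme: str                   # "http" or "https"
    status: Optional[int] = None  # HTTP status code, or None if no response
    error: Optional[str] = None   # "refused", "timeout", "waf_block", ...


def first_success_scheme(hops):
    """Scheme of the first response that was neither an error nor a redirect.

    A 301 from http:// that lands on a 200 over https:// therefore counts as
    HTTPS-first, and so does a host that refuses port 80 but answers on 443.
    """
    for hop in hops:
        if hop.error is not None or hop.status is None:
            continue                      # transport failure or WAF block
        if 300 <= hop.status < 400:
            continue                      # redirect: keep following
        return hop.scheme
    return None                           # no successful response at all


def score(hosts):
    """Return (https_primary_ratio, verdict, reason) for a dict of host -> hops."""
    if not hosts:
        return None, "inconclusive", "no hosts could be probed (no DNS, no fallback)"
    outcomes = {host: first_success_scheme(hops) for host, hops in hosts.items()}
    successful = [s for s in outcomes.values() if s is not None]
    if not successful:
        return None, "inconclusive", "every probe failed; check Web Assessability first"
    ratio = sum(1 for s in successful if s == "https") / len(successful)
    if ratio == 1.0:
        verdict = "pass"
    elif ratio == 0.0:
        verdict = "fail"
    else:
        verdict = "warn"
    laggards = sorted(h for h, s in outcomes.items() if s == "http")
    reason = f"{len(successful)} successful probe(s); HTTP-first hosts: {laggards or 'none'}"
    return ratio, verdict, reason


# Constructed sample scan: four hosts covering the outcomes the page describes.
SAMPLE_SCAN = {
    "www.example.test": [Hop("http", 301), Hop("https", 200)],              # redirect: good
    "cdn.example.test": [Hop("http", error="refused"), Hop("https", 200)],  # HTTPS-only: good
    "api.example.test": [Hop("http", 200)],                                 # serves plain HTTP
    "old.example.test": [Hop("http", error="waf_block"), Hop("https", error="waf_block")],
}

if __name__ == "__main__":
    ratio, verdict, reason = score(SAMPLE_SCAN)
    print(f"https_primary_ratio={ratio:.2f} verdict={verdict} ({reason})")
```

The failed host is dropped from the denominator rather than counted as HTTP-first, which is why a scan where every host fails comes back Inconclusive with no score instead of Fail; the sample scan lands on warn with a ratio of 2/3 because api.example.test answers 200 over plain HTTP.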

Fail or warn: enable HTTPS and redirect HTTP

The fix lines up with HTTPS Consistency. Three things to do per host:

  • Enable HTTPS. Most managed platforms and CDNs include free TLS automatically. Self-hosted: certbot, Caddy, or Traefik handle Let's Encrypt issuance and renewal.
  • Configure HTTP-to-HTTPS redirects. Web server config (nginx, Apache) or a CDN page rule sends 301s from http://yourhost to https://yourhost. See HTTPS Consistency for ready-to-paste nginx and Apache snippets.
  • Optionally close port 80 once redirects are confirmed working. Most operators leave 80 open with the redirect because old links and bookmarks still arrive on HTTP.

Verify the fix

  • For each host: curl -ILs http://yourhost should return a 301 or 302 to https://yourhost. -I requests headers only and -L follows the redirect, so together they print both responses in order.
  • curl -sI https://yourhost should return a normal HTTPS response (200, 301, etc.).
  • Re-run the RedScore lookup. The verdict moves to pass when every reachable host's first successful response is HTTPS.

Common pitfalls

  • Redirecting HTTPS-to-HTTPS but not HTTP-to-HTTPS. The redirect rule must specifically catch port 80 / scheme http and send to scheme https. Mis-scoped rules on the HTTPS listener do not help.
  • 302 redirects instead of 301. Both work for the score, but 301 (permanent) is preferred so browsers cache the upgrade; with a 302 (temporary) the browser keeps trying HTTP on every visit.
  • Redirect chains (HTTP to www to HTTPS to apex). Each hop is a round-trip. Keep redirects to one hop where possible: http://anyhost direct to https://canonical-host.
  • Different hosts with different policies. Apex enforces HTTPS but api.yourdomain.tld serves HTTP. Both count toward the ratio. Apply the same redirect rule on every host.
  • Inconclusive treated as Pass. Inconclusive returns no points; the verdict is not pass. If your scan shows Inconclusive here, investigate Web Assessability before assuming everything is fine.
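A helper for the verification step and the pitfalls above, as an added example rather than code from RedScore: it takes the transcript that `curl -ILs http://yourhost` prints, walks the redirect chain, and reports whether the first successful response was HTTPS, how many hops it took, and whether the first hop was temporary. The sample transcripts and hostnames are constructed. It also treats 307 and 308 as redirects, which the page does not mention but which curl follows the same way.

```python
# Constructed helper for the verification step on this page: it reads the
# transcript produced by `curl -ILs http://yourhost` and reports whether the
# first successful response was HTTPS, how many hops it took, and which of the
# pitfalls above apply. Added example, not RedScore's code; the sample
# transcripts and hostnames are made up.
import re

REDIRECT_STATUSES = {301, 302, 307, 308}   # 301/308 permanent, 302/307 temporary


def parse_transcript(text):
    """Split `curl -IL` output into a list of (status, headers) per response.

    curl prints each response's header block separated by a blank line; header
    names are lower-cased so Location/location compare equal.
    """
    responses = []
    for block in re.split(r"\r?\n\r?\n", text.strip()):
        lines = [line.rstrip("\r") for line in block.splitlines() if line.strip()]
        if not lines or not lines[0].startswith("HTTP/"):
            continue
        status = int(lines[0].split()[1])
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        responses.append((status, headers))
    return responses


def check_http_redirect(transcript):
    """Walk the redirect chain that started at http:// and classify it."""
    responses = parse_transcript(transcript)
    scheme = "http"            # the transcript began with a plain-HTTP request
    hops, final_status, notes = 0, None, []
    for status, headers in responses:
        if status in REDIRECT_STATUSES:
            hops += 1
            match = re.match(r"(https?)://", headers.get("location", ""), re.I)
            if match:          # absolute Location changes the scheme; relative keeps it
                scheme = match.group(1).lower()
            if hops == 1 and status in (302, 307):
                notes.append(f"first hop is a {status} (temporary); use 301 so browsers cache the upgrade")
            continue
        final_status = status  # first non-redirect response ends the chain
        break
    if final_status is None:
        notes.append("no non-redirect response reached; chain is broken or looping")
    elif scheme != "https":
        notes.append(f"first successful response ({final_status}) was served over plain HTTP")
    if hops > 1:
        notes.append(f"{hops} redirect hops; send http://anyhost straight to the canonical https:// URL")
    return {"https_first": final_status is not None and scheme == "https",
            "hops": hops, "final_status": final_status, "notes": notes}


# Constructed transcripts in the shape curl -ILs prints them.
GOOD = ("HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.test/\r\n"
        "Content-Length: 0\r\n\r\nHTTP/2 200 \r\ncontent-type: text/html\r\n\r\n")
TEMPORARY = GOOD.replace("301 Moved Permanently", "302 Found")
CHAINED = ("HTTP/1.1 301 Moved Permanently\r\nLocation: http://www.example.test/\r\n\r\n"
           + GOOD)
PLAIN_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for name, transcript in [("good", GOOD), ("temporary", TEMPORARY),
                             ("chained", CHAINED), ("plain-http", PLAIN_HTTP)]:
        print(name, check_http_redirect(transcript))
```

Feed it real output with `curl -ILs http://yourhost | python3 check_redirect.py` after swapping the sample loop for `sys.stdin.read()`. The chained sample passes the score (the chain does end on HTTPS) but is flagged for its two hops, and the plain-HTTP sample is what a mis-scoped rule on the HTTPS listener looks like from port 80: a 200 with no redirect at all.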
