HTTP Strict Transport Security (HSTS) & Preloading
Your 301 HTTP → HTTPS Redirection Isn’t Sufficient

Your end-users are still very much susceptible to “man-in-the-middle” attacks, which could leave them vulnerable to phishing and eavesdropping (we’re looking at you, NSA) attempts. The issue lies in how browsers handle requests that don’t explicitly contain a scheme like “https://”: most default to “http://”.
When your browser sends an HTTP request to a site that answers with a 301 redirect, the end-user is still connecting to you over an unsecured channel, even if only for a moment, before the redirect moves them to HTTPS.
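To make the mechanism concrete, here is an added example (not code from the original post): a small Python simulation of how a browser picks the scheme for a URL typed without one, and how a Strict-Transport-Security policy learned from an earlier HTTPS response upgrades later requests before they leave the machine. The header parsing follows the directives defined in RFC 6797 (max-age, includeSubDomains, preload); the in-memory cache, the host names and the header values are constructed stand-ins for a real browser's HSTS store.

```python
"""
Added example: simulate a browser's HSTS store and the scheme decision it
makes for a scheme-less URL. Host names, header values and the cache itself
are constructed for illustration.
"""
import time
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expires_at: float        # absolute time after which the policy lapses
    include_subdomains: bool  # whether the policy also covers subdomains


def parse_hsts_header(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains, preload), or None when max-age is
    missing or malformed, in which case a browser ignores the header.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_subdomains, preload


class HstsCache:
    """Constructed stand-in for the browser's HSTS store, keyed by host."""

    def __init__(self, now=time.time):
        self.now = now
        self.entries = {}

    def learn(self, host, header_value, over_https):
        """Record a policy from a response; returns True if it was accepted."""
        # Browsers only honour HSTS on responses received over a valid HTTPS
        # connection; a header seen over plain HTTP could come from an attacker.
        if not over_https:
            return False
        parsed = parse_hsts_header(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains, _ = parsed
        if max_age == 0:
            # max-age=0 tells the browser to forget the host's policy.
            self.entries.pop(host.lower(), None)
            return True
        self.entries[host.lower()] = HstsEntry(self.now() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """True if an unexpired policy covers this host (directly or via a parent)."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None or entry.expires_at <= self.now():
                continue
            # An exact match always applies; a parent-domain entry only
            # applies when it was recorded with includeSubDomains.
            if i == 0 or entry.include_subdomains:
                return True
        return False


def resolve_scheme(typed, cache):
    """Return the scheme a browser would use for what the user typed.

    Without a remembered policy a scheme-less URL defaults to plain http, which
    is the window the post describes; with one, the request is upgraded to
    https before any packet is sent, so no 301 round-trip happens in the clear.
    """
    if typed.startswith(("http://", "https://")):
        scheme, _, rest = typed.partition("://")
    else:
        scheme, rest = "http", typed
    host = rest.split("/", 1)[0].split(":", 1)[0]
    if scheme == "http" and cache.is_known(host):
        return "https"
    return scheme
```

Walk through it with a fresh cache: the first visit to a scheme-less address resolves to http, which is exactly the unprotected hop the post is warning about. Only after the HTTPS response carrying the header has been seen does the same address resolve to https locally. That first visit is the gap HSTS preloading closes: a host on the browsers' built-in preload list is treated as already learned, so even the very first request never goes out over plain HTTP.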