No Redirection from HTTP to HTTPS
When HTTPS is enabled but, HTTP requests are not redirected to HTTPS automatically, users have to open the HTTPS URL explicitly. Otherwise, communication is not encrypted and can be captured by an attacker who has access to a network interface.
Enforce using HTTPS. You can do it by redirecting any HTTP request to HTTPS using your application or web server configuration. You can also use the Strict-Transport-Security HTTP response header as an extra security defense.