HTTPS → HTTP critical

Protocol-Downgrade Redirect (HTTPS to HTTP)

A stray rule or http:// site URL redirects secure requests back to insecure HTTP, dropping the padlock.

What you see

Not secure  |  example.com
— or —
ERR_TOO_MANY_REDIRECTS  (when an opposing HTTPS rule pushes back)

What’s actually happening

You request https://example.com and land on http://example.com with the 'Not secure' label and no padlock. Sometimes it loops instead: the downgrade rule sends the request to http, an edge/HSTS rule forces it back to https, and the two ping-pong into ERR_TOO_MANY_REDIRECTS. Google Search Console starts reporting the http URL as canonical.

Common causes

  • CMS site URL saved as http:// (WordPress siteurl/home, Magento base_url), so generated links and canonical redirects strip TLS.
  • A leftover .htaccess or Nginx rule redirecting https back to http after a migration was reverted halfway.
  • Cloudflare/CDN redirect rule or Page Rule that rewrites scheme to http for a path or hostname.
  • App misreads X-Forwarded-Proto and 'corrects' https requests down to http (the mirror image of the proxy loop bug).
  • Mixed canonical config: HTML <link rel=canonical> points to http while the server serves https.

How to fix it

  1. Trace the downgrade. Run curl -sIL https://example.com and look for a 301/302 whose Location starts with http://. Note the emitting layer (Server header, CF-Ray) so you fix the right place.
  2. Correct the site/base URL. Set the canonical URL to https. WordPress: update siteurl and home (wp-config WP_HOME/WP_SITEURL or the DB). Magento: set the secure and unsecure base_url to https://. Then flush caches.
  3. Remove the down-rewrite and force up instead. Delete any rule that targets http:// as a destination. Replace it with a single canonical redirect to https and add HSTS (Strict-Transport-Security: max-age=31536000; includeSubDomains) so browsers refuse the downgrade.
  4. Fix forwarded-proto handling if it loops. If a force-HTTPS layer fights the downgrade, make the app read X-Forwarded-Proto correctly so only true http requests get upgraded; see the proxy loop entry.
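
The trace from step 1 as an added example (not part of the original page): a shell function that reads curl -sIL output and reports each hop where an https request is answered with an http:// Location, along with the Server and CF-Ray headers of the response that emitted it. The function names, the LOOP check and the sample capture are constructed for illustration, and it accepts 303/307/308 as well as 301/302.

```shell
#!/bin/sh
# Added example. Usage: curl -sIL https://example.com/ | find_downgrades https://example.com/
# find_downgrades is a hypothetical helper name; $1 is the URL that was requested.
find_downgrades() {
  awk -v url="$1" '
    BEGIN { seen[url] = 1 }                  # the start URL counts as already visited
    function report() {
      if (status ~ /^30[12378]$/ && loc != "") {
        # Downgrade: the request was https and the response points at http://
        if (tolower(url) ~ /^https:/ && tolower(loc) ~ /^http:\/\//)
          printf "DOWNGRADE hop=%d status=%s to=%s server=%s cf-ray=%s\n",
                 hop, status, loc, (server == "" ? "-" : server), (ray == "" ? "-" : ray)
        # The same Location twice means the chain is ping-ponging
        if (seen[loc]++) printf "LOOP hop=%d revisits=%s\n", hop, loc
        # An absolute Location is the next request URL; a relative one keeps the scheme
        if (loc ~ /^[A-Za-z][A-Za-z0-9+.-]*:/) url = loc
      }
      status = loc = server = ray = ""
    }
    { sub(/\r$/, "") }                       # curl prints headers with CRLF endings
    /^HTTP\// { report(); hop++; status = $2; next }   # a status line opens a new hop
    {
      name = tolower($0); sub(/:.*/, "", name)         # header names are case-insensitive
      value = $0; sub(/^[^:]*:[ \t]*/, "", value)
      if (name == "location") loc = value
      else if (name == "server") server = value
      else if (name == "cf-ray") ray = value
    }
    END { report() }
  '
}

# Constructed sample, not a real capture: a leftover https->http rule
# fighting a port-80 rule that forces https.
sample_capture() {
  printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: http://example.com/\r\n\r\n'
  printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://example.com/\r\n\r\n'
}

sample_capture | find_downgrades https://example.com/
```

A clean chain prints nothing, so the function can gate a deploy check: any output means a layer still targets http://.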

Stop it recurring

Store every canonical URL as https, enable HSTS, and never use http:// as a redirect destination.
