HTTPS SHOULD BE ON REDIRECTs