Error · security
SSL/TLS Disabled
Why HTTPS is required for modern web servers and how to enable it with Nginx.
What This Rule Checks
This rule detects when your server is listening on port 80 without SSL/TLS encryption configured.
Why It Matters
Without SSL/TLS, all traffic between users and your server is transmitted in plain text, including passwords, cookies, and other sensitive data, so anyone on the network path can read or modify it. In practice HTTPS is also required for HTTP/2, since browsers only support it over TLS, and search engines boost rankings for HTTPS sites.
✗ Bad — Triggers this rule

    server {
        # Plain HTTP only: content is served without encryption
        listen 80;
        server_name example.com;
        root /var/www/html;
    }

✓ Good — Passes this rule

    server {
        # On nginx 1.25.1+ the http2 listen parameter is deprecated in favor of "http2 on;"
        listen 443 ssl http2;
        server_name example.com;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
    }

    server {
        # Port 80 stays open only to redirect every request to HTTPS
        listen 80;
        server_name example.com;
        return 301 https://$host$request_uri;
    }

How to Fix
Enable SSL in Configen's SSL/TLS section and provide your certificate paths. Use Let's Encrypt for free certificates with `certbot`.
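
A simplified check in the spirit of this rule, added here as an illustration and not Configen's own implementation. It assumes (the page does not spell this out) that a port-80 server block is acceptable only when it redirects to HTTPS, as in the Good example; `server_blocks`, `plaintext_servers` and the sample strings are constructed for this example.

```python
import re

# Constructed samples mirroring the "Bad" and "Good" configurations on this page.
BAD = """server {
    listen 80;
    server_name example.com;
    root /var/www/html;
}"""
GOOD = """server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}"""
REDIRECT_CODES = {"301", "302", "307", "308"}

def server_blocks(conf):
    """Yield the body of each `server { ... }` block by tracking brace depth."""
    conf = re.sub(r"#.*", "", conf)  # drop comments (simplification: no quoted '#')
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def plaintext_servers(conf):
    """Return the server_name of each block that serves content over plain HTTP."""
    findings = []
    for body in server_blocks(conf):
        # Flatten nested blocks (location, if) so every directive is inspected.
        parts = [d.split() for d in re.split(r"[;{}]", body) if d.strip()]
        listens = [d[1:] for d in parts if d[0] == "listen" and len(d) > 1]
        # With no listen directive, nginx running as root defaults to *:80.
        plain80 = not listens or any(
            re.search(r"(^|:)80$", l[0]) and "ssl" not in l[1:] for l in listens)
        redirects = any(
            d[0] == "return" and len(d) > 2 and d[1] in REDIRECT_CODES
            and d[2].startswith("https://") for d in parts)
        if plain80 and not redirects:
            names = [d[1] for d in parts if d[0] == "server_name" and len(d) > 1]
            findings.append(names[0] if names else "_")
    return findings
```

A redirect found anywhere inside the block, including a nested `location`, counts for the whole server here, so review blocks that mix a redirect with other content by hand.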