Hello all, finalizing, need advice on Security

Below from the Sparkle Community, are some suggestions that I read through, but what really needs to be applied?

"Put in Header:

Header set Content-Security-Policy "upgrade-insecure-requests"

The one other thing I’ll add (which is also done in your cPanel) is force HTTPS by the function “Domain Redirect”. Although you have attached an SSL Certificate, users that input (and even Google can do this) “http://www” or “www” can still rock up to your website with the “this site is insecure” message popping up which just sucks!

So redirect all www and non-www onto https://yourdomain.com

The web address in the general site settings can be changed to have a leading https://.

You also need the non secure site to redirect to the secure site, this varies depending on the web server and is currently not configured in Sparkle also because of that.

For Apache web servers (the most common) you need to create a file named .htaccess in the root of your website, perhaps using the file manager of your web host or a third party FTP application. The file should contain the following:

RewriteEngine on
# Only act on requests that did not arrive over HTTPS
RewriteCond %{HTTPS} !=on
# Send the same path on the same host to its https:// version
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

This works with any domain name.

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS "

Thanks
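Once the redirect and headers above are in place, the useful follow-up is to confirm the server actually sends them. The script below is an added example (not from the Sparkle thread or from Sparkle itself) that parses HTTP responses and checks them against the recommendations in the post: a plain http:// request should get a redirect to an https:// URL, and the https:// response should carry an HSTS header with a one-year max-age (and includeSubDomains if preload is set) plus a Content-Security-Policy containing upgrade-insecure-requests. The responses are constructed samples, not captures from a real server; pointing the parser at real output from curl -i is the assumed next step.

```python
"""Offline check of the HTTPS-hardening headers recommended in the post.

Added example, not code from the Sparkle community thread. The three
responses below are constructed samples; replace them with the raw output of
`curl -i http://yourdomain.com/` and `curl -i https://yourdomain.com/`
to check a real site.
"""
from typing import Dict, List, Tuple

ONE_YEAR = 31536000  # seconds; the max-age used in the post and required for preload

# Constructed sample: what a plain-HTTP request should receive after the
# RewriteRule (with a permanent 301 as the reply recommends).
HTTP_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.com/\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed sample: an HTTPS response carrying both headers from the post.
HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: upgrade-insecure-requests\r\n"
    "Content-Type: text/html\r\n\r\n"
)

# Constructed sample of a weak configuration: short max-age, preload without
# includeSubDomains, and no Content-Security-Policy at all.
WEAK_HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300; preload\r\n"
    "Content-Type: text/html\r\n\r\n"
)


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status_code, headers) from a raw HTTP response; names lower-cased."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into its directives."""
    directives: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                directives["max_age"] = int(part[len("max-age="):].strip('"'))
            except ValueError:
                pass  # leave max_age as None so it is reported as unparsable
        elif part == "includesubdomains":
            directives["include_subdomains"] = True
        elif part == "preload":
            directives["preload"] = True
    return directives


def check_http_redirect(raw: str) -> List[str]:
    """Problems with the response a plain http:// request received."""
    status, headers = parse_response(raw)
    problems = []
    if status == 302:
        problems.append("redirect is temporary (302); a permanent 301 is preferable")
    elif status not in (301, 308):
        problems.append(f"expected a redirect to HTTPS, got status {status}")
    if not headers.get("location", "").lower().startswith("https://"):
        problems.append("Location header does not point at an https:// URL")
    return problems


def check_https_headers(raw: str) -> List[str]:
    """Problems with the security headers on the https:// response."""
    _, headers = parse_response(raw)
    problems = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        problems.append("Strict-Transport-Security header missing")
    else:
        d = parse_hsts(hsts)
        if d["max_age"] is None:
            problems.append("HSTS max-age missing or unparsable")
        elif d["max_age"] < ONE_YEAR:
            problems.append(f"HSTS max-age {d['max_age']} is below one year ({ONE_YEAR})")
        if d["preload"] and not (d["include_subdomains"] and (d["max_age"] or 0) >= ONE_YEAR):
            problems.append("preload set without includeSubDomains and a one-year max-age")
    if "upgrade-insecure-requests" not in headers.get("content-security-policy", ""):
        problems.append("Content-Security-Policy lacks upgrade-insecure-requests")
    return problems


if __name__ == "__main__":
    for label, result in (("http redirect", check_http_redirect(HTTP_RESPONSE)),
                          ("https headers", check_https_headers(HTTPS_RESPONSE)),
                          ("weak https headers", check_https_headers(WEAK_HTTPS_RESPONSE))):
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

The check treats a 302 as a finding rather than a failure because the RewriteRule's bare [R] flag produces a 302; changing it to [R=301,L] (or using cPanel's permanent redirect, as the reply suggests) makes browsers cache the redirect.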

@jfmusic, This all happens on the hosting server so just for the record it has nothing to do with Sparkle other than Sparkle uploading HTML/CSS/JavaScript to the hosting server.

In most modern cPanels you can do a “permanent” 301 redirect and make sure that you have not only selected “www” and “http” but also “wildcard”. Doing it this way I have never had an issue! :)

I did understand the Placement part of it, it was more a question of do I need to do it.

Thank you again, will do it.