BlackSheep, could you share the report URL you are talking about? I don't see any recent report matching your description.
Maybe you're talking about the HSTS flag being red? You should serve the HSTS header along with a redirect when redirecting away from an HTTPS page; this will secure the domain even if it is different from your canonical domain.
I see multiple reports of websites having messy redirects. Based on my knowledge, the most secure way of redirecting is the following:
- If the URL is http, redirect to the same page on https and apply the HSTS header
- Only then, if the URL is using the wrong domain, redirect to the same page/homepage on the canonical domain (and HTTPS)
Redirecting to another domain right away when on HTTP prevents using HSTS, and therefore typing the same address or following the same link again in the future might expose the user to MITM.
Redirecting to an HTTP page from an HTTPS page is also very bad practice, in particular if it's on a different domain where the HSTS header is likely not yet applied.
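The two-step redirect order described above, as an added illustration that is not part of the original post: a small Python model of the server's decision (same host http to https first, then alias to canonical over https), with HSTS sent on every HTTPS response. The host names (`www.example.com` and its aliases) are constructed for the example; browsers only honour Strict-Transport-Security on HTTPS responses, so the header is attached to the HTTPS hops rather than the plain-HTTP one.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed example hosts: one canonical name plus the aliases that should
# redirect to it. Anything outside this set is not redirected at all.
CANONICAL_HOST = "www.example.com"
ALIAS_HOSTS = {"example.com", "www.example.com", "old.example.net"}
HSTS = "max-age=31536000; includeSubDomains"


def plan_response(url, canonical_host=CANONICAL_HOST, aliases=ALIAS_HOSTS):
    """Return (status, headers) the server should answer for a request URL.

    1. http on any known host  -> 301 to the same host/path over https
       (no HSTS here: browsers ignore HSTS received over plain HTTP)
    2. https on an alias host  -> 301 to the canonical host, same path, plus HSTS
    3. https on the canonical  -> 200 plus HSTS
    """
    parts = urlsplit(url)
    host = parts.hostname  # lower-cased, port stripped
    if host is None or (host not in aliases and host != canonical_host):
        return 404, {}
    path = parts.path or "/"
    if parts.scheme == "http":
        target = urlunsplit(("https", host, path, parts.query, ""))
        return 301, {"Location": target}
    headers = {"Strict-Transport-Security": HSTS}
    if host != canonical_host:
        headers["Location"] = urlunsplit(("https", canonical_host, path, parts.query, ""))
        return 301, headers
    return 200, headers


def redirect_chain(url, max_hops=5):
    """Follow plan_response() like a client would and return every hop."""
    hops = []
    for _ in range(max_hops):
        status, headers = plan_response(url)
        hops.append((status, headers))
        if status != 301 or "Location" not in headers:
            break
        url = headers["Location"]
    return hops


if __name__ == "__main__":
    for status, headers in redirect_chain("http://old.example.net/page?x=1"):
        print(status, headers)
```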