Help: redirect-to-https
Not logged in

The "redirect-to-https" setting:

Specifies whether or not to redirect unencrypted "http://" requests to encrypted "https://" URIs. A value of 0 (the default) means do not redirect, 1 means to redirect only the /login page, and 2 means to always redirect.

For security, a value of 2 is recommended. The default value is 0 because not all sites are TLS-capable. But you should definitely enable TLS and change this setting to 2 for all public-facing repositories.