To protect your web app or API, there is almost only one way at this time: TLS. But users
and browsers don't always use TLS by default. So what you want is to redirect them to a
TLS encrypted version of your site if they try to connect via plain http.