diff --git a/backend/middleware/httpsRedirect.js b/backend/middleware/httpsRedirect.js
new file mode 100644
index 00000000..b3e4ab84
--- /dev/null
+++ b/backend/middleware/httpsRedirect.js
@@ -0,0 +1,10 @@
+const httpsRedirect = (req, res, next) => {
+ if (process.env.NODE_ENV === 'production') {
+ if (req.header('x-forwarded-proto') !== 'https') {
+ return res.redirect(301, `https://${req.header('host')}${req.url}`);
+ }
+ }
+ next();
+};
+
+module.exports = httpsRedirect;
diff --git a/backend/server.js b/backend/server.js
index 48d6ccfb..73218cf7 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -10,9 +10,13 @@ const cors = require('cors');
 require('./config/passportConfig');
 const logger = require('./logger');
+const httpsRedirect = require('./middleware/httpsRedirect');
 const app = express();
+// HTTPS enforcement (must be before other middleware)
+app.use(httpsRedirect);
+
 // CORS configuration
 const allowedOrigins = ['http://localhost:5173', 'https://github-spy.etlify.app'];
 app.use(cors({
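Review bot: In backend/middleware/httpsRedirect.js the `res.redirect(301, ...)` target is built from `req.header('host')`, which the client controls, so a request carrying a forged Host (or one answered from a shared cache) receives a permanent redirect to a host the server never chose, and a 301 may be cached. Build the Location from a configured canonical hostname, or reject hosts that are not on an allowlist, e.g. `const target = 'https://' + CANONICAL_HOST + req.url;` where `CANONICAL_HOST` is a placeholder for a deployment setting. The strict `!== 'https'` comparison on `x-forwarded-proto` also assumes a single trusted proxy that always overwrites the header; with `app.set('trust proxy', ...)` configured for the deployment, `req.secure` expresses the same check and copes with a comma-separated proxy chain. A short comment above the function stating that it relies on a TLS-terminating proxy would document that assumption.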
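Review bot: In backend/server.js, mounting `httpsRedirect` first redirects each plain-HTTP request, but nothing visible in this hunk tells browsers to stay on HTTPS afterwards, so the first request of a visit can still be intercepted before the 301 arrives. Consider sending HSTS on production HTTPS responses from a middleware placed right after this one, e.g. `res.set('Strict-Transport-Security', 'max-age=31536000');`; server.js continues outside the hunk, so if that header is already set elsewhere no change is needed. Because the redirect runs before every other middleware, also confirm that load-balancer health checks either arrive with `x-forwarded-proto: https` or accept a 301, otherwise healthy instances may be marked down.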