The summary incorrectly describes what’s happening, sadly. From the report, http redirects being default is an attack surface they identified as needing a solution, not a suggested action.