This question is best answered with an example:
The domain domain.com is located on the www-subdomain, so it is accessible under https://www.domain.com.
If not specified more concretely, our crawls in Site Experience start at your deposited domain, which in most cases is the root domain, i.e. domain.com (see project setup).
Domain.com and https://www.domain.com are strictly speaking not identical addresses. Domain.com is correctly this URL: http://domain.com.
When our crawler calls domain.com (more precisely http://domain.com) your server forwards this request in two ways:
- http://domain.com >> https://domain.com
- https://domain.com >> https://www.domain.com
The first of the three URLs (http://domain.com) is then the unsafe variant of the domain. If your server redirects it to a secure variant, or if this domain is even redirected to your corresponding subdomain afterwards, this is completely ok and does not represent a risk.
This redirecting chain can then also be looked at in the report on redirect chains (Site Experience > Indexibility > Server Responses)
Summarized: If the crawl starts at the root domain of your website, it will be called once as a non-secure variant and then be correctly forwarded by the server.
Attention: If a page (other than the root domain) has the insecure symbol, then there is probably an insecure link on your page for this URL and this should be fixed!