diff --git a/values.yaml b/values.yaml
index b750519..f0dc2f5 100644
--- a/values.yaml
+++ b/values.yaml
@@ -115,6 +115,18 @@ traefik:
 enabled: true
 service:
 type: LoadBalancer
+ # Platform-level HTTP → HTTPS redirect. Without this, browsers that
+ # default to http:// on a bare hostname hit Traefik's `web`
+ # entrypoint with no matching IngressRoute and get the built-in
+ # "404 page not found". Enabling redirectTo at the entrypoint makes
+ # every TCP-80 request bounce to TCP-443 with a 301 — applies
+ # uniformly to all IngressRoutes on this cluster, no per-instance
+ # Middleware or duplicate IngressRoute needed.
+ ports:
+ web:
+ redirectTo:
+ port: websecure
+ priority: 10
 # secrets — Tower applies these out-of-band via the registered
 # kubeconfig at Connect time (B2). The chart references them by
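Review bot: `priority: 10` in the new `ports.web.redirectTo` block lowers the generated redirect router from Traefik's default (close to the maximum) to 10, which, as far as I understand Traefik's router ordering, lets any router on `web` with a higher priority win over the redirect. Default router priority is the rule length, so an IngressRoute that omits `entryPoints` (and so also binds to `web`) with an ordinary `Host(...)` rule would likely be served over plaintext rather than redirected, which contradicts the comment's "applies uniformly to all IngressRoutes". Unless a low-priority redirect is intended, drop the `priority: 10` line, or keep it and add a comment such as `# IngressRoutes must list entryPoints: [websecure] only, otherwise they outrank this redirect`. The redirect still leaves the first request in cleartext, so pairing it with an HSTS header on the `websecure` side is worth considering. The `traefik:` mapping and the pinned chart version are outside this hunk, so the `redirectTo` key shape should be checked against that chart version.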