The "redirect-to-https" setting:
Specifies whether or not to redirect unencrypted "http://" requests to
encrypted "https://" URIs. A value of 0 (the default) means do not
redirect, 1 means to redirect only the /login page, and 2
means to always redirect.
For security, a value of 2 is recommended. The default value is 0 because not all sites are TLS-capable. But you should definitely enable TLS and change this setting to 2 for all public-facing repositories.