As I mention in a previous comment, if you are using the TOR hidden service (3g2upl4pq6kufc4m.onion/) the redirect goes over a TOR exit node without https. Ideally it should use the hidden service so no exit node is involved, or at the least use HTTPS.