Why Does Your Website Say "Not Secure"?

Chrome, Firefox, and Safari show "Not Secure" or "Your connection is not private" when something is wrong with your HTTPS configuration. There are several distinct causes - here's how to identify which one applies to you.

Why this happens

critical

SSL certificate expired or invalid

When an SSL certificate expires, browsers show a full-page red warning that blocks most visitors from reaching your site. An invalid certificate (issued for the wrong domain, self-signed, or with a verification error) has the same effect. Certificates need to be renewed - usually every 90 days for Let's Encrypt.

critical

Site doesn't have HTTPS at all

Your site serves content over plain HTTP, meaning all traffic between your server and visitors is unencrypted. Chrome labels every HTTP page as Not Secure. This affects your Google rankings and makes form submissions (logins, signups, payments) unsafe.

high

HTTP doesn't redirect to HTTPS

Your HTTPS works, but typing your URL without https:// doesn't automatically redirect to the secure version. Visitors using an old link or bookmark, or anyone who doesn't explicitly type https://, lands on the insecure version with the Not Secure warning.

high

Mixed content - HTTP resources on an HTTPS page

Your HTTPS page loads images, scripts, or stylesheets over HTTP. Browsers silently block these resources - images don't appear, scripts don't run - and some browsers show a Not Secure warning even though the page itself is HTTPS. This happens when old HTTP URLs are hardcoded in your code.

medium

HSTS header missing - first visit can be downgraded

Even with HTTPS and a redirect, the very first visit to your site on public WiFi can be intercepted before the redirect happens. The HSTS header tells browsers to always use HTTPS for your domain, eliminating this vulnerability.
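
A triage function for the causes listed above, added here as an example and not code from this site or its scanner: given observations already collected for one domain, it reports which causes apply. The `obs` field names, the cause labels and the sample values are assumptions constructed for the illustration.

```python
import re
import ssl
from html.parser import HTMLParser

class SubresourceScanner(HTMLParser):
    """Collect subresources (not <a> links) referenced over plain HTTP."""
    SRC_TAGS = {"img", "script", "iframe", "audio", "video", "source"}
    def __init__(self):
        super().__init__()
        self.insecure = []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        key = "href" if tag == "link" else "src" if tag in self.SRC_TAGS else None
        url = attrs.get(key) if key else None
        if url and url.lower().startswith("http://"):
            self.insecure.append(url)

def diagnose(obs, now):
    """Return the causes from the list above that the observations show.
    obs keys are hypothetical names for this example; now is epoch seconds."""
    if not obs["https_reachable"]:
        return ["no HTTPS"]
    causes = []
    # cert_not_after uses the text format of ssl.getpeercert()["notAfter"]
    if ssl.cert_time_to_seconds(obs["cert_not_after"]) <= now:
        causes.append("certificate expired")
    location = (obs["http_location"] or "").lower()
    if obs["http_status"] not in (301, 302, 307, 308) or not location.startswith("https://"):
        causes.append("no HTTP to HTTPS redirect")
    scanner = SubresourceScanner()
    scanner.feed(obs["html"])
    if scanner.insecure:
        causes.append("mixed content: " + ", ".join(scanner.insecure))
    # max-age=0 tells the browser to drop the policy, so treat it as missing
    m = re.search(r'max-age\s*=\s*"?(\d+)', obs["hsts"] or "", re.I)
    if not m or int(m.group(1)) == 0:
        causes.append("HSTS missing")
    return causes

# Constructed sample observations (not taken from a real site)
SAMPLE = {
    "https_reachable": True,
    "cert_not_after": "Mar  1 00:00:00 2025 GMT",
    "http_status": 200, "http_location": None,
    "html": '<a href="http://example.com/old">old</a>'
            '<img src="http://example.com/logo.png">',
    "hsts": None,
}
print(diagnose(SAMPLE, 1743465600))  # now = 2025-04-01 00:00:00 UTC
```

The `<a href="http://...">` link in the sample is not reported: it is navigation, not a resource the page loads, so it is not mixed content.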


Frequently asked questions

Is my site actually dangerous, or is it just a warning?
It depends. No HTTPS means all data in transit (form inputs, logins, cookies) is readable by anyone on the same network. An expired certificate means the security is broken. Mixed content means specific resources are blocked. In all cases, it's worth fixing - the warning actively drives users away and hurts SEO.

I added SSL but the browser still shows Not Secure - why?
Most likely cause: you have HTTPS but some pages still load resources over HTTP (mixed content). Open Chrome DevTools → Console and look for 'Mixed Content' warnings - they'll name the exact HTTP URLs causing the issue. Second cause: your HTTP doesn't redirect to HTTPS, so users landing on http:// still see the warning.

Does 'Not Secure' affect Google rankings?
Yes. Google has used HTTPS as a ranking signal since 2014. Sites without HTTPS rank lower than equivalent HTTPS sites. An expired certificate that fully blocks the site causes rankings to drop quickly as Google can no longer crawl it. Fixing HTTPS won't instantly boost rankings, but it removes an active penalty.

My SSL certificate auto-renews - why did it expire?
Common reasons: your domain's DNS A record was changed so Let's Encrypt can no longer verify domain ownership, your server's certbot cron job stopped running, or a billing issue paused your hosting. Check your hosting dashboard for certificate status and renewal logs.
