Your website is marked “Not secure”: why, and how to fix it
A client types your address and their browser shows "Not secure" or a full red warning page. Many will not go further. Here are the causes, from most common to sneakiest — and how to fix them.
In short: "Not secure" = the connection between the visitor and your site is not encrypted (no HTTPS), or your SSL certificate has expired. It is almost always fixable for free at your host. Test your site in 15 seconds — we also check what the browser does not display.
What "Not secure" means
This message appears when your site is served over HTTP instead of HTTPS: everything the visitor types (contact form, contact details) then travels in the clear. Chrome has displayed it since 2018, and it also hurts your search ranking. The full-screen red version ("Your connection is not private") indicates an expired or misconfigured SSL certificate.
The 3 classic causes
No HTTPS at all — the SSL certificate was never enabled at the host. Today it is free (Let's Encrypt) and included with almost every host: a switch to flip in your hosting console.
Expired certificate — certificates normally renew themselves… until the day auto-renewal breaks. Result: a red page for all your visitors, often on a weekend. It is the most common outage — and the most avoidable with monitoring that alerts you 30, 7 and 1 day before the deadline.
HTTPS present, but not forced — your site answers over HTTPS and HTTP: visitors arriving through an old link stay on the unencrypted version. An automatic redirect to HTTPS is needed.
What the browser does not show
The closed padlock does not mean "secure site" — only "encrypted connection". The protections that prevent your visitors from being hijacked or content from being injected (HSTS, CSP, anti-clickjacking…) are invisible in the browser. Our free check verifies them and gives you a score out of 100, like professional tools, but explained in plain language.
How to fix it, concretely
Run the free test — it tells you whether the problem is missing HTTPS, the redirect, the certificate (and its expiry date), or the security headers.
Enable the certificate at your host — look for "SSL" or "Let's Encrypt" in your console (or forward the report to your webmaster — there is a button for that in the report).
Force the HTTPS redirect — an option at most hosts, or a few lines of configuration.
Set an expiry alert — free monitoring watches your certificate and domain name, and warns you before your clients see a red page.
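The checks behind the steps above, as an added example rather than the code of the free test this page offers: it flags a missing HTTP-to-HTTPS redirect, applies the 30/7/1-day expiry alerts, and looks for the headers the padlock does not show. The observation dictionary, the function names and the sample values are assumptions constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

ALERT_DAYS = (30, 7, 1)  # alert thresholds named in the article

def days_left(not_after, now):
    """Whole days until notAfter, given in the format ssl.getpeercert() returns."""
    return int((ssl.cert_time_to_seconds(not_after) - now.timestamp()) // 86400)

def expiry_alert(days):
    """Tightest threshold already reached, 'expired', or None if no alert is due."""
    if days < 0:
        return "expired"
    reached = [t for t in ALERT_DAYS if days <= t]
    return min(reached) if reached else None

def audit(obs, now):
    """Return the list of problems found in one set of observations (hypothetical layout)."""
    findings = []
    # Cause 3: plain HTTP must answer with a redirect to an https:// URL.
    redirected = obs["http_status"] in (301, 302, 307, 308) and \
        obs["http_location"].lower().startswith("https://")
    if not redirected:
        findings.append("HTTPS not forced")
    # Cause 2: certificate expired or inside an alert window.
    alert = expiry_alert(days_left(obs["not_after"], now))
    if alert is not None:
        findings.append(f"certificate alert: {alert}")
    # Invisible protections: header names are case-insensitive.
    headers = {k.lower(): v for k, v in obs["https_headers"].items()}
    if "strict-transport-security" not in headers:
        findings.append("HSTS missing")
    csp = headers.get("content-security-policy", "")
    if not csp:
        findings.append("CSP missing")
    # Anti-clickjacking: either X-Frame-Options or a CSP frame-ancestors directive.
    if "x-frame-options" not in headers and "frame-ancestors" not in csp.lower():
        findings.append("anti-clickjacking missing")
    return findings

# Constructed observations (not real scan output).
SAMPLE = {
    "http_status": 200, "http_location": "",
    "not_after": "Jun 10 12:00:00 2025 GMT",
    "https_headers": {"Content-Security-Policy": "default-src 'self'"},
}
NOW = datetime(2025, 6, 5, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in audit(SAMPLE, NOW):
        print(finding)
```

A certificate with less than one full day left counts as 0 days and triggers the 1-day alert; anything past its expiry time is reported as expired.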