Why Your Site Shows "Not Secure" (and How to Fix HTTPS)

That "Not Secure" label scares users away. Here's what triggers it and the usual fixes to get the padlock back.

BytExplorer 6 min read June 28, 2026

Your site loads, but the browser stamps "Not Secure" next to the address — and visitors notice. It means the connection isn't properly protected by HTTPS. A handful of issues cause it, and each has a clear fix.

Cause 1: No certificate at all (plain HTTP)

If you're serving over plain http://, there's no encryption, and modern browsers flag every such site. The fix is to get a TLS certificate and serve over https://. Free, automated certificates from Let's Encrypt are the standard solution and renew themselves.

Cause 2: Certificate expired

Certificates have an expiry date. If yours lapsed, the browser distrusts the connection even though HTTPS is "set up." Check the expiry by clicking the address-bar info, and make sure auto-renewal is actually running — most lapses are a renewal that silently stopped.

Cause 3: Mixed content

The page itself loads over HTTPS, but it pulls in some resources (images, scripts, styles) over plain http://. Browsers consider the whole page only as secure as its weakest link, so they downgrade the indicator. The fix: make every resource load over https:// (or protocol-relative URLs).

A single hardcoded http:// image URL can knock the padlock off an otherwise perfectly secure page. Hunt those down.

Cause 4: Name mismatch

A certificate is issued for specific domain names. If you're visiting a name the certificate doesn't cover (for example the bare domain when the cert only lists www), the browser warns. Make sure the certificate covers every hostname you actually serve.

How to confirm the real reason

Click the "Not Secure" text in the address bar — browsers explain the specific problem (no certificate, expired, mixed content, name mismatch). That message tells you which of the above you're dealing with, so you fix the right thing.

The takeaway

"Not Secure" isn't vague — it's one of a few specific problems: no cert, expired cert, mixed content, or a name mismatch. Read the browser's explanation, address that exact cause, and the padlock comes back.

Put it into practice

Stop reading, start building

This pairs with a hands-on BytExplorer course — do it on your own machine and actually keep the skill.

More in Troubleshooting