"Not Secure" Warning on Your Website
Last updated April 2026
The "Not Secure" warning in your browser's address bar means your website does not use HTTPS encryption. Any data visitors enter on your site (contact forms, login credentials, payment details) travels in plain text across the network, readable by anyone who intercepts it. Every major browser displays this warning: Chrome, Firefox, Safari, and Edge. Starting October 2026, Chrome will go further and show a full-page blocking warning before loading HTTP sites for all users, not just a label in the address bar.
What this costs your business
Visitors leave
When people see "Not Secure" next to your URL, many leave immediately. Baymard Institute research found that 18% of online shoppers abandon their cart specifically because they did not trust the site with their payment information. The "Not Secure" label is one of the most visible trust signals a browser provides, and it works against you.
An expired or misconfigured certificate is worse. Instead of a small label, browsers show a full-page warning ("Your connection is not private") that blocks access entirely. Most visitors will not click through it.
Search engines penalize it
Google confirmed HTTPS as a ranking signal in 2014. It functions as a baseline requirement: having HTTPS does not guarantee higher rankings, but lacking it means competitors with HTTPS will outrank you when content quality is otherwise equal. HTTPS is grouped into Google's Page Experience ranking system alongside Core Web Vitals and mobile-friendliness.
It is a compliance risk
GDPR Article 32 requires "appropriate technical and organizational measures" to protect personal data, and specifically names encryption as one such measure. A website that collects personal data through contact forms, newsletter signups, or user accounts without HTTPS encryption is at risk of violating this requirement.
In Sweden, IMY has fined organizations for inadequate web security. Region Uppsala received a SEK 1.9 million fine for transmitting sensitive personal data without encryption. The Equality Ombudsman was fined SEK 100,000 after a web form leaked personal data to an analytics processor due to insufficient security measures.
Why the warning appears
The "Not Secure" warning is not always about a missing certificate. Several different issues can trigger it:
No SSL/TLS certificate installed. This is the most common cause. The site runs entirely on HTTP with no encryption. Every major hosting provider now offers free SSL certificates through Let's Encrypt, which holds over 63% of the global certificate market.
Certificate has expired. SSL certificates have a limited lifetime. Let's Encrypt certificates expire every 90 days and require renewal (most hosting providers handle this automatically, but misconfiguration or hosting changes can break the renewal process). An expired certificate triggers a full-page blocking warning, not just the "Not Secure" label.
Mixed content. Your site has HTTPS, but some resources (images, scripts, stylesheets) still load over HTTP. This degrades the security indicator and can cause browsers to block the insecure resources entirely. It commonly happens after installing SSL when internal links and embedded content still reference HTTP URLs.
HTTP-to-HTTPS redirect missing. The certificate is installed, but visitors who type your domain without https:// or follow old links still land on the HTTP version. Without a redirect, they see the unencrypted version of your site and the "Not Secure" warning.
Outdated TLS version. TLS 1.0 and 1.1 are deprecated. Sites still using these versions may trigger warnings or connection failures in modern browsers. TLS 1.2 with strong cipher suites is the minimum; TLS 1.3 is the current recommendation.
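The mixed-content cause above can be checked directly against a page's HTML. The following scanner is an added example, not code from this site's tooling; the sample markup and the `example.test` hostnames are constructed for illustration, and the active/passive split follows the usual browser distinction between resources that can change the page (scripts, stylesheets, frames) and those that are only displayed.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that fetch a subresource. <a href> is navigation,
# not a subresource load, so it is deliberately left out.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (kind, tag, url, line number)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            # Only explicit http:// URLs are insecure; https:// and
            # protocol-relative (//host/...) URLs inherit the page's scheme.
            if not value or not value.strip().lower().startswith("http://"):
                continue
            if (tag, name) in ACTIVE:
                # In this example only rel=stylesheet counts as a <link> load.
                if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                    continue
                kind = "active"
            elif (tag, name) in PASSIVE:
                kind = "passive"
            else:
                continue
            self.hits.append((kind, tag, value.strip(), self.getpos()[0]))


def find_mixed_content(html):
    """Return insecure subresource references found in an HTTPS page's HTML."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample page: one insecure stylesheet, one insecure image.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="http://www.example.test/logo.png">
<a href="http://www.example.test/old-page">old link</a>
<script src="//cdn.example.test/ok.js"></script>
</body></html>"""
```

Running `find_mixed_content(SAMPLE)` reports the stylesheet and the image with their line numbers and ignores the plain link, which is a redirect problem rather than a mixed-content one.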
What is changing in October 2026
Google announced that Chrome 154 (October 2026) will enable "Always Use Secure Connections" by default for all users. This means Chrome will attempt to connect over HTTPS first and display an interstitial warning page before loading any HTTP site.
This is a significant change from the current behavior. Today, HTTP sites load normally with a small "Not Secure" label. After October 2026, they will show a full-page warning that visitors must actively bypass. For most users, that warning will effectively make the site unreachable.
Chrome already enabled this for Incognito Mode (since Chrome 127 in June 2024) and for users with Enhanced Safe Browsing enabled (Chrome 147, April 2026).
How to check if your site is affected
The scan checks your website's SSL/TLS configuration as part of the security category. It verifies:
- Whether your site uses HTTPS
- Whether your TLS certificate is valid and trusted
- Whether the certificate is approaching expiration (flags certificates expiring within 30 days)
- Which TLS protocol version your server uses (warns on TLS 1.0 and 1.1)
- Whether the HSTS header is set (which tells browsers to always use HTTPS)
If your site has mixed content issues, the scan also detects whether resources are loaded over insecure connections.
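The certificate, protocol and HSTS checks in the list above can be reproduced with Python's standard library. This is an added example, not the scan's own implementation: `assess` and `probe` are hypothetical names, and the finding strings are chosen here for illustration.

```python
import http.client
import re
import socket
import ssl
from datetime import datetime, timedelta, timezone

DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}  # names as SSLSocket.version() reports them
EXPIRY_WINDOW = timedelta(days=30)          # the 30-day threshold named above


def assess(not_after, tls_version, headers, now=None):
    """Turn collected values into findings; arguments mirror what probe() returns."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    findings = []
    if expires <= now:
        findings.append("certificate expired")
    elif expires - now <= EXPIRY_WINDOW:
        findings.append(f"certificate expires in {(expires - now).days} days")
    if tls_version in DEPRECATED:
        findings.append(f"deprecated protocol {tls_version}")
    # Header names are case-insensitive, so normalise before the lookup.
    hsts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    max_age = re.search(r"max-age\s*=\s*\"?(\d+)", hsts or "", re.I)
    if hsts is None:
        findings.append("HSTS header missing")
    elif max_age is None or int(max_age.group(1)) == 0:
        findings.append("HSTS header present but not in effect")
    return findings


def probe(host, port=443, timeout=5):
    """Collect live values. An untrusted, expired or mismatched certificate
    raises ssl.SSLCertVerificationError, which is itself a finding."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            not_after, version = tls.getpeercert()["notAfter"], tls.version()
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", "/")
        headers = dict(conn.getresponse().getheaders())
    finally:
        conn.close()
    return not_after, version, headers
```

Call `assess(*probe("your-domain"))` against a site you operate. A default context in current Python releases refuses TLS 1.0 and 1.1, so a server that offers only those versions fails the handshake in `probe` instead of reaching `assess`.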
For a full overview of the security checks, see our website security guide. For a broader assessment across all six categories, try the free website test.
Sources
- HTTPS by default - Google Security Blog, October 2025
- HTTPS as a ranking signal - Google Search Central, 2014
- Cart abandonment statistics - Baymard Institute
- GDPR Article 32 - EUR-Lex
- IMY fines and warnings - IMY
- Let's Encrypt - Free SSL certificate authority