Fix-it guide
Serve your site over HTTPS
What it is
HTTPS is what the padlock icon in the browser address bar indicates: the connection between visitors and your server is encrypted with a TLS certificate. Google has used HTTPS as a ranking signal since 2014, and Chrome now flags non-HTTPS sites as "Not Secure" right in the URL bar.
Why it matters
A site without HTTPS loses rankings and visibly scares off customers: Chrome's "Not Secure" warning shows next to your URL on every page load. Modern browsers also disable many features (autoplay, geolocation, service workers) for non-HTTPS sites. There is no scenario in 2026 where staying on HTTP is the right call.
How to fix it
Get a TLS certificate
Most modern hosts (Vercel, Netlify, Cloudflare, AWS Amplify, WP Engine, SiteGround) provision a free Let's Encrypt certificate automatically as soon as you point a domain at them. If yours does not, obtain a Let's Encrypt certificate with Certbot, or put Cloudflare in front of your site.
Configure your server to listen on port 443
On Nginx or Apache, enable the HTTPS server block. On managed hosts, this is usually a one-click toggle in the dashboard. Confirm https://yourdomain.com loads cleanly with the padlock.
Redirect HTTP to HTTPS permanently
Every HTTP request should 301-redirect to HTTPS. This is critical for SEO: the 301 tells Google "the new address is HTTPS, transfer all ranking authority."
# Nginx: redirect HTTP to HTTPS
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
Add HSTS for belt-and-suspenders security
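The Strict-Transport-Security header tells browsers "never even attempt HTTP for this domain." Add this once you are confident HTTPS is solid. Browsers remember the policy for the full max-age (31536000 seconds is one year), and includeSubDomains applies it to every subdomain, so confirm each subdomain serves HTTPS before you enable it.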
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Fix mixed content
After switching, every internal link, script, image, and stylesheet must also use HTTPS. Browsers will block mixed content (HTTPS page loading an HTTP script). Use Chrome DevTools > Console to find any warnings, then update the URLs to https:// or protocol-relative //.
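A scan for the mixed content described above, as an added example that is not part of the original guide: it parses a page's HTML with Python's standard library and lists subresources still requested over http://. The sample page and its URLs are constructed, and the tag/attribute table is a simplified assumption that does not look inside CSS or JavaScript.

```python
from html.parser import HTMLParser

# Tag -> attributes that trigger a subresource fetch. <a href> is left out:
# a link to an http:// page is navigation, not mixed content.
FETCH_ATTRS = {"script": ("src",), "iframe": ("src",), "link": ("href",),
               "img": ("src", "srcset"), "source": ("src", "srcset"),
               "video": ("src", "poster"), "audio": ("src",)}
# Blocked outright on an HTTPS page; images and media are "upgradeable" instead.
BLOCKABLE = {"script", "iframe", "link"}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url, severity)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet links are checked; canonical/alternate are not fetches.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name) or ""
            # srcset holds comma-separated "url descriptor" candidates
            urls = ([c.split()[0] for c in value.split(",") if c.strip()]
                    if name == "srcset" else [value.strip()])
            for url in urls:
                if url.lower().startswith("http://"):
                    severity = "blockable" if tag in BLOCKABLE else "upgradeable"
                    self.findings.append((self.getpos()[0], tag, name, url, severity))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page, standing in for HTML served from https://example.com
SAMPLE = """<html><head>
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
<script src="HTTP://example.com/legacy.js"></script>
</head><body>
<a href="http://partner.example/">Partner</a>
<img src="/logo.png" srcset="http://example.com/logo-2x.png 2x, /logo.png 1x">
</body></html>"""

if __name__ == "__main__":
    print(*find_mixed_content(SAMPLE), sep="\n")
```

Fix the "blockable" findings first, since those scripts, frames and stylesheets will not load at all on the HTTPS page.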
Update Search Console and analytics
Add the HTTPS version of your site as a new property in Google Search Console. Update GA4 default URLs. Tell Google about the migration via "Change of Address" if you also changed the domain.
How to verify the fix
Visit your site: the URL should show https:// with a padlock and no warnings. Try the HTTP version (http://example.com); it should 301-redirect to HTTPS. Run a test on SSLLabs.com and aim for an A grade.