Fix-it guide

Serve your site over HTTPS

Critical impact | ~1 hour | Technical health

What it is

HTTPS is what the padlock icon in the browser address bar indicates: the connection between visitors and your server is encrypted with TLS, backed by a certificate that identifies your server. Google has used HTTPS as a ranking signal since 2014, and Chrome now flags non-HTTPS sites as "Not Secure" right in the URL bar.

Why it matters

A site without HTTPS loses rankings AND visibly scares off customers: Chrome's "Not Secure" warning shows next to your URL on every page load. Modern browsers also disable many features (autoplay, geolocation, service workers) for non-HTTPS sites. There is no scenario in 2026 where staying on HTTP is the right call.

How to fix it

  1. Get a TLS certificate

    Most modern hosts (Vercel, Netlify, Cloudflare, AWS Amplify, WP Engine, SiteGround) provision a free Let's Encrypt certificate automatically as soon as you point a domain at them. If yours does not, install Let's Encrypt via Certbot, or put Cloudflare in front of your site.

  2. Configure your server to listen on port 443

    On Nginx or Apache, enable the HTTPS server block. On managed hosts, this is usually a one-click toggle in the dashboard. Confirm https://yourdomain.com loads cleanly with the padlock.

  3. Redirect HTTP to HTTPS permanently

    Every HTTP request should 301-redirect to HTTPS. This is critical for SEO: the 301 tells Google "the new address is HTTPS, transfer all ranking authority."

    # Nginx: redirect HTTP to HTTPS
    server {
      listen 80;
      server_name example.com www.example.com;
      return 301 https://$host$request_uri;
    }

  4. Add HSTS for belt-and-suspenders security

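    The Strict-Transport-Security header tells browsers "never even attempt HTTP for this domain." Add this once you are confident HTTPS is solid. Browsers cache the policy for max-age seconds (one year in the line below), and includeSubDomains applies it to every subdomain, so each of them must already serve HTTPS.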

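    # Nginx: send HSTS from the HTTPS (port 443) server block;
    # browsers ignore this header when it arrives over plain HTTP
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

  5. Fix mixed content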

    After switching, every internal link, script, image, and stylesheet must also use HTTPS. Browsers will block mixed content (HTTPS page loading an HTTP script). Use Chrome DevTools > Console to find any warnings, then update the URLs to https:// or protocol-relative //.

  6. Update Search Console and analytics

    Add the HTTPS version of your site as a new property in Google Search Console. Update GA4 default URLs. Tell Google about the migration via "Change of Address" if you also changed the domain.

How to verify the fix

Visit your site; the URL should show https:// with a padlock and no warnings. Try the HTTP version (http://example.com); it should 301-redirect to HTTPS. Run a test on SSLLabs.com and aim for an A grade.
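The redirect, HSTS and mixed-content checks can also be scripted. The following is an added example, not code from this guide: it validates a plain-HTTP response's status and Location, an HTTPS response's Strict-Transport-Security value, and a page's HTML for http:// subresources. The function names and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

def check_redirect(status, location, host):
    """Plain-HTTP response must be a 301 to https:// on the same host."""
    if status != 301:
        return f"expected 301, got {status}"
    target = urlsplit(location or "")
    if target.scheme != "https" or target.hostname != host:
        return f"redirect target is not https://{host}: {location!r}"
    return None

def check_hsts(header, min_age=31536000):
    """HSTS header must be present with max-age >= min_age seconds."""
    if not header:
        return "Strict-Transport-Security header missing"
    m = re.search(r'(?i)\bmax-age\s*=\s*"?(\d+)', header)
    if not m or int(m.group(1)) < min_age:
        return f"max-age missing or below {min_age}: {header!r}"
    return None

class MixedContent(HTMLParser):
    """Collect http:// subresources; <a href> is a navigation, not a load."""
    ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href",
             "audio": "src", "video": "src", "source": "src"}
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        # Attribute values may be None (e.g. a bare `src`), hence `or ""`.
        url = dict(attrs).get(self.ATTRS.get(tag, ""), "") or ""
        if url.strip().lower().startswith("http://"):
            self.found.append((tag, url))

def find_mixed_content(html):
    """Return (tag, url) pairs for every insecure subresource in html."""
    parser = MixedContent()
    parser.feed(html)
    return parser.found

# Constructed sample page (not captured from a real site).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://example.com/site.css">
<script src="http://cdn.example.com/app.js"></script></head>
<body><a href="http://example.com/old">old link</a>
<img src="//example.com/logo.png"><img src="HTTP://example.com/hero.jpg">
</body></html>"""

if __name__ == "__main__":
    print(find_mixed_content(SAMPLE_HTML))
```

Each check returns None on success and a short reason string on failure, so the three results can be fed into a deploy gate or monitoring job.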
