The padlock in your browser bar? That's HTTPS.
When you visit a site and see a little padlock icon next to the URL, it means the connection between your browser and the server is encrypted. That's HTTPS (HTTP Secure) doing its job.
Without it, your browser shows a "Not Secure" warning — and so does Google. Since 2014, HTTPS has been a confirmed ranking signal. Since 2018, Chrome marks all HTTP pages as "Not Secure." There's really no excuse to still be running HTTP.
What actually happens without HTTPS
Data travels in plain text. Anything users type — passwords, form data, search queries — can be intercepted by anyone on the same network. At a coffee shop Wi-Fi, that's everyone.
Browsers scare visitors away. That "Not Secure" warning kills trust instantly. Conversion rates drop. Bounce rates spike.
You lose ranking power. Google has been very clear: HTTPS is a ranking signal. All else being equal, the HTTPS page wins.
Modern features are blocked. HTTP/2, service workers, geolocation API, and many other browser features require HTTPS. Without it, your site is stuck in the past.
The mixed content trap
Here's a sneaky problem: your site has HTTPS, but some resources (images, scripts, stylesheets) still load over HTTP. That's called mixed content, and it can:
- Trigger browser warnings even on HTTPS pages
- Break functionality if the browser blocks the insecure resources
- Undermine the security HTTPS is supposed to provide
Mixed content is one of the most common HTTPS issues — and one of the easiest to miss.
Common HTTPS problems
| Problem | What happens |
|---|---|
| No SSL certificate at all | Browser shows "Not Secure," users leave |
| Expired certificate | Browser blocks access entirely with a scary warning |
| Mixed content | Some resources load over HTTP, triggering warnings |
| HTTP pages not redirecting to HTTPS | Duplicate content, split link equity |
| Certificate doesn't match domain | Browser rejects the connection |
Getting it right
Install a valid SSL/TLS certificate. Let's Encrypt offers free certificates. Most hosting providers include one.
Redirect all HTTP to HTTPS. Every HTTP URL should 301 redirect to its HTTPS equivalent. No exceptions.
Fix mixed content. Update all internal references (images, scripts, stylesheets) to use HTTPS URLs or protocol-relative paths.
Update your sitemap and canonical tags. Make sure they all point to HTTPS versions.
Check third-party resources. External scripts, fonts, and APIs should all load over HTTPS.
How to audit HTTPS across your site
A single page can look fine, but mixed content and redirect issues often hide deep in the site. An automated audit should:
- Check if every page is served over HTTPS
- Detect mixed content on each page
- Verify HTTP→HTTPS redirects are in place
- Check certificate validity and expiration date
- Flag pages with certificate mismatch errors
Kaitico checks HTTPS status and mixed content for every crawled page, so you can find and fix security issues across your entire site.