Defaults.Exposed › Reports
Why Does My Website Say 'Not Secure'? What the Warning Means for Trust (2026)
Published 2026-06-29
Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. See how we grade.
Your site says “Not Secure” because the browser couldn’t establish a trusted, encrypted connection — either there’s no HTTPS, or the certificate is invalid. It’s more common than you’d think: across 261 million domains, 21.98% serve no HTTPS at all, and of those that do, 8.21% present an expired, mismatched or untrusted certificate. Either way the visitor sees a warning — and a warning at the moment of first impression costs trust, conversions, and search ranking.
What does “Not Secure” actually mean?
Browsers label a page “Not Secure” when data between the visitor and your site travels unprotected, or when the padlock can’t be trusted. Two failure modes:
- No HTTPS at all — 21.98% of domains still serve over plain HTTP, so every page is flagged.
- HTTPS with a broken certificate — among domains that do serve HTTPS, 8.21% have an invalid certificate (expired, self-signed, or for the wrong name), which triggers a full-page warning that’s even scarier than the inline label.
Only 78.02% of all domains serve HTTPS, and a valid certificate on top of that is what clears the warning.
Why it matters beyond the scary label
- Trust at first impression. A warning before your page even loads tells a visitor “this might not be safe.” Many leave.
- Lost conversions. No customer types a card number into a “Not Secure” checkout.
- Search ranking. HTTPS is a confirmed ranking signal; the non-encrypted 21.98% start at a disadvantage.
- Modern features break. Many browser capabilities simply refuse to run without HTTPS.
The encryption itself is largely a solved, free problem — which is what makes the 21.98% gap striking.
How do I fix the “Not Secure” warning?
- Get a certificate — free from Let’s Encrypt; most hosts and CDNs issue one automatically.
- Serve HTTPS and redirect — force all HTTP traffic to the HTTPS version. See fix HTTPS.
- Keep the certificate valid — automate renewal so you never join the 8.21% with an expired cert. See fix certificate errors.
- Add HSTS — tell browsers to always use HTTPS. Only 22.91% of HTTPS sites do. See fix HSTS.
Frequently asked questions
Why does my website say “Not Secure” in Chrome? Because the page isn’t served over valid HTTPS — either there’s no HTTPS (21.98% of domains) or the certificate is invalid (8.21% of HTTPS sites). Chrome flags both.
Is “Not Secure” bad for SEO? Yes. HTTPS is a Google ranking signal and the warning hurts trust and conversions, so it compounds.
Is fixing it expensive? No. TLS certificates are free (Let’s Encrypt) and most hosts automate them. It’s a configuration task, not a purchase.
My certificate “expired” — what happened? Certificates are short-lived by design and must auto-renew. When renewal fails, the site shows a warning. Automating renewal prevents it.
Check your site’s HTTPS and certificate free
See whether visitors get a warning — and exactly what to fix — privately and owner-only.
Check your domain → · Fix HTTPS → · Fix certificate errors → · How we grade → · Aggregate data only. Data stored and processed in the EU.