Defaults.Exposed

Defaults.Exposed › Reports

Why Does My Website Say 'Not Secure'? What the Warning Means for Trust (2026)

Published 2026-06-29

Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. See how we grade.

Your site says “Not Secure” because the browser couldn’t establish a trusted, encrypted connection — either there’s no HTTPS, or the certificate is invalid. It’s more common than you’d think: across 261 million domains, 21.98% serve no HTTPS at all, and of those that do, 8.21% present an expired, mismatched or untrusted certificate. Either way the visitor sees a warning — and a warning at the moment of first impression costs trust, conversions, and search ranking.

What does “Not Secure” actually mean?

Browsers label a page “Not Secure” when data between the visitor and your site travels unprotected, or when the padlock can’t be trusted. Two failure modes:

Only 78.02% of all domains serve HTTPS, and a valid certificate on top of that is what clears the warning.

Why it matters beyond the scary label

The encryption itself is largely a solved, free problem — which is what makes the 21.98% gap striking.

How do I fix the “Not Secure” warning?

  1. Get a certificate — free from Let’s Encrypt; most hosts and CDNs issue one automatically.
  2. Serve HTTPS and redirect — force all HTTP traffic to the HTTPS version. See fix HTTPS.
  3. Keep the certificate valid — automate renewal so you never join the 8.21% with an expired cert. See fix certificate errors.
  4. Add HSTS — tell browsers to always use HTTPS. Only 22.91% of HTTPS sites do. See fix HSTS.

Frequently asked questions

Why does my website say “Not Secure” in Chrome? Because the page isn’t served over valid HTTPS — either there’s no HTTPS (21.98% of domains) or the certificate is invalid (8.21% of HTTPS sites). Chrome flags both.

Is “Not Secure” bad for SEO? Yes. HTTPS is a Google ranking signal and the warning hurts trust and conversions, so it compounds.

Is fixing it expensive? No. TLS certificates are free (Let’s Encrypt) and most hosts automate them. It’s a configuration task, not a purchase.

My certificate “expired” — what happened? Certificates are short-lived by design and must auto-renew. When renewal fails, the site shows a warning. Automating renewal prevents it.

Check your site’s HTTPS and certificate free

See whether visitors get a warning — and exactly what to fix — privately and owner-only.

Check your domain → · Fix HTTPS → · Fix certificate errors → · How we grade → · Aggregate data only. Data stored and processed in the EU.