Tell Me When Down
How it worksWhat we checkPricing
BlogFree toolsCompareDocs
Log inGet started
All posts
Shipping securely on a budget

My website says "Not Secure" — what it means and how to fix it

July 18, 2026·5 min read
An unlocked padlock in low light — a site served without a private, secure connection.

There's a "Not secure" label next to your website's address in the browser, and it looks alarming — like your site's been hacked. It usually hasn't. It almost always means one specific thing: your site isn't using a secure (HTTPS) connection properly, and that's fixable.

Let's translate what the browser is actually telling you, and sort out which of a few common causes is yours.

What "Not secure" really means

Every modern browser marks a site "Not secure" when the connection isn't encrypted with HTTPS — the padlock version of your address. It's not a virus warning or a hack alert. It's the browser saying "anything typed here could be seen by someone in between," which is why it looks scary on a page with a login or a form.

"Not secure" is about the connection, not your content. The browser isn't saying your site is malicious — it's saying the link between the visitor and your site isn't private. That distinction is the whole fix.

The usual causes, plainest first

  1. Your site has no HTTPS certificate at all. The most common case for a new or DIY site. It was only ever set up on http://, so there's nothing to make it secure. The fix is to add a certificate — most hosts offer a free one (via Let's Encrypt) with a click or a toggle.
  2. You have HTTPS, but visitors land on the http version. The secure version exists, but your site doesn't redirect people to it, so they see the insecure one. The fix is a setting that forces all traffic to https://.
  3. Mixed content. The page itself is secure, but it loads an image, script, or font over insecure http://, which downgrades the whole padlock. The fix is updating those links to https://.
  4. The certificate expired. If it worked before and suddenly stopped — often with a full red warning rather than a small label — the certificate likely lapsed. That's a different, more urgent problem: website down from an expired SSL certificate.

Check your certificate

Not sure whether you have a certificate or when it expires? This tells you in seconds, in plain terms:

free tool · no loginSSL expiry checkPaste your web address and see whether it has a valid certificate and when it expires — no login, plain results.

Why it's worth fixing today

Beyond the scary label, "Not secure" costs you real things: visitors bounce when they see it, search engines prefer secure sites, and some browsers block forms on insecure pages entirely. It's also one line on the wider launch security checklist every site should clear.

Once it's fixed, keep it fixed

HTTPS isn't set-and-forget — certificates expire and renewals sometimes fail quietly, which drops you right back to a warning (a worse one). Watching the certificate from outside means you get an email days before it lapses, instead of a customer telling you the site "looks broken."

Get the padlock — and keep it.

Join Tell Me When Down free and we'll watch your certificate from outside your site. If it's about to expire or a renewal quietly fails, you get a plain-English email days ahead — not a scary browser warning your visitors find first.

Watch my sitefree · no card required
more on shipping securely on a budget
The website launch security checklist nobody hands youYou get a deploy button, not a checklist — so most sites launch with the cert valid and nothing else checked. The four things to test from your URL in seconds, plus the code-side items that cost the most.Website down from an expired SSL certificateAn expired certificate is a full outage — every visitor hits a red warning, though the server's fine. Here's why auto-renewal still fails silently, why shrinking cert lifetimes make it likelier, and how to see it coming.What are security headers? A plain-English guideSecurity headers tell the browser how to behave safely — refuse HTTP, block framing, don't guess file types. Here's what each of the ones that matter actually does, and why almost every new site ships without them.How to add security headers in Next.js (including CSP)Next.js sends no security headers by default. The static ones are a config block; the hard part is a CSP that helps without blocking your own scripts. Here's the nonce approach, the report-only trick, and the version caveat.SSL certificate expiry monitoring: why the calendar reminder failsA calendar reminder assumes your renewal works. But auto-renewal is a background job that fails silently, and cert lifetimes are dropping to 47 days by 2029. Here's why manual SSL tracking breaks, and what to monitor instead.Secure, HttpOnly, SameSite: the cookie flags that matterThree small flags — Secure, HttpOnly, SameSite — decide whether your session cookie is a locked token or the easiest thing to steal on your site. Here's what each closes, and how to check which your cookies set.

spot something wrong or out of date? [email protected] — we'll fix it

Tell Me When Down

Uptime and security monitoring for people who'd rather ship than babysit servers. We watch so you can sleep.

product
How it worksWhat we checkPricingDocsBlogFAQ
free toolsWebsite security scanSupabase pause checkRender sleep checkMixed content checkerSecurity headers checkCookie security checkSSL expiry check
comparevs UptimeRobotvs Better Stackvs PingdomFor indie hackers
company
StatusAbout our botSupportPrivacyTerms
© 2026 TellMeWhenDown · tellmewhendown.com