Why Browsers Still Say "Not Secure" After SSL is Installed
After installing an SSL certificate, the expectation is simple: a professional padlock icon and a secure connection. However, many website owners are met with frustration when browsers continue to display the "Not Secure" warning despite having HTTPS enabled.
If you're facing this, don't worry - the certificate itself is rarely faulty. Normally, this warning points to a configuration issue, a content error, or a trust gap elsewhere in the SSL stack. This guide will walk you through the most common causes and how to fix them.
What "Not Secure" Actually Means
When a browser flags a site, it is communicating that it cannot confirm 100% safety. This usually happens for one of three reasons:
- The connection is not fully encrypted (Mixed Content).
- The certificate is misconfigured or has a name mismatch.
- The chain of trust back to the root CA is broken.
1. Mixed Content (The #1 Culprit)
Mixed content occurs when your site loads over HTTPS, but some elements (like images, scripts, or fonts) are still being requested over an insecure HTTP connection. This compromises the security of the entire page.
Fix: Open your browser console (F12) to identify the specific HTTP requests. Update these URLs to HTTPS, use relative paths where possible, and implement 'HTTPS rewrite rules' on your server or CDN.
2. Incomplete SSL Certificate Chain
Many servers only provide the domain certificate and forget to include the intermediate certificates provided by the CA. Without these, older browsers and mobile devices cannot trace the trust back to a root authority.
Fix: Ensure you install the full CA bundle (Leaf + Intermediates). You can verify your chain order using our diagnostic tools.
3. Certificate Name Mismatch
This happens when the certificate doesn't cover the specific domain you're accessing. For example, a
certificate issued for www.example.com might not cover example.com if not
explicitly included in the SAN (Subject Alternative Names).
Fix: Re-issue your certificate to include all necessary aliases or use a wildcard certificate to cover subdomains.
4. HTTP to HTTPS Redirection Missing
Even if SSL is perfectly installed, visitors might still land on the unencrypted HTTP version of your site if you haven't forced a redirect. Browsers will rightfully warn users that their data is at risk.
Fix: Apply a global 301 redirect from HTTP to HTTPS in your .htaccess
or server configuration file.
- Full chain installed
- No mixed content
- Correct domain coverage
- HTTPS redirection enabled
- Strong TLS protocols
- Non-expired certificate
5. Expired SSL Certificate
This is one of the most overlooked causes. SSL certificates expire after a defined validity period (typically 1-2 years). Browsers will always flag an expired certificate as "Not Secure," regardless of whether the connection itself is encrypted. Always monitor expiration dates and renew in advance, ideally 30 days before the certificate expires.
6. HTTP Links in Your HTML Source Code
Even if SSL is configured correctly, your HTML source code might contain hardcoded HTTP links to images, stylesheets, or JavaScript files. Browsers scan every resource request on a page, and a single one from an insecure source is enough to trigger the mixed content warning. Use browser developer tools (Network tab, filtered by type) to systematically identify and fix every offending URL.
7. Third-Party Embedded Content
External widgets, social media embeds, advertising networks, and analytics toolkits can all load over HTTP if they are outdated. While you cannot control third-party code directly, you can use the upgrade-insecure-requests directive in your Content Security Policy (CSP) header to instruct the browser to automatically upgrade all HTTP requests to HTTPS. This is a powerful defensive technique for content you do not fully control.
8. Strict Transport Security (HSTS) Not Configured
HSTS tells browsers to always use HTTPS when connecting to your domain, for a defined period. Without HSTS, a user who manually types http://yourdomain.com will have an initial unencrypted connection before being redirected. This window of vulnerability can be used by attackers for a "SSL stripping" attack. Correctly configuring HSTS eliminates this risk entirely. Note: test HSTS in a staging environment first, as removing it incorrectly can make your site inaccessible.
Frequently Asked Questions
How do I find mixed content on my site?
Open your browser's developer tools (F12), go to the Console tab, and look for messages about "Mixed Content" or insecure requests. All offending URLs will be listed there.
Is a padlock always a sign of a safe site?
Not exactly. A padlock means the connection is encrypted, but not that the site itself is trustworthy or free of malware. Always verify the domain you are visiting.
How long does it take for the padlock to appear after fixing issues?
As soon as you fix the underlying issue and do a hard refresh (Ctrl+Shift+R), the browser will re-evaluate and the padlock should appear immediately.
9. Cache and Preloaded HSTS
Your browser may have cached an HSTS policy for a domain. If you roll back HTTPS on a subdomain or test environment, the cached HSTS policy can cause confusing "Not Secure" loops or refused connections. Always clear your browser cache and test in an incognito window when troubleshooting SSL issues. Flushing the HSTS cache in Chrome can be done at chrome://net-internals/#hsts.
Conclusion
An alert doesn't necessarily mean your site is compromised; it means the browser needs more evidence that the connection is fully secure. By following this structured troubleshooting approach, you can eliminate configuration gaps, restore the padlock icon, and ensure a safe experience for your users.
Diagnose Your Warning Instantly
Don't guess why your site says "Not Secure." Use our free SSL Checker to pinpoint the exact issue in seconds.
Check My Site SecurityNeed to check your SSL?
Try our free TLS Scanner to audit your website's security, or use the CSR Decoder to verify your certificate requests.