You've seen the padlock icon next to a website's address, and the warning when it's missing: "Not Secure." Behind that small icon is HTTPS — and it's one of the most important, most misunderstood parts of running a website. Here's what it actually does and how to make sure yours is correct.
What is HTTPS (and SSL/TLS)?
HTTPS is the secure version of HTTP, the protocol your browser uses to talk to websites. The "S" comes from SSL/TLS — the technology that encrypts the connection. (SSL is the old name; the protocol actually in use today is TLS, but everyone still says "SSL.")
When a site uses HTTPS, everything exchanged between the visitor's browser and the server is encrypted, so nobody in between can read or tamper with it. The certificate also verifies the site is who it claims to be.
Why your website needs it
- Security. Without HTTPS, passwords, payment details and form data travel in plain text — readable by anyone on the network (public Wi-Fi, ISPs, attackers).
- Trust. Browsers label HTTP sites "Not Secure." That warning alone drives visitors away before they read a word.
- SEO. HTTPS is a confirmed Google ranking signal. All else equal, the secure site wins.
- Features. Many modern browser capabilities (geolocation, service workers, HTTP/2) simply won't work without HTTPS.
HTTPS is no longer optional. It's the baseline cost of being online — and the good news is it's free to get.
How to get HTTPS
- Get a certificate. Free certificates from Let's Encrypt provide the same encryption as paid ones and are perfect for most sites. Most hosts offer one-click SSL.
- Install it on your server (often automatic with modern hosting).
- Force HTTPS — redirect all HTTP traffic to HTTPS with a 301 so the insecure version never serves.
- Fix mixed content — make sure every image, script and style loads over HTTPS too, or browsers flag the page.
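- Add HSTS — the Strict-Transport-Security response header tells browsers to always use HTTPS for your domain, closing the gap left by that first plain-HTTP request. A browser applies the policy only after it has received the header over HTTPS once, unless the domain is on the HSTS preload list.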
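The last three steps (forced 301 redirect, mixed content, HSTS) can be checked mechanically. The Python below is an added example, not code from this article or its tools: the names `AssetFinder`, `hsts_max_age` and `audit` and the two sample captures are constructed for illustration, and it works on responses you have already fetched, so it runs offline.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AssetFinder(HTMLParser):
    """Collects image, script, iframe and stylesheet URLs that load over plain HTTP."""
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        is_css = tag == "link" and "stylesheet" in (a.get("rel") or "").lower()
        # An <a href="http://..."> is only a hyperlink, not a loaded asset, so it is skipped.
        url = a.get("src") if tag in ("img", "script", "iframe") else a.get("href") if is_css else None
        if url and url.strip().lower().startswith("http://"):
            self.insecure.append(url.strip())

def hsts_max_age(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)', value or "", re.I)
    return int(m.group(1)) if m else None

def audit(http_status, http_location, https_headers, https_body):
    """Check forced redirect, HSTS and mixed content; return a list of findings."""
    findings = []
    if http_status != 301 or urlsplit(http_location or "").scheme != "https":
        findings.append(f"redirect: got {http_status} to {http_location!r}, want 301 to https://")
    headers = {k.lower(): v for k, v in https_headers.items()}
    # Missing header, unparsable value, or max-age=0 (which clears the policy) all fail.
    if not hsts_max_age(headers.get("strict-transport-security")):
        findings.append("hsts: no usable Strict-Transport-Security max-age on the HTTPS response")
    finder = AssetFinder()
    finder.feed(https_body)
    findings += [f"mixed content: {u}" for u in finder.insecure]
    return findings

# Constructed sample captures (not real sites): plain-HTTP status and Location,
# then the HTTPS response headers and body.
GOOD = (301, "https://example.com/",
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
        '<link rel="stylesheet" href="https://example.com/s.css"><a href="http://other.example/">x</a>')
BAD = (302, "http://www.example.com/", {"Content-Type": "text/html"},
       '<img src="http://example.com/logo.png"><script src="/app.js"></script>')

if __name__ == "__main__":
    for name, capture in (("good", GOOD), ("bad", BAD)):
        print(name, audit(*capture) or "no findings")
```

The bad capture produces three findings: a 302 that stays on HTTP, no HSTS header, and one image loaded over HTTP.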
The most common SSL mistakes
| Mistake | What happens |
|---|---|
| Expired certificate | Browsers show a full-page scary warning; traffic collapses. |
| No forced redirect | Both HTTP and HTTPS versions exist — duplicate content + insecure access. |
| Mixed content | HTTPS page loading HTTP assets → "Not fully secure" warning. |
| Incomplete chain | Missing intermediate certificate → fails in some browsers, not others. |
| Wrong domain coverage | Certificate covers example.com but not www.example.com (or vice-versa). |
Don't let it expire
The single most common SSL outage is a forgotten renewal. Free certificates often last just 90 days. Use auto-renewal where possible, and check your certificate periodically — an expired cert can take your site effectively offline for cautious visitors within hours.
Check your SSL in seconds
Want to verify your certificate's validity, expiry, issuer and chain right now? Use our free SSL certificate checker on any URL. For the bigger picture, the website security checker tests your HTTPS enforcement and security headers together — and siteIQ rolls it all into one audit. Security headers are covered in depth in our technical SEO checklist.