Missing HTTPS | Blue Frog Docs

Missing HTTPS

Diagnose and fix missing HTTPS to eliminate 'Not Secure' warnings and protect user data

Missing HTTPS

What This Means

Missing HTTPS occurs when your website is served over an unencrypted HTTP connection instead of a secure HTTPS connection. Modern browsers mark HTTP sites as "Not Secure," warning users that their data could be intercepted by attackers.

HTTPS vs HTTP

HTTP (HyperText Transfer Protocol):

  • Unencrypted connection
  • Data transmitted in plain text
  • Vulnerable to interception
  • Browsers show "Not Secure" warning

HTTPS (HTTP Secure):

  • Encrypted connection (TLS/SSL)
  • Data encrypted in transit
  • Protects against eavesdropping
  • Browsers show padlock icon

Impact on Your Business

User Trust:

  • 90% of users won't proceed past "Not Secure" warnings
  • Immediate credibility damage
  • Users abandon forms and purchases
  • Professional appearance requires HTTPS

Security Risks:

  • Login credentials transmitted in plain text
  • Payment information exposed
  • Session cookies vulnerable to theft
  • Man-in-the-middle attacks possible
  • User data exposed to ISPs and attackers

SEO Impact:

  • HTTPS is a confirmed Google ranking factor
  • HTTP sites rank lower than HTTPS competitors
  • Chrome marks HTTP as "Not Secure" in search results
  • Lower click-through rates from search

Conversion Rates:

  • "Not Secure" warnings reduce conversions by 85%+
  • Cart abandonment increases dramatically
  • Form submissions decline
  • Users won't enter payment information

Compliance:

  • PCI DSS requires HTTPS for payment processing
  • GDPR requires secure data transmission
  • Many regulations mandate encryption
  • Potential fines and liability

How to Diagnose

Method 1: Check Browser Address Bar

  1. Visit your website
  2. Look at address bar
  3. Check for:
    • http:// prefix (insecure)
    • "Not Secure" label
    • No padlock icon

What to Look For:

  • HTTP instead of HTTPS
  • Browser warning symbols
  • Missing security indicators

Method 2: SSL Checker Tools

  1. Visit SSL Labs SSL Test
  2. Enter your domain name
  3. Click "Submit"
  4. Review results

What to Look For:

  • "Certificate not valid for domain name"
  • "No certificate found"
  • Error messages
  • Grade of F (no HTTPS)

Method 3: Manual URL Test

  1. Try accessing both versions:

    http://www.example.com
https://www.example.com

  2. Check which works:

    • HTTPS shows certificate error = Certificate issue
    • HTTPS doesn't load = No HTTPS configured
    • Both load without redirect = No redirect configured

What to Look For:

  • HTTPS version not loading
  • Certificate errors
  • No automatic redirect to HTTPS
  • Both HTTP and HTTPS accessible

Method 4: Google Search Console

  1. Log into Google Search Console
  2. Check property URL
  3. Navigate to "Security Issues" section
  4. Review any warnings

What to Look For:

  • Property registered as HTTP
  • Security warnings
  • Recommendations to migrate to HTTPS

General Fixes

Fix 1: Install SSL Certificate

Get and install SSL certificate:

  1. Choose certificate provider:

    Free Options:

    • Let's Encrypt (recommended)
      • Free, automated SSL certificates
      • 90-day validity (auto-renews)
      • Trusted by all browsers
      • Most hosting providers support it

    Paid Options:

    • Sectigo, DigiCert, GoDaddy, Namecheap
    • Extended validation (EV) certificates available
    • Longer validity periods
    • Additional features/support

  2. Installation methods:

    Method A: Hosting Provider (Easiest):

    • Most hosts offer free SSL (Let's Encrypt)
    • Enable in hosting control panel (cPanel, Plesk)
    • One-click installation
    • Automatic renewal

    Method B: Let's Encrypt with Certbot:

    # Install Certbot
sudo apt-get install certbot python3-certbot-nginx

# Get certificate (Nginx)
sudo certbot --nginx -d example.com -d www.example.com

# Or for Apache
sudo certbot --apache -d example.com -d www.example.com

# Test auto-renewal
sudo certbot renew --dry-run

    Method C: Manual Installation:

    • Purchase SSL certificate
    • Generate CSR (Certificate Signing Request)
    • Submit to certificate authority
    • Download certificate files
    • Install on server
    • Configure web server

  3. Verify installation:

    # Check certificate
openssl s_client -connect example.com:443 -servername example.com

Fix 2: Configure Server to Use HTTPS

Enable HTTPS in web server:

  1. Nginx configuration:

    server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Modern SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # HSTS
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Your site configuration
    root /var/www/html;
    index index.html;
}

  2. Apache configuration:

    <VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

    # Modern SSL configuration
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5

    # HSTS
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>

  3. Test configuration:

    # Nginx
sudo nginx -t
sudo systemctl reload nginx

# Apache
sudo apachectl configtest
sudo systemctl reload apache2

Fix 3: Redirect HTTP to HTTPS

Force all traffic to HTTPS:

  1. Nginx redirect:

    # Redirect all HTTP to HTTPS
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}

  2. Apache redirect (.htaccess):

    RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  3. Alternative Apache redirect:

    <VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

  4. Cloudflare redirect:

    • DashboardSSL/TLS → Edge Certificates
    • Enable "Always Use HTTPS"
    • Automatic 301 redirects

Change HTTP URLs to HTTPS:

  1. Search and replace in database:

    -- WordPress example
UPDATE wp_posts
SET post_content = REPLACE(post_content, 'http://example.com', 'https://example.com');

UPDATE wp_options
SET option_value = REPLACE(option_value, 'http://example.com', 'https://example.com')
WHERE option_name = 'home' OR option_name = 'siteurl';

  2. WordPress plugin method:

    • Install "Better Search Replace" plugin
    • Search for: http://yoursite.com
    • Replace with: https://yoursite.com
    • Run on all tables

  3. Update hardcoded URLs:

    <!-- Find and replace in all files -->
http://yoursite.com → https://yoursite.com

  4. Use relative URLs going forward:

    <!-- Instead of absolute URLs -->
<img src="https://example.com/image.jpg">

<!-- Use relative URLs -->
<img src="/images/image.jpg">

Fix 5: Update External References

Update references to your site:

  1. Social media profiles:

    • Facebook page URL
    • Twitter profile link
    • LinkedIn company page
    • Instagram bio link
    • Update all to HTTPS

  2. Business listings:

  3. Backlinks (where possible):

    • Contact sites linking to HTTP version
    • Request update to HTTPS
    • High-value backlinks especially

  4. Email signatures:

    • Update website links
    • Email templates
    • Marketing emails

Fix 6: Update Google Search Console

Add HTTPS property:

  1. Add new property:

    • Go to Search Console
    • Add new property: https://www.example.com
    • Verify ownership

  2. Submit HTTPS sitemap:

    • Generate new sitemap with HTTPS URLs
    • Submit to Search Console
    • Remove old HTTP sitemap

  3. Monitor migration:

    • Check index coverage
    • Monitor traffic transition
    • Review for any errors

  4. Update robots.txt:

    User-agent: *
Sitemap: https://www.example.com/sitemap.xml

Fix 7: Enable HSTS

Force browsers to use HTTPS:

  1. Add HSTS header:

    # Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  2. What HSTS does:

    • Tells browsers to always use HTTPS
    • Prevents users from accessing HTTP version
    • Protects against downgrade attacks
    • Applies to all subdomains (with includeSubDomains)

  3. Preload HSTS:

    • Submit to HSTS Preload List
    • Browsers will always use HTTPS
    • Even on first visit
    • Cannot be easily undone

  4. Test HSTS:

    curl -I https://example.com | grep -i strict

Platform-Specific Guides

Detailed implementation instructions for your specific platform:

Platform Troubleshooting Guide
Shopify Shopify HTTPS Guide
WordPress WordPress HTTPS Guide
Wix Wix HTTPS Guide
Squarespace Squarespace HTTPS Guide
Webflow Webflow HTTPS Guide

Verification

After enabling HTTPS:

  1. Check SSL Labs:

    • Run SSL test
    • Should get A or A+ grade
    • Verify certificate valid
    • Check protocol versions

  2. Test all pages:

    • Homepage loads over HTTPS
    • Internal pages use HTTPS
    • Forms submit over HTTPS
    • Checkout process (if applicable)

  3. Verify redirects:

    curl -I http://example.com
# Should show: HTTP/1.1 301 Moved Permanently
# Location: https://example.com/

curl -I http://www.example.com
# Should redirect to HTTPS version

  4. Check browser indicators:

    • Padlock icon appears
    • No "Not Secure" warnings
    • Certificate info shows correct domain
    • Valid and trusted

  5. Monitor Search Console:

    • Watch HTTPS property index coverage
    • Monitor for errors
    • Check traffic levels
    • Verify sitemap processed

Common Mistakes

  1. No redirect from HTTP to HTTPS - Both versions accessible
  2. Mixed content issues - HTTPS page loads HTTP resources
  3. Not updating internal links - Still linking to HTTP
  4. Certificate doesn't cover www - Need both example.com and www.example.com
  5. Certificate expired - Set up auto-renewal
  6. Not updating Search Console - Old HTTP property still active
  7. Breaking canonical tags - Update to HTTPS
  8. Forgetting sitemap - Still references HTTP URLs
  9. Not testing checkout/forms - Critical functionality broken
  10. Weak SSL configuration - Using outdated TLS versions

HTTPS Migration Checklist

Pre-Migration:

  • Backup website and database
  • Document current setup
  • Test in staging environment
  • Plan migration timing

SSL Installation:

  • SSL certificate obtained
  • Certificate covers all domains/subdomains
  • Certificate installed on server
  • HTTPS configured in web server
  • Certificate validates successfully

Redirects:

  • HTTP to HTTPS redirect (301)
  • www to non-www (or vice versa)
  • Redirect chains eliminated
  • All redirects tested

Content Updates:

  • Internal links updated to HTTPS
  • Database URLs updated
  • Canonical tags updated
  • Sitemap uses HTTPS URLs
  • Robots.txt updated

External Updates:

  • Google Search Console property added
  • HTTPS sitemap submitted
  • Analytics tracking updated
  • Social media profiles updated
  • Business listings updated

Security:

  • HSTS header enabled
  • Modern TLS protocols only
  • Strong cipher suites configured
  • No mixed content warnings

Testing:

  • SSL Labs test (A or A+ grade)
  • All pages load over HTTPS
  • Forms and checkout work
  • No browser warnings
  • Mobile version tested

Monitoring:

  • Search Console for errors
  • Analytics traffic levels
  • Certificate expiration monitoring
  • Auto-renewal configured

Additional Resources

↑ Back to top
// SYS.FOOTER