You’re about to click Purchase on those shoes you’ve been eyeing for weeks—credit card details entered, shipping address confirmed. But just as your finger hovers over the button, you spot a tiny “Not Secure” warning in your browser’s address bar.
Your browser isn’t being overprotective. It’s telling you that anything you type is traveling across the internet in plain text, visible to anyone monitoring the connection with basic snooping tools. Heed the warning: A non-secure website doesn’t encrypt data, making it unsafe to enter sensitive information.
Here’s what it looks like when a website is not secure, and what website owners can do to make their sites secure so visitors can trust that their data is safe.
What does it mean when a website is flagged as not secure?
A secure website uses HTTPS (Hypertext Transfer Protocol Secure) and an SSL/TLS certificate to encrypt the communication between web browsers and web servers, protecting any private or sensitive data from being intercepted. When a website is marked as not secure, it usually means it’s not using HTTPS.
As a user, you should avoid entering sensitive data, like credit card numbers or addresses, on a non-secure site. If you send your credit card details on a website without encryption, it will be readable to anyone monitoring the data.
As a website owner, running a non-secure site puts users’ data in jeopardy. If your website is not secure, malicious actors can capture user data during a transfer, eroding trust and future sales.
How to tell if a website is secure
It’s easy to tell if a website is secure. If the website URL starts with https://, it’s secure. If it starts with just http:// (without the “s”), it’s not.
Most web browsers also display a padlock icon near the URL. On some browsers, you may need to click on the icon to view security details. For example, Google Chrome on Mac requires a click on the site information icon to reveal the padlock and “Connection is Secure,” while Safari on Mac displays the padlock directly to the left of the URL.

Is it safe to use a “Not Secure” website?
Whether or not it’s safe to use a non-secure site depends on what you’re doing. A URL that starts with http:// doesn’t necessarily mean the site is malicious, but be cautious—especially if the site asks for sensitive information.
If you’re just browsing for general information, like a business address or hours, it’s generally safe to use HTTP sites. If, however, the site requests personal or financial data, it’s not safe to proceed.
Always check for the https:// and the padlock icon before entering any private information.

How to fix a “Not Secure” warning on your website
- Install a secure sockets layer (SSL) certificate on your server
- Make sure all your internal and external links use HTTPS
- Verify your site in Google Search Console
- Ensure that any HTTP URLs are redirected to HTTPS
- Update your XML sitemap
As a website owner, you can fix a “not secure” warning on your site by enabling HTTPS on your website. Enabling secure connections to your site using a TLS (transport layer security) certificate, sometimes referred to as an SSL (secure sockets layer) certificate, ensures all page data stays private and encrypted. This protects communication between your site and site visitors and delivers content securely over HTTPS rather than HTTP.
Here’s how to fix a “Not Secure” warning on your website:
1. Install a secure sockets layer (SSL) certificate on your server
Purchase an SSL certificate from a trusted certificate authority, like DigiCert, GlobalSign, or Let’s Encrypt (which has free options). You’ll get a .crt or .pem file, an intermediate certificate or CA bundle (.ca-bundle), and—if you generated the certificate signing request (CSR) yourself—a private key.
Upload these files to your server, typically in the following locations, depending on the type of server you’re running:
- Apache/Linux. /etc/ssl/certs/ and /etc/ssl/private/
- Nginx. Often in /etc/nginx/
- cPanel/Plesk. Use the built-in UI
- Windows/IIS. Use the Microsoft management console (MMC)
Next, edit your virtual host file using Apache or Nginx. DigiCert provides a helpful guide for generating a CSR with OpenSSL and configuring Apache with SSL.
2. Make sure all your internal and external links use HTTPS
Make sure every link on your site uses https://, including internal pages and any outbound links. Review your website’s HTML code to replace all http:// links with https://.
Update external resources like images, scripts, and CSS files that might still reference non-secure URLs. Most web development tools offer a search-and-replace function to help with this, and automated tools like Screaming Frog SEO Spider, Apify, and Browse AI can also scan your site for HTTP references.
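One way to run the scan described in this step yourself, as an added example that is not part of the original article: the script parses a page’s HTML and reports every http:// reference, separating subresources the browser loads (mixed content) from plain links and form targets. The function and class names are hypothetical, and the sample page is constructed.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource (mixed content on an HTTPS page).
RESOURCE_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"), ("link", "href")}
# Attributes that only navigate or submit; these should still move to https://.
LINK_ATTRS = {("a", "href"), ("form", "action")}


class InsecureRefFinder(HTMLParser):
    """Collects (line, kind, tag, url) for every tracked attribute pointing at http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            url = (value or "").strip()
            # URL schemes are case-insensitive, so compare in lower case.
            if not url.lower().startswith("http://"):
                continue
            pair = (tag, name)
            kind = "resource" if pair in RESOURCE_ATTRS else "link" if pair in LINK_ATTRS else None
            if kind:
                self.findings.append((self.getpos()[0], kind, tag, url))


def find_insecure_refs(html):
    finder = InsecureRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page (not taken from the article).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="HTTP://img.example.com/shoe.png">
<a href="http://example.com/about">About</a>
<form action="http://example.com/checkout" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for line, kind, tag, url in find_insecure_refs(SAMPLE_HTML):
        print(f"line {line}: {kind:8} <{tag}> {url}")
```

Fix the “resource” findings first: on a page served over HTTPS, browsers block or warn about subresources loaded over HTTP.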
3. Verify your site in Google Search Console
Let Google know your site is secure by verifying it in Google Search Console—a free tool that shows how your site appears in search results and flags issues that could hurt your rankings. Start by logging into Search Console with the Google account tied to your website. Then, add your site as a domain (recommended for full site coverage) or URL prefix.
To verify domain ownership, add a DNS TXT record provided by Google. Log in to your domain registrar (such as Shopify), find the DNS settings or DNS management section, and add the TXT record. Save it, go back to Search Console, and click Verify.
If you choose URL prefix, you can either upload an HTML file to your site’s root folder (typically via FTP) or paste a meta tag into your site’s <head> section. For example, WordPress has SEO plug-ins that can do this for you, or you can edit your web pages yourself. After that, go back to Search Console and click Verify.
This ensures anyone visiting your site from a search engine gets the HTTPS version, as long as you mark that version of your site as the preferred domain.
4. Ensure that any HTTP URLs are redirected to HTTPS
First, if you’re using a website builder like Shopify, Squarespace, Wix, or something similar, check your settings to enable automatic redirects from HTTP to HTTPS. For example, Shopify includes a “Force HTTPS” option under Settings > Domains.
On WordPress, make sure you have an active, valid SSL certificate, then force HTTPS using a plug-in like Really Simple SSL or by editing your .htaccess file. To do this manually, download the .htaccess file from your server (usually in the public_html folder) via FTP or your host’s file manager, open it with a text editor, and add the following code at the top:
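<IfModule mod_rewrite.c>
  # Turn on URL rewriting
  RewriteEngine On
  # Match only requests that arrived over plain HTTP
  RewriteCond %{HTTPS} off
  # Permanently (301) redirect to the same host and path over HTTPS
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>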
This tells your server to redirect all incoming HTTP requests to HTTPS using a 301 (permanent) redirect. A permanent redirect preserves SEO value by passing “link equity” from the old URLs (http) to the secure ones (https), so you don’t lose any ranking power your old pages may have accrued.
5. Update your XML sitemap
Your sitemap helps Google (and site users) understand and more easily navigate your website. Make sure all links in it point to HTTPS versions of your pages. You can regenerate your sitemap using your CMS (like WordPress), a sitemap tool (like Screaming Frog), or an SEO plug-in (like Yoast SEO).
To find your sitemap, look for common URLs like /sitemap.xml in the root directory of your site, or check your robots.txt file for any references to it. (You can also use a tool like the W3C validator to find errors or broken links while you’re at it.)
Once you’ve updated your sitemap, you can log in to Google Search Console and paste its URL into the Add a new sitemap field. Hit Submit, and you’re good to go.
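To confirm the sitemap is clean before you submit it, here is an added example (not part of the original article) that pulls Sitemap: references out of a robots.txt body and lists every <loc> entry in a sitemap or sitemap index that is not an https:// URL. The function names are hypothetical, and the robots.txt and sitemap samples are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace defined by the sitemaps.org protocol; ElementTree needs it on every tag lookup.
SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"


def sitemaps_from_robots(robots_txt):
    """Return the URLs named on 'Sitemap:' lines of a robots.txt body."""
    urls = []
    for line in robots_txt.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep and key.strip().lower() == "sitemap":
            urls.append(value.strip())
    return urls


def insecure_sitemap_entries(sitemap_xml):
    """Return every <loc> in a sitemap or sitemap index that is not https://."""
    # Intended for your own sitemap; use a hardened parser such as defusedxml
    # for XML you do not control.
    root = ET.fromstring(sitemap_xml)
    bad = []
    for loc in root.iter(SITEMAP_NS + "loc"):
        url = (loc.text or "").strip()
        if not url.lower().startswith("https://"):
            bad.append(url)
    return bad


# Constructed samples (not taken from the article).
SAMPLE_ROBOTS = """User-agent: *
Disallow: /cart
Sitemap: http://shop.example.com/sitemap.xml
"""
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://shop.example.com/</loc></url>
  <url><loc>http://shop.example.com/products/shoes</loc></url>
  <url><loc> http://shop.example.com/pages/contact </loc></url>
</urlset>"""

if __name__ == "__main__":
    for url in sitemaps_from_robots(SAMPLE_ROBOTS):
        status = "ok" if url.lower().startswith("https://") else "update robots.txt"
        print(f"robots.txt sitemap: {url} ({status})")
    for url in insecure_sitemap_entries(SAMPLE_SITEMAP):
        print(f"non-HTTPS sitemap entry: {url}")
```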
“Not Secure” website meaning FAQ
How do I fix a website that’s not secure?
If you’re just visiting unsecured sites, there’s not much you can do besides maybe emailing the website owners. Never enter personal or financial information on a site that isn’t secure. If you have your own website, you can secure it by installing a secure sockets layer (SSL) certificate on your web server. You can then force your server to only serve HTTPS versions of your web pages and verify your website in Google Search Console.
Is it safe to buy from a non-secure website?
No, it’s not safe to enter credit cards or other personal information on a site that is not secure. Most major ecommerce sites are secure HTTPS sites, but if you get a warning that a site you’re planning to buy from is not secure, do not complete your transaction.
How do I check if a site is legit?
The best way to know if a website is legitimate and secure is to look for the padlock icon near the URL. If you’re using Google Chrome on Mac, click on the URL to see if the site is secure. For Safari on Mac, look for a little padlock icon to the left of the URL in the address bar. If you don’t see the padlock, or the URL starts with HTTP instead of HTTPS, then the site isn’t legit.