My SSL is installed, why do I get the warning ‘Not secure’ in browsers?
- General information
- How to detect the issue
- How to resolve the issue
What is the 'Insecure content' issue?
If you recently installed an SSL certificate on your website, you may still run into the issue of receiving the mixed content warning in browsers. Browsers may warn your customers that your website is insecure, causing them to close the page due to this security threat.
Some browsers even block the insecure connection and mark the website as not secure so that your visitors will not see the website content. Below, you will learn what exactly mixed content is, why it occurs, and how to fix these warnings if you encounter them on your site.
Insecure (also called ‘mixed’) content usually appears when HTML code on a website loads over HTTPS, while other content (such as images, video content, stylesheets, and scripts) still loads over the insecure HTTP protocol. When this happens, some of the content of your site loads securely and some of it insecurely.
The issue with insecure content is that the browser tries to load all of your website content via a secure HTTPS connection, whether it’s secure or not. As a result, in modern browsers, the warnings we mentioned above are displayed to visitors who try to view a website that has some http:// content.
Below you can compare how a secure website should look like in different browsers and how it looks like if the mixed content warning is displayed:
Chrome:
Firefox:
Safari:
Please keep in mind if you face the issue of insecure http:// links in your site content, the security messages in the browser have nothing to do with the SSL installation. That is, it doesn’t necessarily mean the SSL wasn’t installed properly. To be sure, you can check that your SSL is installed properly here.
In order to find what is causing the situation, you'll need to check the elements within the HTML code of your site. You need to check your site content and detect if there are any http:// links.
How do I know if I have insecure content?
To locate the mixed content, you can do the following:
How can I fix it?
You can try one of the solutions described below to remove the insecure content warning:
- If your website is built on Wordpress, there are multiple plugins available for fixing insecure content", such as Really Simple SSL and Insecure content fixer. Read this article to find more information about fixing insecure content on Wordpress.
Note: For EasyWP websites, if the plugins don’t fix the mixed content and the manual changes in the database are not saved, please contact our Hosting/EasyWP team to clear the cache from our side to accept the changes.
- Add this special header to your site .htaccess file:
Header set Content-Security-Policy "upgrade-insecure-requests" env=HTTPS
- This header works for most popular browsers. It’s only sent if the page is requested via HTTPS (because of the env=HTTPS condition). When accessed via https://, it informs all browsers to use https:// links for images/scripts/CSS/frames/videos even if they are explicitly specified as http:// in the HTML page source.
- Please keep in mind that the header should be put into the correct .htaccess file (for the website in question) so that the rule works for the website with the insecure content issue.
- Additionally, in order for the rule to work properly, the header should be in the first line in the mentioned file.
- Update all the HTTP links to HTTPS ones manually in the website’s script. For example, you should move the image file to a secure part of the site, e.g., https://secure.yyy.com/image.gif . If the content is linked from a third-party source, you could upload it to your server and make it secure;
- Make the links relative to the root directory by adding a backslash before the file name as in the following example:
‹img src="/image.gif"›
. This would translate to both ‹img src="https://www.yyy.com/image.gif"›
and ‹img src="http://www.yyy.com/image.gif"›
. This way, the browser will choose the proper HTTPS or HTTP link to display the image or content depending on which connection to the website (secure or not) is used.
If you didn’t create the site yourself, you will need to contact either your web designer or the company that provided you with the site to get assistance with troubleshooting the issue.
Associated articles
How to set up rules and redirects in .htaccess
How to set up HTTPS for WordPress
How to improve WordPress website security
How to get your website indexed by Google
FAQs
Insecure (also called 'mixed') content usually appears when HTML code on a website loads over HTTPS, while other content (such as images, video content, stylesheets, and scripts) still loads over the insecure HTTP protocol. When this happens, some of the content of your site loads securely and some of it insecurely.
How do I get rid of SSL certificate warning? ›
Reinstall the SSL
As a result, your browser may serve a warning that the SSL certificate is not issued by a trusted authority. In most cases, this is resolved by reinstalling the SSL.
How do I fix SSL connection is not secure on Chrome? ›
You'll get this error if you have antivirus software that provides "HTTPS protection" or "HTTPS scanning." The antivirus is preventing Chrome from providing security. To fix the problem, turn off your antivirus software. If the page works after turning off the software, turn off this software when you use secure sites.
How do I make my website SSL secure? ›
Simply contact your web host and request to purchase an SSL certificate for your account. For example, here are some links to some popular web host providers explaining how to purchase SSL certificates. GoDaddy, visit GoDaddy's website to view their SSL options.
Why do I keep getting a security certificate warning? ›
This often means that the security certificate was obtained or used fraudulently by the website. A website is using a certificate that was issued to a different web address. This can occur if a company owns several websites and uses the same certificate for multiple websites.
How to override security certificate warning? ›
Chrome
- Right-click the Google Chrome shortcut on your desktop and select Properties.
- In the Target field simple append the following parameter after the quoted string: --ignore-certificate-errors.
How to clear SSL certificate cache? ›
Google Chrome for Windows / Internet Explorer / Microsoft Edge
- Open the Start menu.
- Search for and open Internet Options.
- In the dialogue box that appears, select the Content tab.
- Click Clear SSL State.
Why do I keep getting an SSL error? ›
You might encounter this error when the browser and the server could not establish a secure connection using SSL. This could happen due to various reasons, such as incompatible SSL protocols, ciphers, or certificates, network issues, firewall settings, or server configuration errors.
How do I reset my SSL? ›
Google Chrome
- Start the Windows Control Panel.
- In the Find a setting text box, type internet options, and then click Internet Options.
- Click the Content tab.
- In the Certificates section, click Clear SSL state, and then click OK.
Why is my SSL certificate not updating in my browser? ›
Solution. Clear your browser and SSL caches in any browsers you experience this issue. NOTE: This issue is not as common or does not occur on UNIX-based systems like Apple OS X and Linux. In OS X, Safari has a more frequent certificate caching cycle.
Under Install and Manage SSL for your site (HTTPS), click Manage SSL Sites. Scroll down to the Install an SSL Website and click Browse Certificates. Select the certificate that you want to activate and click Use Certificate. This will auto-fill the fields for the certificate.
How to manually install an SSL certificate? ›
How To Manually install an SSL Certificate
- Step 1: Purchase an SSL Certificate.
- Step 2: Configure your SSL Certificate.
- Step 3: Generate and upload a CSR.
- Step 4: Verify certificate details and click “Proceed.”
- Step 5: Allow time for the certificate to validate.
How do I enable SSL certificate verification? ›
How To Verify SSL Certificates In Windows? To check if SSL certificate is installed, you can use the Certificate Manager tool and check its validity period. Another alternative option is to use the sigcheck Windows Sysinternals utility to verify TLS version.
How to fix a website that says not secure? ›
My website is not secure, how can I fix it?
- Install Secure Sockets Layer (SSL) certificate. ...
- Ensure that internal and external links use HTTPS. ...
- Verify your website in Google Search Console. ...
- Ensure that HTTP URLs are redirected. ...
- Update XML sitemap.
Why is my SSL certificate not trusted? ›
The most common cause of a "certificate not trusted" error is that the certificate installation was not properly completed on the server (or servers) hosting the site. Use our SSL Certificate tester to check for this issue. In the tester, an incomplete installation shows one certificate file and a broken red chain.
Why is my site broken after I installed an SSL certificate? ›
Possible causes: The browser cache is not cleared, the domain name that is bound to the certificate is different from the domain name of the website, or the certificate has expired. Clear the browser cache and access the website again.
Why my SSL certificate is not valid? ›
This error means that the browser does not trust the SSL certificate for the website. This could happen if the certificate is self-signed, expired, or issued by an untrusted CA. To fix this error, you need to make sure that you have a valid SSL certificate from a reputable CA that is recognized by all major browsers.