SSL Checker and HTTPS Test
What is it?
HTTPS is the baseline expectation for any site on the modern web. It encrypts the connection between visitor and server, protects credentials and other sensitive data in transit, and has been a positive Google ranking signal since 2014. Modern browsers flag non-HTTPS pages as Not Secure, block password and payment fields from working over HTTP, and gate features such as HTTP/2, Service Workers, and most third-party API integrations behind it. This test verifies that your site is served over HTTPS with a valid TLS certificate covering the requested domain.
Why HTTPS still matters in 2026
HTTPS is the baseline expectation for any site on the modern web. Browsers display visible warnings on HTTP pages, password and payment fields are blocked from working over HTTP, and search engines de-prioritize HTTP pages in rankings. The cost of getting HTTPS right has dropped to near zero with free certificates from Let's Encrypt and one-click HTTPS configuration on every major hosting platform, so there is no reason for any production site to lack it.
HTTPS also unlocks performance and security features that simply do not work over HTTP, including HTTP/2 and HTTP/3 (both require TLS in browsers), Service Workers and Progressive Web App functionality, modern Permissions API features, and most third-party API integrations. A site stuck on HTTP cannot use any of them.
Common HTTPS issues this test catches
- No TLS certificate at all, with the site accessible only over HTTP.
- Expired certificate, the most common cause of unplanned HTTPS outages.
- Certificate not covering the requested domain or subdomain, producing a browser warning.
- HTTP not redirected to HTTPS, leaving both versions reachable and splitting signals.
- Missing intermediate certificates, causing browsers to fail validation even when the cert itself is valid.
This test verifies your site's HTTPS configuration. The fix guide below covers provisioning free certificates, configuring server-level HTTPS and redirects, automating certificate renewal, and hardening the TLS configuration against modern attacks.
Pass rate:
-
Top 100 websites: %This value indicates the percent of top 100 most visited websites in the US that pass this test (in the past 12 months).
-
All websites: 95%This value indicates the percent of all websites analyzed in SEO Site Checkup (500,000+) in the past 12 months.
| 2021 | 100% |
|---|---|
| 2022 | 100% |
| 2023 | 100% |
| 2024 | 100% |
100
75
50
25
0
How do I fix it?
This test fails when the site is not served over HTTPS, or when the TLS certificate is invalid or expired. HTTPS encrypts the connection between visitor and server, protecting credentials and other sensitive data in transit, and Google has used it as a positive ranking signal since 2014. Modern browsers also flag non-HTTPS pages as Not Secure, which damages user trust. Fixing this issue means provisioning a TLS certificate and redirecting all HTTP traffic to HTTPS.
Where to make the change
- TLS certificate: Let's Encrypt provides free, automatically renewing certificates. Most modern hosts and CDNs (Cloudflare, Netlify, Vercel, Caddy) provision and renew them automatically.
- Server configuration: bind your web server to port 443 with the certificate, then add a server block that 301-redirects port 80 traffic to HTTPS.
- WordPress: a dedicated SSL plugin or your host's one-click HTTPS setup configures the redirect and rewrites internal URLs.
- Shopify, Wix, Squarespace: all three provide HTTPS by default. Failures usually point at custom domains where DNS or certificate provisioning has not completed.
Common causes and how to resolve them
- No certificate at all: provision one through Let's Encrypt or your hosting platform.
- Expired certificate: renew immediately. Set up automatic renewal so this cannot happen again.
- Certificate does not cover the domain or subdomain: issue a certificate that includes every hostname you serve, or use a wildcard certificate.
- HTTP not redirected to HTTPS: add a 301 redirect from
http://tohttps://for every URL. - Mixed certificate chain or missing intermediates: serve the full certificate chain so browsers can validate without warnings.
Best practices
- Enable HSTS: the
Strict-Transport-Securityheader tells browsers to skip HTTP entirely on future visits. - Automate renewals: certificate renewals are the single most common cause of unplanned HTTPS outages. Automate them.
- Use modern TLS configuration: support TLS 1.2 and 1.3 only; disable older protocols. Mozilla's SSL Configuration Generator produces a current best-practice config.
- Test with SSL Labs: Qualys SSL Labs grades your TLS configuration and surfaces concrete improvements.
