How to Fix the HTTPS Not Secure Message in Chrome: Step-by-Step Guide for Website Owners

Estimated reading time: 10 minutes

Seeing “Not Secure” in Chrome can push visitors away in seconds.

For a business website, that warning creates immediate doubt. Users may avoid filling out forms, logging in, subscribing to emails, or completing purchases. Even worse, they may assume the site is unsafe and never come back.

That is why learning how to fix the HTTPS not secure message in Chrome matters so much.

In most cases, the warning comes from a small group of common problems. The site may still load over HTTP. The SSL certificate may be expired or installed incorrectly. Some images, scripts, or forms may still be using insecure URLs. In other cases, WordPress settings, redirects, or third-party tools are the real cause.

The good news is that this issue is usually fixable.

This guide walks you through the exact steps website owners should take to remove the HTTPS not secure message in Chrome, strengthen site security, and restore visitor trust. If the warning has already damaged your brand image or search visibility, Remove Online Information also offers reputation repair and content removal solutions to help address the public side of the problem.

What the HTTPS Not Secure Message in Chrome Means

When Chrome shows Not Secure, it means the browser does not fully trust the way the page is being delivered.

That can happen for several reasons.

Sometimes the page is still loading on plain HTTP. Sometimes the page uses HTTPS, but some of its files still load from insecure sources. Other times, the certificate is expired, incomplete, or set up for the wrong domain.

So while the warning looks simple, the cause may not be.

Common Reasons Chrome Shows “Not Secure”

Chrome may show the warning if:

• The page loads over http://
• The SSL certificate is expired
• The certificate does not match the domain
• The site serves an incomplete certificate chain
• Images, CSS, or JavaScript load over HTTP
• Forms submit to insecure URLs
• Redirects are incomplete or broken
• CMS settings still point to HTTP resources

That is why the first step is diagnosis. You need to know which issue is causing the message before you can fix it properly.

Why This Warning Hurts SEO and Conversions

The browser warning is not just a technical issue.

It affects how people feel the moment they land on your website. That feeling influences whether they stay, trust the site, and take action.

How the Warning Affects Your Website

A Not Secure message can lead to:

• Lower user trust
• Higher bounce rates
• Fewer contact form submissions
• Lower ecommerce conversions
• Reduced lead generation
• More hesitation on checkout pages
• Weaker brand credibility

It can also create SEO problems if your site has both HTTP and HTTPS versions floating around. Search engines prefer clean, consistent secure URLs. If your site sends mixed signals, crawling and indexing can become messy.

That means fixing the issue helps both security and visibility.

Step 1: Check Whether the Website Is Actually Loading Over HTTPS

Start with the basics.

Open the page in Chrome and look at the address bar.

What to Look For

Check whether you see:

• https:// in the URL
• http:// instead of HTTPS
• A Not Secure label
• A warning when clicking the icon beside the URL

If the page is still loading on HTTP, then your site is not fully using HTTPS yet. In that case, the first fix is to install and configure SSL properly.

If the page already loads on HTTPS but still shows a warning, move on to the next steps.

Step 2: Make Sure the SSL Certificate Is Valid

A valid SSL certificate is the foundation of HTTPS.

Even if your URL shows https://, Chrome can still warn users if the certificate has problems.

A Proper Certificate Should Be:

• Issued by a trusted certificate authority
• Valid for the correct domain name
• Not expired
• Installed with the full certificate chain

Common Certificate Problems

These issues often cause Chrome warnings:

• Expired certificate
• Certificate issued only for www but not the root domain
• Missing intermediate certificate
• Self-signed certificate on a live site
• Different servers serving different certificates
• CDN certificate mismatch

How to Fix Certificate Issues

If the certificate is the problem:

1. Renew or reissue the certificate
2. Confirm it covers every hostname you use
3. Install the full certificate chain
4. Check all servers, proxies, and CDN layers
5. Restart or reload the web server if needed

Do not assume the certificate is fine just because one page loads. Check the actual hostnames users visit.

Step 3: Redirect All HTTP Pages to HTTPS

Installing SSL is not enough by itself.

If visitors can still access the HTTP version of the site, some users may continue landing on insecure pages. That keeps Chrome warnings alive and creates confusion for search engines.

A Proper Redirect Setup Should:

• Redirect every HTTP page to HTTPS
• Keep the same page path during the redirect
• Use a permanent 301 redirect
• Avoid long redirect chains

Example Apache Redirect

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Example Nginx Redirect

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

After applying redirects, test more than the homepage. Check blog posts, form pages, product pages, and login screens too.

Step 4: Fix Mixed Content

Mixed content is one of the most common reasons a site still appears insecure after moving to HTTPS.

This happens when the main page loads over HTTPS, but some of its files still come from HTTP URLs.

Common Mixed Content Examples

These assets often cause problems:

• Images
• Stylesheets
• JavaScript files
• Fonts
• Videos
• Iframes
• Third-party widgets
• Form actions

Even one insecure asset can trigger warnings or keep the page from appearing fully secure.

How to Find Mixed Content

Open Chrome DevTools and check:

• Security
• Console
• Network
• Issues

These panels often show the exact file or request still loading over HTTP.

How to Fix Mixed Content

Once you find the insecure resources:

• Replace http:// with https://
• Update hardcoded asset paths
• Fix old image URLs in posts
• Update theme and plugin settings
• Replace insecure third-party embeds
• Search the database for old HTTP references

Mixed content is often the main problem after an incomplete HTTPS migration.

Step 5: Update WordPress Settings

For WordPress websites, many HTTPS issues come from the CMS itself.

The server may be configured correctly, but WordPress still outputs old HTTP links for media, scripts, forms, or internal URLs.

In WordPress, Check:

• Settings > General
• WordPress Address
• Site Address
• Theme settings
• Plugin settings
• Page builder links
• CDN configuration
• Cached content

Common WordPress HTTPS Problems

These are especially common:

• Old images still use HTTP
• Theme files hardcode insecure asset links
• Form plugins post to HTTP
• Page builders store old HTTP URLs
• Cache plugins serve stale HTML
• WooCommerce settings still point to insecure paths

If WordPress still thinks your site lives on HTTP, Chrome may continue showing warnings even after SSL is installed.

Step 6: Check Forms, Login Pages, and Checkout Pages First

Some pages deserve immediate attention because they collect user data.

If a page asks for personal details, passwords, or payment information, visitors are far more likely to leave when they see a warning.

High-Priority Pages

Review these pages first:

• Contact forms
• Quote request pages
• Login pages
• Account registration pages
• Checkout pages
• Payment pages
• Client portals
• Newsletter signup forms

Form Security Checklist

Make sure:

• The page loads on HTTPS
• The form action uses HTTPS
• Embedded form scripts load securely
• Captcha services use secure endpoints
• Payment tools are fully secure
• Thank-you pages remain on HTTPS

A secure homepage means little if the money-making pages still look unsafe.

Step 7: Check the Certificate Hostname and Chain

Some certificate problems are subtle.

The site may appear to load over HTTPS, but Chrome can still complain if the certificate setup is incomplete.

Check These Items

Confirm that the certificate:

• Covers the root domain
• Covers the www version if used
• Covers active subdomains where needed
• Includes required intermediate certificates

Also confirm that every layer of your stack is aligned:

• Origin server
• CDN
• Reverse proxy
• Load balancer

A mismatch at any of these layers can produce inconsistent HTTPS behavior.

Step 8: Add HSTS After HTTPS Is Stable

HSTS can strengthen your HTTPS setup by telling browsers to always request the secure version of the site.

Example HSTS Header

Strict-Transport-Security: max-age=31536000; includeSubDomains

Important Warning

Do not enable HSTS too early.

If the site still has:

• Mixed content
• Broken redirects
• Incomplete HTTPS coverage
• Subdomains without valid certificates

HSTS can make the experience worse by forcing browsers into broken secure paths.

Use it only after the site is fully stable on HTTPS.

Step 9: Use upgrade-insecure-requests as a Backup Aid

For larger legacy sites, this Content Security Policy directive can help reduce leftover insecure asset calls:

Content-Security-Policy: upgrade-insecure-requests

When It Helps

It is useful if:

• Old posts still contain HTTP asset links
• The site has many legacy pages
• You need a safety layer during cleanup

What It Does Not Replace

You still need to:

• Fix database content
• Update theme files
• Correct plugin settings
• Replace insecure embeds
• Clean form actions

Think of it as a support tool, not the final solution.

Step 10: Review Search Console and Internal Site Signals

Even after the browser warning is gone, you should still check whether the site is consistently using HTTPS.

Review These Areas

• Search Console HTTPS data
• XML sitemap URLs
• Canonical tags
• Navigation links
• Footer links
• Structured data
• Open Graph URLs
• Internal content links

Why This Matters

If your site still feeds HTTP references into search engines, it can slow cleanup and keep old versions hanging around.

Update all internal signals so the secure version is clearly the preferred version.

Step 11: Run a Final Verification Pass

Now test the site thoroughly.

Final HTTPS Checklist

Make sure:

• Pages load on https://
• Chrome no longer shows Not Secure
• No mixed-content warnings remain
• Redirects go straight to HTTPS
• Forms submit securely
• Images and scripts load on HTTPS
• Certificate details are correct
• Internal links use HTTPS
• Search Console reflects the secure version

Pages You Should Test

Check all major page types:

• Homepage
• Contact page
• Login page
• Checkout page
• Blog posts
• Category pages
• Product pages
• Mobile version
• Desktop version

Many site owners fix one page and assume the issue is gone. That often leaves deeper templates behind.

Common Mistakes to Avoid

1. Installing SSL but skipping redirects

Users can still land on insecure pages.

2. Fixing only the homepage

The rest of the site may still contain insecure resources.

3. Ignoring mixed content

A page can be HTTPS and still not fully secure.

4. Turning on HSTS too early

This can lock users into broken secure paths.

5. Leaving internal links on HTTP

That keeps old signals alive.

6. Trusting a plugin to fix everything

Plugins can help, but they are not a replacement for full cleanup.

7. Forgetting third-party scripts

A single widget or embed can reintroduce the warning.

What If the Warning Is Fixed but Trust Is Still Damaged?

Technical cleanup solves the browser issue. It does not always fix the reputation issue.

If users already saw warnings, you may still deal with:

• Lower trust
• Fewer conversions
• Negative comments
• Damaged branded search results
• Customer hesitation

That is where browser security and online reputation overlap.

If your website is technically secure again but your brand image still looks damaged online, Remove Online Information can help with content removal, search-result cleanup, and reputation repair.

FAQ: How to Fix the HTTPS Not Secure Message in Chrome

If you want your website to look secure, convert better, and avoid browser trust warnings, fix HTTPS thoroughly from the certificate layer all the way through redirects, mixed content, forms, and internal links. And if the warning already hurt your public image, visit Remove Online Information to explore its solutions and reputation repair services.

Works Cited

Chrome Developers. “Avoiding the Not Secure Warning in Chrome.” Chrome for Developers, https://developer.chrome.com/blog/avoid-not-secure-warn/. Accessed 14 Apr. 2026.

Chrome Developers. “Issues: Find and Fix Problems.” Chrome for Developers, https://developer.chrome.com/docs/devtools/issues/. Accessed 14 Apr. 2026.

Chrome Developers. “Privacy and Security Panel.” Chrome for Developers, https://developer.chrome.com/docs/devtools/security/. Accessed 14 Apr. 2026.

Google. “Check if a Site’s Connection Is Secure.” Chrome Help, https://support.google.com/chrome/answer/95617. Accessed 14 Apr. 2026.

Google. “Fix Connection and Loading Errors in Chrome.” Chrome Help, https://support.google.com/chrome/answer/6098869. Accessed 14 Apr. 2026.