Site Not Served Over HTTPS

Google uses HTTPS as a ranking signal since 2014.

Why it matters

Google uses HTTPS as a ranking signal since 2014. Browsers mark HTTP pages "Not Secure", destroying trust. Many modern APIs (geolocation, service workers) only work over HTTPS.

Fix this before publishing the next change. Critical signals frequently block indexing or cause measurable ranking loss. Estimated SEO impact: high — direct effect on rankings or impressions.

How to fix

• Obtain a free TLS certificate via Let's Encrypt or your CDN
• Redirect all HTTP URLs to HTTPS with 301
• Add Strict-Transport-Security (HSTS) header

Common causes

If the rule is firing across many pages, the root cause is almost always one of these:

• Mixed-content sub-resources from before HTTPS migration that escaped the rewrite.
• CDN or upstream proxy strips a security header that was set at the origin.
• Legacy redirects send HTTPS traffic through HTTP first.
• Test/staging hostnames leak into production HTML via hard-coded URLs.

Anti-patterns to avoid

Even with the best intentions, these "fixes" make the issue worse — recognise them so you don't ship them:

• Mixed HTTP/HTTPS resources after migration.
• Self-signed or expired certificates on production.
• Long-lived secrets in client-rendered HTML or JS bundles.

How atlookup detects this

Our crawler renders each page with a real headless browser, then inspects HTTPS state, response headers, mixed content, and certificate validity. Pages where the rule fires for site not served over https are flagged on the report.

If you'd like to see this rule fire on your own site, run a free 60-second audit — every page is reported with the exact lines that triggered it.

Tools to verify the fix

Once you've applied the fix, double-check with these external validators:

• SSL Labs — Grades certificate + protocol configuration.
• securityheaders.com — Audits response headers against best practice.

Frequently asked questions

Related issues