Why does the webpage display "Not Safe"? How can I fix it?-DNS.COM

Support >

About cybersecurity >

Why does the webpage display "Not Safe"? How can I fix it?

Time : 2026-03-20 16:31:56

Edit : DNS.COM

　　When you excitedly open your carefully crafted website or visit a familiar page in your browser, a striking red triangle suddenly pops up on the left side of the address bar, next to the chilling words—"Insecure." What's your first reaction? Confusion, worry, or the fear that your website has been hacked?

　　If you're a website owner, it feels like owning a physical store and finding a "Hygiene Failure" sign on the door, with no idea what went wrong. If you're a regular visitor, it feels like someone whispering in your ear, "Don't go in, it's dangerous inside."

　　Today, we'll thoroughly explain the story behind this "insecure" warning. Not a textbook lecture, but from the perspective of someone who has actually experienced these pitfalls, we'll discuss what it is, why it appears, and most importantly—how to solve it.

　　I. What Does "Insecure" Actually Mean? Understanding the Browser's Subtext

　　Many people's first reaction to the word "insecure" is: Is my website compromised? Is it infected with a virus?

　　Actually, in most cases, you're overthinking it.

　　This "insecure" message is your browser (Chrome, Edge, Safari, etc.) telling you one thing: the webpage you are currently visiting is not using encrypted transmission.

　　In the early days of the internet, all websites were "insecure," and people didn't think much of it. However, as cybersecurity issues have become increasingly serious, major browser vendors began gradually promoting HTTPS (Hypertext Transfer Protocol Secure) around 2017 and labeled unencrypted HTTP websites as "insecure."

　　This message is essentially an indicator of "encryption status," not a "virus alert."

　　For example: You're walking down the street and see a shop with its door open, allowing anyone to walk in. The browser tells you "the shop door is unlocked," but it doesn't say "there's a thief inside." An unlocked door doesn't necessarily cause a problem, but it certainly increases the risk.

　　Similarly, data transmitted via HTTP is in plaintext, like speaking on a walkie-talkie in a busy city—anyone can hear you. If someone is eavesdropping between you and the website (e.g., on the same Wi-Fi network), they can easily steal your login password, bank card information, and chat history. HTTPS, on the other hand, adds an encryption layer to your walkie-talkie; only you and the website can understand it.

　　Therefore, when a browser says "insecure," the subtext is: "This connection is not encrypted; any sensitive information you enter could be intercepted by a third party."

　　II. What are the consequences of this "insecurity"? Don't underestimate it.

　　Some people think, "It's just a red icon in the address bar; it doesn't affect how the website opens, so what's the big deal?" If you think this way, you're underestimating the destructive power of this red icon.

　　1. The instantaneous collapse of user trust

　　There's a concept in psychology called "negativity bias"—people are far more sensitive to negative information than positive information. When a user sees a prominent red "Not Secure" warning in the address bar, no matter how beautifully designed or how high-quality the content of your website, they subconsciously label it as "unreliable."

　　For e-commerce websites, seeing this warning when placing an order can halve conversion rates. For corporate websites, potential customers will think that if the company can't even handle website security, how strong can its technical capabilities be?

　　2. SEO Ranking Decline

　　Google, Baidu, and other search engines have clearly stated that HTTPS is one of the ranking factors. Although it doesn't carry the same weight as content quality, when two websites have similar content, the HTTPS website will be displayed first. Your HTTP website is already at a disadvantage from the start.

　　3. Browser Functionality Restrictions

　　Modern browsers are increasingly discriminating against HTTP websites. For example, HTTP websites cannot use many advanced browser APIs (such as geolocation, push notifications, camera access, etc.). More seriously, if your website needs to embed third-party services (such as payment interfaces, social media logins), many service providers now require HTTPS calls, otherwise they will refuse to accept the service.

　　4. Risk of Data Leakage

　　If your website has login functionality, a message board, or any form submission, using HTTP means users' passwords, email addresses, and even ID numbers are exposed online. If intercepted, this can lead to anything from stolen user accounts to legal disputes.

　　Therefore, "insecurity" is not a minor issue; it's a comprehensive problem that can affect the survival of your business, user trust, and compliance risks.

　　III. Why Does My Website Display "Insecure"? Several Common Situations

　　While the "Insecure" message is simple, there are multiple reasons behind it. Understanding which situation applies to you is crucial for effective solutions.

　　Situation 1: Completely Unencrypted, Using the HTTP Protocol

　　This is the most straightforward situation. Your website address starts with http:// instead of https://. The browser sees that the website lacks an SSL certificate and immediately labels it "Insecure."

　　This situation is most common in the following situations:

　　A newly set up personal blog without a certificate configuration.

　　Some old internal systems that the administrator is too lazy to configure.

　　Cheap virtual hosting that doesn't come with SSL by default.

　　Situation Two: HTTPS is used, but the certificate has a problem.

　　Sometimes you've clearly configured an SSL certificate, and the address bar shows https://, but the browser still prompts "Insecure." This is usually due to a problem with the certificate itself:

　　Certificate expired: SSL certificates have an expiration date, usually one year or a few months. After expiration, the browser will consider the certificate untrusted.

　　Certificate domain mismatch: The certificate is issued for www.example.com, but you access it using example.com, or by accessing it directly using an IP address.

　　Untrusted certificate: You used a self-signed certificate, or the certificate came from a CA (Certificate Authority) that is not trusted by the browser. Self-signed certificates may work fine locally, but will be blocked by all browsers on the public internet.

　　Incomplete certificate chain: Intermediate certificates are not installed correctly, and the browser cannot verify the complete trust chain of the certificate.

　　Situation Three: Mixed content

　　This is the most insidious and frustrating situation.

　　Your website itself is HTTPS, but the page references HTTP resources—such as an image, a JavaScript script, or a CSS file. The browser considers your main page secure, but the resources you load are insecure; this "mixed" state will also be marked as "insecure."

　　Mixed content falls into two categories:

　　Passively mixed content: such as images, audio, and video. When these resources are loaded, the browser usually only reports an error in the console, and the address bar may only display a gray lock or exclamation mark.

　　Actively mixed content: such as JavaScript scripts, CSS stylesheets, and iframe embeddings. If these resources are loaded via HTTP, the browser will directly block loading, and the address bar will explicitly display "insecure," because malicious scripts could be tampered with via HTTP, thus attacking the entire page.

　　Scenario 4: Insecure forms embedded in the page

　　If your HTTPS page has a `<form>` tag, but the `action` attribute points to an HTTP address, the browser will also consider this a security risk—the information entered by the user will ultimately be transmitted in plaintext.

　　IV. How to Solve the Problem? A Complete Guide from Scratch

　　Now that you understand the reasons, the next step is to take action. Below, I'll provide a workable solution, arranged from easiest to most difficult.

　　Step 1: Purchase or Apply for an SSL Certificate

　　To solve the "insecurity" issue, the first step is to equip your website with an SSL certificate.

　　SSL Certificate Types and Selection:

　　Free DV Certificates: Such as Let's Encrypt, Alibaba Cloud Free Certificates, Tencent Cloud Free Certificates. Only verifies domain ownership, suitable for personal blogs and small showcase sites. Valid for 90 days, but can be automatically renewed.

　　Paid DV Certificates: Functionally the same as free ones, but with a longer validity period (one year), commercial support, and compensation guarantees. Suitable for users who don't want the hassle of automatic renewal.

　　OV (Organization Validation) Certificates: Verify enterprise identity; the address bar will display the company name. Suitable for corporate websites and e-commerce websites.

　　EV (Extended Validation) Certificates: The highest level of verification; the address bar will display the company name in green. Suitable for banks, payment platforms, and large e-commerce companies.

　　For most individual website owners and small businesses, a free Let’s Encrypt certificate plus an automatic renewal script is sufficient. Don't assume free is bad; Let’s Encrypt is the world's largest Certificate Authority (CA), trusted by all browsers.

　　How to Install:

　　If you are using a control panel like BT Panel, find "SSL" in "Website Settings," apply for Let’s Encrypt with one click, and it will automatically configure—just click once.

　　If you are using one-click packages like LNMP or Oneinstack, they usually have built-in commands for automatically issuing certificates.

　　If you are manually configuring Nginx/Apache, you can use the Certbot tool, which will automatically obtain the certificate and modify the configuration file for you.

　　Step Two: Ensure HTTPS Redirects Across the Entire Site

　　After installing the certificate, you need to do one more thing: force all HTTP access to redirect to HTTPS.

　　If a user manually enters http://yourwebsite.com, you need to ensure that the browser automatically redirects to https://yourwebsite.com.

　　Nginx Configuration Example:

server {
    listen 80;
    server_name website.com;
    return 301 https：//$server_name$request_uri；
}

　　Apache configuration example:

　　Add the following to the .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https：//%{HTTP_HOST}/$1 [R=301，L]

　　After completing this step, try accessing the website again; the address bar should now show a green padlock. But hold on, there's one more crucial finishing touch.

　　Step 3: Clean Up Mixed Content

　　This is the most tedious step, and the reason many people find themselves wondering "Why is it still insecure?" after completing the certificate process.

　　How to detect mixed content:

　　Open your website, press F12 to open your browser's developer tools, and switch to the Console panel. You will see a red warning similar to this:

Mixed Content： The page at 'https：//xxx' was loaded over HTTPS， but requested an insecure image 'http：//xxx.jpg'. This content should also be served over HTTPS.

　　Solutions:

　　1. Modify resource links: Change all resource links starting with http:// to https://. If the resource itself supports HTTPS (most modern CDNs support this), simply change the protocol.

　　2. Use protocol-relative URLs: Remove http:// or https://, and write //example.com/image.jpg. The browser will automatically use the current page's protocol to load it.

　　3. Replace resource addresses: If an external resource does not support HTTPS, you need to download it to your own server or find an alternative resource that supports HTTPS.

　　4. Check the database: If your website uses a CMS like WordPress, the article content may contain a large number of HTTP links. You can use a plugin (such as Better Search Replace) to batch replace http://yourdomain.com with https://yourdomain.com in the database.

　　This step requires patience, especially for older websites, as there may be dozens or even hundreds of places that need adjustment. But this is the necessary step to turn the padlock icon green.

　　Step 4: Update External References and Third-Party Services

　　If you use third-party services such as Google Analytics, Baidu Analytics, ad code, or social media plugins, you need to check if their loading code supports HTTPS. Almost all mainstream services now use HTTPS by default, but if you're using older code, you may need to retrieve the new embedding code from the backend.

　　Additionally, if your website uses CDN acceleration, ensure that the CDN also has HTTPS enabled and that the origin pull method is correct (either the CDN uses HTTPS to pull back to your origin server, or your origin server allows HTTP origin pulls but the CDN provides HTTPS externally).

　　In conclusion: The essence of security is trust

　　When we talk about web pages being "insecure," we're not actually talking about the technology itself, but about trust.

　　The essence of the internet is connection, and the prerequisite for connection is trust. Browsers use a small red marker to try to establish a boundary of security between users and websites. It may be overly sensitive, and it may sometimes be annoying, but its initial intention is to protect users, and also to protect you—a website owner who seriously runs a website.

　　If your website is currently "insecure," treat it as a problem that must be solved, not a pop-up that can be ignored. Spend an afternoon applying for a free certificate, configuring HTTPS redirects, and cleaning up those stubborn mixed content. When you see that little green padlock in the address bar steadily lighting up, you'll understand that this is not just the completion of a technical task, but also a promise you've made to your users.

Previous one:What is an SSL vulnerability? What are some protection strategies? Next one:Why can't I access the site after the domain name has been resolved?