The 'Not Secure' Badge Is the Cheapest Trust You Will Ever Lose
A 'Not secure' badge, an http:// page, or a form posting over http all cost you trust and sometimes break the page. What each one means and how to fix it.
Published on July 17, 2026
This finding covers a family of related problems, all about the connection between a visitor and your page not being fully encrypted. A page served over plain http, a secure page that loads an insecure resource, a form that submits over http. They differ in severity, but they share a symptom every visitor can see: the browser tells them your site is not secure, in those words, right in the address bar.
Unlike most of what an audit flags, this one is not subtle and not debatable. It is visible to every human who lands on the page, and on a form it can be the difference between a sale and a bounce.
Why this matters
Two reasons, and the smaller one is the SEO reason. HTTPS has been a lightweight Google ranking signal for years, so all else equal, the secure page has a slight edge. That is real but minor, and it is not why you fix this.
You fix it because of the badge and the breakage. A browser showing “Not secure” next to your domain is telling every visitor, in plain language, not to trust you with anything, and it does that most loudly on exactly the pages where trust matters: anything with a form, a login, a checkout. Nobody types a password into a page the browser is warning them about. The conversion cost is immediate and it does not show up in your rankings report, it shows up in your revenue.
Then there is outright breakage, which is what “mixed content” causes. When a page loads over HTTPS but pulls in a script or stylesheet over HTTP, browsers step in. As web.dev puts it, active mixed content, scripts, stylesheets, iframes, is the dangerous kind: “An attacker can intercept and rewrite active content, using it to take full control of your page,” and so “most browsers already block this type of content by default.” Blocked. Your own script does not run. The page is broken, silently, for security reasons you did not choose. Passive mixed content, images and video, is less dangerous and browsers now try to upgrade it quietly, but it still trips the warning.
What each shape of this finding means
- A page served over
http. The whole page is unencrypted. This is the most serious version and the clearest fix: the page needs to be on HTTPS, which today means getting a certificate (free, via Let’s Encrypt and most hosts) and redirectinghttptohttps. If your whole site is onhttp, that is a project, but a well-trodden one. - Mixed content (an HTTPS page loading
httpresources). The page itself is secure but it references insecure subresources. The fix is to update those references tohttps, or to protocol-relative or upgraded URLs. Active resources (scripts, styles) are urgent because they get blocked; passive ones (images) are cosmetic-plus-warning. - A form on an
httppage, or posting to anhttpendpoint. The most damaging for conversion. A form that collects anything, an email, a password, a card, over an unencrypted connection is both a real security exposure and a guaranteed browser warning at the worst moment. Move the page and the form action to HTTPS.
When is it worth fixing, and when should you skip it?
Fix it immediately when:
- Any page with a form is not fully HTTPS. This is the top priority in the whole finding. It is a live security issue and a conversion killer at the same time.
- Active mixed content (a script or stylesheet over
http) is present. It is being blocked right now, so part of your page is broken whether you have noticed or not.
Fix it soon when:
- A whole page or site is on
http. It is serious, but if there are no forms it is a slower-burning problem than a broken checkout. Plan the HTTPS migration; do not leave it indefinitely.
Deprioritize when:
- It is passive mixed content (an
httpimage) on a page that is otherwise secure. Browsers now upgrade most of these automatically. Worth cleaning up, not worth an emergency.
The honest tradeoff: this is one of the few findings where the SEO angle is the least important reason to act. The ranking bump from HTTPS is small; the trust you lose to a “Not secure” badge, and the pages you break with blocked mixed content, are large and immediate. I would fix anything touching a form today, unblock active mixed content today, and schedule the rest, and I would never let the “it’s only a minor ranking factor” framing talk me out of it, because the real cost is a visitor who leaves.
Some of this is content Get AI Traffic can touch, updating an http resource reference in a page body runs through set_content. But the core of it, a certificate, an http-to-https redirect, a server that serves the whole site securely, is infrastructure, not page markup, and it lives with your host or your CDN rather than in a content tool. This is a finding where the most important fixes are yours to make at the server, and the guide’s job is to tell you which ones cannot wait.
Frequently asked questions
What does “Not secure” in the address bar mean? It means the connection to that page is not encrypted, either the page is on http, or a form on it submits over http. The browser is warning visitors not to trust the page with any information. It is the single most visible trust problem a site can have.
Is HTTPS a Google ranking factor? Yes, but a light one, confirmed by Google for years. It is a real tiebreaker, not a major lever. The bigger reasons to be on HTTPS are user trust and not having your pages broken by blocked mixed content.
What is mixed content? A page loaded over HTTPS that pulls in resources over HTTP. Active mixed content (scripts, stylesheets) is dangerous and browsers block it, which breaks your page. Passive mixed content (images, video) is lower risk and browsers now often upgrade it automatically, but it still triggers the warning.
How do I get HTTPS? Get a TLS certificate, which is free through Let’s Encrypt and bundled by most hosts and CDNs, and redirect all http traffic to https. Most platforms make this close to one click now. Once secure, hunt down any remaining http resource references so you do not trip mixed-content warnings.
Is a form on an http page really that bad? Yes. It is a genuine security exposure, anything typed in can be intercepted, and browsers flag it prominently, so it also destroys conversion. A form is the one place you cannot afford a “Not secure” warning. Fix these first.
Sources
Want this checked on your own site?
Get your free AI-visibility audit