Why Must Every Website Use HTTPS? Complete Guide (2026)

Saar Twito, Founder & SEO Engineer · 7 min read

Hi, I'm Saar - a software engineer, SEO specialist, and lecturer who loves building tools and teaching tech.

What Is HTTPS?

HTTPS is HTTP transmitted over a TLS (Transport Layer Security) connection. It does three things at once: it encrypts traffic between the browser and the server, authenticates the server's identity through a certificate, and guarantees the integrity of the data so an attacker on the network cannot tamper with the response without detection.

Since 2014 Google has confirmed HTTPS as a ranking signal, and since July 2018 Chrome marks every plain HTTP page as "Not Secure" in the address bar. HTTPS is also a hard prerequisite for HTTP/2, HTTP/3, service workers, the Geolocation API, the Clipboard API, push notifications, and getUserMedia.

Key Facts (TL;DR)

  • Definition: HTTPS = HTTP over TLS 1.2 or TLS 1.3 (RFC 8446 for TLS 1.3).
  • Ranking signal: Confirmed by Google Search Central in August 2014.
  • Browser warnings: Chrome marks HTTP as "Not Secure" since v68 (July 2018); Firefox and Safari do the same.
  • Modern APIs: Service workers, push notifications, geolocation, getUserMedia, clipboard, and HTTP/2 require a secure context (HTTPS or localhost).
  • Cost: Free certificates from Let's Encrypt (90-day validity, auto-renewable) since 2015.
  • Enforcement: The HSTS header (Strict-Transport-Security) tells browsers to refuse plain HTTP for the domain.

TLS Versions: What to Enable and Disable

Not every TLS version is safe. SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 have known vulnerabilities (POODLE, BEAST) and were deprecated by the IETF in RFC 8996 (March 2021). All major browsers removed TLS 1.0/1.1 support in 2020.

Protocol      | Year            | Status                     | Action
--------------|-----------------|----------------------------|--------
SSL 2.0 / 3.0 | 1995 / 1996     | Insecure (POODLE)          | Disable
TLS 1.0       | 1999            | Deprecated (RFC 8996)      | Disable
TLS 1.1       | 2006            | Deprecated (RFC 8996)      | Disable
TLS 1.2       | 2008            | Secure with strong ciphers | Enable
TLS 1.3       | 2018 (RFC 8446) | Recommended                | Enable

How to Get and Install a Certificate

For most sites, the easiest path is Let's Encrypt with the Certbot ACME client. The certificate is free, valid for 90 days, and renews automatically.

# Install and obtain a cert with Certbot (Nginx)
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d example.com -d www.example.com

# Certbot installs a cron/systemd timer that runs:
sudo certbot renew --quiet

On managed platforms, certificates are handled for you: most edge runtimes and CDN providers provision them automatically, often with one-click universal SSL.

Enforce HTTPS With HSTS

Once HTTPS works, send the Strict-Transport-Security header so browsers never attempt plain HTTP again. After the first secure visit, the browser will upgrade every subsequent request to HTTPS automatically — even if the user types http://.

# Recommended HSTS header
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Submit the domain to hstspreload.org to get baked into browser source code so the very first visit is also protected.
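Before submitting to hstspreload.org it is worth checking the header you actually send. The following is an added example, not code from the article: it parses a Strict-Transport-Security value using the RFC 6797 directive syntax and reports why it would not be preload-ready (the one-year minimum max-age is taken from hstspreload.org's published requirements; the function names are this example's own).

```python
import re

# hstspreload.org requires max-age of at least one year (31536000 seconds).
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value into {directive: value}.

    RFC 6797: directives are ';'-separated, names are case-insensitive,
    and a directive that appears twice makes the whole header invalid.
    """
    directives = {}
    for token in header.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age="300" is legal quoted-string form
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    return directives


def hsts_problems(header: str) -> list:
    """Return the reasons the header is not preload-ready; an empty list means it is."""
    try:
        d = parse_hsts(header)
    except ValueError as err:
        return [str(err)]
    problems = []
    if "max-age" not in d:
        problems.append("max-age is required")
    elif not re.fullmatch(r"\d+", d["max-age"]):
        problems.append("max-age must be a non-negative integer")
    elif int(d["max-age"]) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {d['max-age']} is below one year ({PRELOAD_MIN_MAX_AGE})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains is missing")
    if "preload" not in d:
        problems.append("preload token is missing")
    return problems


if __name__ == "__main__":
    # The header recommended above passes; a short, bare max-age does not.
    for h in ("max-age=63072000; includeSubDomains; preload", "max-age=300"):
        print(repr(h), "->", hsts_problems(h) or "preload-ready")
```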

The 5 Mistakes That Break HTTPS

1. Mixed content

An HTTPS page that loads a script, iframe, or stylesheet over HTTP. Modern browsers block active mixed content outright.

<!-- Bad: http:// triggers mixed-content blocking -->
<script src="http://cdn.example.com/lib.js"></script>

<!-- Good: explicit https (a protocol-relative //cdn.example.com/lib.js also inherits https) -->
<script src="https://cdn.example.com/lib.js"></script>

2. Using a 302 instead of a 301 to upgrade HTTP

302 is temporary; search engines may not consolidate authority. Use 301 permanent redirects from HTTP to HTTPS. See the companion guide on how to redirect HTTP to HTTPS.

3. Letting the certificate expire

An expired cert produces a full-page browser interstitial. Automate renewal — never rely on calendar reminders.

4. Leaving TLS 1.0/1.1 enabled

Old protocols open the door to downgrade attacks. Restrict the server to TLS 1.2 + TLS 1.3.

5. Forgetting subdomains

If www.example.com has a cert but example.com does not, half your visitors hit a warning. Issue a cert covering both, or a wildcard.

How to Test Your HTTPS Setup

  • SSL Labs Server Test (ssllabs.com/ssltest) — grades your TLS configuration A+ to F and lists every weakness.
  • Mozilla Observatory — checks HSTS, headers, and TLS together.
  • Chrome DevTools → Security panel — shows certificate, protocol, and any mixed-content errors on the current page.
  • Why No Padlock (whynopadlock.com) — pinpoints the resource breaking your green lock.
  • curl -vI https://example.com — quickest way to see the cert chain and response headers from the command line.

FAQ

Is HTTPS still a Google ranking factor in 2026?

Yes. Google has not retracted the 2014 announcement, and HTTPS remains a tie-breaker signal. More importantly, Chrome's "Not Secure" warning hurts trust and conversion before SEO ever enters the picture.

Do I need a paid certificate or is Let's Encrypt enough?

For nearly every website, Let's Encrypt is enough. Browsers do not differentiate between free DV certs and paid DV certs. EV certificates no longer show the company name in the address bar, so the upsell is gone.

Does HTTPS slow down my site?

No. TLS 1.3 has a 1-RTT handshake (0-RTT for resumption), and HTTPS unlocks HTTP/2 and HTTP/3, which usually make pages faster than plain HTTP/1.1. See why you should use HTTP/2.

What is mixed content and why does it matter?

It is when an HTTPS page loads sub-resources over HTTP. Active mixed content (scripts, iframes) is blocked by all modern browsers. Passive mixed content (images) shows a warning.
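The mixed-content rules from mistake #1 and this answer can be checked offline before a page ships. This is an added example, not the article's own tooling: it walks a page's HTML with the standard-library parser, flags sub-resources requested over http://, and classifies them as active (blocked) or passive (warning only). The tag/attribute tables are a simplified reading of the W3C Mixed Content rules, and the sample page is constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Sub-resource attributes and how browsers treat them when fetched over http://
# from an https:// page (simplified): active content is blocked outright,
# passive content loads but the padlock is downgraded to a warning.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collect (kind, tag, url) for every sub-resource requested over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only <link rel="stylesheet"> fetches something the page applies;
        # canonical/alternate links are metadata and are never fetched.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        for name, value in attrs.items():
            if not value:
                continue
            if (tag, name) in ACTIVE:
                kind = "active"
            elif (tag, name) in PASSIVE:
                kind = "passive"
            else:
                continue
            # https:// and protocol-relative (//host/...) URLs are fine; only http:// counts.
            if urlsplit(value.strip()).scheme.lower() == "http":
                self.findings.append((kind, tag, value))


def find_mixed_content(html: str) -> list:
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (not a real site): one blocked stylesheet, one blocked
# script, one passive image, plus safe https://, //, and canonical references.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://example.com/">
<script src="https://cdn.example.com/lib.js"></script>
<script src="http://cdn.example.com/analytics.js"></script>
</head><body>
<img src="http://images.example.com/hero.jpg">
<img src="//images.example.com/logo.png">
<iframe src="https://player.example.com/v/1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"{kind:7} <{tag}> {url}")
```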

How long is a Let's Encrypt certificate valid?

90 days. The short lifetime is intentional — it forces automation and limits exposure if a key is compromised. Certbot renews unattended.

What does HSTS preloading do?

It hard-codes your domain into browser source code as HTTPS-only, so even the very first visit cannot be downgraded. You apply at hstspreload.org once your header is correct.

Do I need HTTPS on a brochure site with no logins?

Yes. Browsers warn users regardless of content, ISPs inject ads into HTTP responses, and HTTP/2/3 require it. There is no legitimate reason to ship plain HTTP in 2026.

Does this affect AI search engines like ChatGPT and Perplexity?

Yes. AI crawlers (GPTBot, ChatGPT-User, PerplexityBot, ClaudeBot) preferentially fetch HTTPS pages and treat plain-HTTP responses as low-trust sources. When Chrome marks your site as "Not Secure," users bounce — and Google's AI Overviews tend to avoid citing pages with security warnings or mixed-content issues. Serving every page over HTTPS is the bare minimum for being eligible to appear in answers from ChatGPT, Perplexity, Claude, and Google AI Overviews.

Conclusion

HTTPS is the non-negotiable baseline for every website: it encrypts traffic, authenticates the server, unlocks modern browser features, and prevents the "Not Secure" warning that destroys user trust. With Let's Encrypt, automated renewal, and HSTS, there is no longer a technical or financial excuse to run plain HTTP in 2026. Run a Greadme deep scan to surface any HTTP-only resources, mixed-content warnings, or expired-certificate problems across your site.