HTTPS on your site

MetricSpot checks that your site is served over HTTPS. Sites without it are flagged 'Not secure' in browsers and lose ranking weight in Google.

What this check does

Loads your page and confirms it was served over https:// rather than http://. If your site only answers on HTTP, or if HTTPS is misconfigured, this check fails.

Why it matters

HTTPS is a baseline browser requirement, not an optimization. Three direct consequences when it’s missing:

  • Browsers warn users. Chrome, Firefox, Safari, and Edge all show a “Not secure” indicator on HTTP pages with input fields. Form submissions display a full-page warning. Many visitors leave instead of clicking through.
  • Google uses HTTPS as a lightweight ranking signal and has done so since 2014. AI crawlers (ChatGPT, Perplexity, Google AI Overviews) treat non-HTTPS sites as lower trust and may skip them.
  • No HTTP/2 or HTTP/3. Both protocols require TLS in practice, which means HTTP-only sites also lose the page-speed gains modern HTTP versions provide.

How to fix it

Issue a free certificate from Let’s Encrypt and configure your web server to serve https:// for every URL.

nginx with Certbot:

sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Certbot edits your nginx config, installs the certificate, and sets up auto-renewal via a systemd timer.

Caddy auto-provisions HTTPS — a one-line yourdomain.com { reverse_proxy ... } block in Caddyfile is enough.

Behind Cloudflare, switch SSL/TLS mode to Full (strict) and enable Always Use HTTPS under SSL/TLS → Edge Certificates. Cloudflare handles the certificate end-to-end.

After certificates are live, also fix HTTP-to-HTTPS redirects and HSTS — they pair with this check.

Frequently asked questions

Does HTTPS actually affect SEO rankings?

Yes, but it’s a tiebreaker, not a major factor. Google has been explicit since 2014 that HTTPS is a positive ranking signal. The bigger SEO cost is indirect: HTTP sites get higher bounce rates because of browser warnings.

Do I need to pay for a certificate?

No. Let’s Encrypt issues free 90-day certificates that auto-renew. Paid certificates (DigiCert, GoDaddy, etc.) offer warranties and extended-validation green-bar branding, but Google does not treat them as superior to Let’s Encrypt for ranking.

What about mixed content warnings?

If your HTTPS page loads any resource (image, script, CSS) over HTTP, browsers either block it or downgrade the lock icon. Search your codebase for http:// and replace each match with https:// or a protocol-relative // URL. Modern browsers auto-upgrade most mixed-content images to HTTPS, but scripts and iframes are blocked outright.
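A plain text search for http:// also matches ordinary links and canonical tags, which are not mixed content. The sketch below is an added example, not MetricSpot's own code: it parses the HTML and reports only http:// subresource loads. Treating stylesheets as blocked and audio/video as auto-upgraded follows the W3C Mixed Content specification rather than this page, and the sample markup and hostnames are constructed.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that load a subresource, grouped by how browsers
# treat them when the URL is http:// on an HTTPS page.
BLOCKED = {("script", "src"), ("iframe", "src"), ("link", "href")}
UPGRADED = {("img", "src"), ("audio", "src"), ("video", "src")}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url, verdict)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr, value in attrs.items():
            if not value or not value.strip().lower().startswith("http://"):
                continue  # https://, //host/path and relative URLs are fine
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue  # rel=canonical etc. names a URL but loads nothing
            if (tag, attr) in BLOCKED:
                verdict = "blocked"
            elif (tag, attr) in UPGRADED:
                verdict = "auto-upgraded"
            else:
                continue  # e.g. <a href>: navigation, not mixed content
            self.findings.append((self.getpos()[0], tag, value.strip(), verdict))

def scan(html):
    """Return every http:// subresource reference found in one HTML document."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page, not taken from any real site.
SAMPLE = """<html><head>
<link rel="canonical" href="http://example.test/">
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="http://cdn.example.test/app.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<img src="//img.example.test/banner.png">
<a href="http://example.test/about">About</a>
<iframe src="https://video.example.test/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url, verdict in scan(SAMPLE):
        print(f"line {line}: <{tag}> {url} -> {verdict}")
```

Fix the "blocked" findings first, since those resources never load on the HTTPS page; "auto-upgraded" ones only work if the same URL also answers over HTTPS.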

Last updated 2026-05-11