Installing an SSL certificate is only the first step in securing a website. Even with a valid certificate, browsers may still display a “Not Secure” warning if visitors access the site using the insecure http:// protocol instead of https://. To resolve this, you must configure your server to automatically redirect all traffic to the secure version.
This guide explains why these warnings occur and how to force HTTPS redirects using cPanel, manual server configuration, and Cloudflare.
Browsers mark HTTP sites as "Not Secure" to warn users that the connection is not encrypted, which can negatively impact visitor trust and search engine rankings.
The "Not Secure" warning typically appears because the website does not have an SSL certificate installed, or the browser is loading the HTTP version of the site. Even if an SSL is installed, visitors might type http:// or follow an old link, landing them on the unencrypted version.
Another common cause is "mixed content." This happens when a secure HTTPS page loads specific resources—such as images, scripts, or embeds—over an insecure HTTP connection.
A single insecure image or script is enough to trigger a warning, even if the rest of the website is secure.
The easiest way to enforce security is through the cPanel interface. cPanel includes a built-in feature that updates the web server configuration automatically.
Navigate to the Domains interface in cPanel. Look for the option labeled Force HTTPS Redirection. Toggle the switch to "On". This directs the server to automatically redirect any visitor trying to access the insecure version to the secure HTTPS version.
This feature updates the account's user data files and the domain's virtual host configuration, removing the need for manual code edits.
If the cPanel toggle is unavailable, you can manually force a redirect by editing the .htaccess file in your website’s root directory (usually public_html).
Open the file using the cPanel File Manager and add the following code to the top of the file:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
This code checks if HTTPS is "off" and, if so, redirects the user to the HTTPS version using a 301 (Permanent) Redirect.
Incorrectly editing the .htaccess file can break your website. Ensure you access the correct file in the root directory and input the code exactly as shown.
If your site uses Cloudflare, you can handle redirects at the network edge without touching your server files.
Log in to the Cloudflare dashboard and navigate to the SSL/TLS app, then select Edge Certificates. Scroll down to the Always Use HTTPS setting and switch it to "On". This will redirect all visitor requests from http to https for all subdomains and hosts.
Ensure your SSL/TLS encryption mode is not set to "Off" before enabling this feature, or the option may not be visible.
For higher security, you can implement HTTP Strict Transport Security (HSTS). This mechanism allows a web server to declare that browsers should only interact with it using secure HTTPS connections, even if a user tries to access via HTTP.
HSTS helps prevent "man-in-the-middle" attacks and protocol downgrades. It is communicated via a specific header, Strict-Transport-Security, which specifies a time period during which the browser must refuse non-secure connections.
HSTS protection applies only after a user has visited the site at least once. Note also that if your certificate expires or becomes invalid, HSTS will prevent users from clicking through the warning to access your site.
Mixed Content: A scenario where a secure HTTPS page contains resources (like images or scripts) loaded over an insecure HTTP connection.
301 Redirect: A status code indicating that a page has moved permanently. This is the recommended method for SEO as it transfers ranking power to the HTTPS URL.
HSTS (HTTP Strict Transport Security): A policy that forces browsers to use HTTPS automatically, preventing access via HTTP entirely.
Installing an SSL certificate is not enough; you must force the browser to use it.
You can enforce HTTPS easily using the Force HTTPS Redirection toggle in cPanel, by adding a redirect rule to your .htaccess file, or by enabling Always Use HTTPS in Cloudflare. To fix "Not Secure" warnings fully, you must also ensure no mixed content (insecure images or scripts) remains on your pages.
A secure website communicates responsibility.