Not Secure Website Fixes in Canada: My Website says Not Secure
December 24, 2025
Neha Ghauri | Reviewed by Haseeb Hamdani
If you open your business site and see a “Not Secure” label beside the web address, you’re not alone. Browser makers such as Google and Mozilla have pushed for encrypted connections for years, and modern versions of Chrome now mark every HTTP page as “Not secure”. That warning scares away visitors, undermines customer trust, and can even hurt your search engine rankings. In a country where e‑commerce continues to grow across provinces, from Halifax to Vancouver, no Canadian business can afford to ignore website security.
This comprehensive guide explains what the “Not Secure” warning means, why it appears, and, most importantly, how to fix it.
Understanding the “Not Secure” Warning
What a Not Secure Website Means
When a browser shows “Not secure” next to a web address, it is warning you that the connection isn’t encrypted. HTTP websites aren’t secure because they transmit data in plain text. Attackers on the network can eavesdrop on login credentials, credit‑card numbers or contact forms. Google’s support page states that the Info or Not secure icon means a site doesn’t use a private connection and a third party may view or change the information you send and receive. Chrome will even show a red warning if the page is considered dangerous.
By contrast, HTTPS websites are secure. HTTPS stands for Hypertext Transfer Protocol Secure, which is simply HTTP combined with encryption via the SSL/TLS protocol. Encryption scrambles data using keys so that only the intended recipient can read it. Modern browsers display a padlock icon for HTTPS pages and may refuse to load sites that lack encryption. HTTPS uses asymmetric encryption: public keys to encrypt messages and a private key on the server to decrypt them. This prevents anyone watching the traffic from seeing passwords or payment information. Without HTTPS, attackers can sniff traffic, inject unwanted ads or malware and perform “man‑in‑the‑middle” attacks.
Why Browsers Show “Not Secure”
Historically, browsers only required encryption on pages that handled credit‑card transactions. However, because unencrypted pages are vulnerable, Chrome announced in 2018 that it would mark all HTTP sites as “Not secure”. The goal is to make encryption the default.
Google provides tools like Lighthouse to find mixed content (resources loaded over HTTP) and encourages developers to migrate entire sites to HTTPS. As a result, seeing “Not secure” means the page is served over HTTP or contains insecure elements such as images, scripts or stylesheets loaded through HTTP. Other causes include expired or misconfigured SSL certificates, incorrect domain settings or outdated browsers.
Why Securing Your Website Matters in Canada
Protecting Customer Data and Privacy
Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial privacy laws require businesses to safeguard personal information. When a site is marked “Not Secure,” any data transmitted (newsletter sign‑ups, contact forms or e‑commerce orders) can be intercepted.
Sectigo, a trusted certificate authority, warns that HTTP allows data transfer in plaintext and is susceptible to man‑in‑the‑middle attacks. HTTPS adds encryption and authentication, ensuring that the browser is communicating with the legitimate server. Without HTTPS, users risk having their data read or modified, which could lead to identity theft or fraud.
Maintaining Trust and SEO Rankings
Visitors often abandon sites that show the “Not secure” label. Google uses HTTPS as a ranking factor for search results. Sites without HTTPS may rank lower on search engine results pages (SERPs), hurting visibility. In Canada’s competitive digital landscape, where local businesses compete with national retailers, losing organic traffic can impact revenue.
Moreover, modern browser features such as push notifications, geolocation, web payments and progressive web apps require HTTPS. Without a secure connection you miss out on these technologies.
Complying With Government and Industry Requirements
Many Canadian industries must comply with specific security standards. For example:
- E‑commerce and Payment Card Industry (PCI DSS) regulations require merchants to use encrypted connections when handling cardholder data.
- Health‑care providers must protect patient data under provincial health privacy laws.
- Government agencies and contractors must follow the Directive on Security of Government Contracts, which mandates secure communication channels.
Failing to secure a website exposes your organization to fines, reputational damage and legal liability. Fortunately, the fix is straightforward once you understand the components.
How to Fix a Not Secure Website
Step 1: Obtain an SSL/TLS Certificate
An SSL certificate is a digital document issued by a Certificate Authority (CA). It binds a cryptographic key to your domain and company identity. When a browser connects to your website, the server presents its certificate as proof that it is who it claims to be. Without a certificate, the browser cannot establish a secure connection and will display the “Not secure” warning.
Types of certificates:
- DV (Domain Validation): Confirms that you control the domain. Suitable for small blogs or portfolios.
- OV (Organization Validation): Includes business verification. Recommended for companies that collect customer information.
- EV (Extended Validation): Provides the highest level of assurance, displaying your company name in the address bar. Ideal for banks or large e‑commerce sites.
- Wildcard and multi‑domain certificates: Cover many subdomains or multiple domain names.
Free vs Paid Certificates
The popular nonprofit Let’s Encrypt offers free DV certificates and has helped millions of websites migrate to HTTPS. Paid certificates from CAs such as Sectigo, DigiCert, GlobalSign or Canadian providers may include warranties, technical support and extended validation. The choice depends on your budget and the level of trust you need.
Step 2: Generate and Install the Certificate
Most hosting providers simplify certificate installation. Here’s a general process (it may vary slightly depending on your platform):
- Purchase or request a certificate from your CA or hosting provider.
- Generate a Certificate Signing Request (CSR) using your server’s control panel or command line. This step creates the public/private key pair and includes your domain information.
- Submit the CSR to the CA and complete domain/organization validation. Once approved, the CA will issue the certificate files.
- Install the certificate on your server. In many cPanel or Plesk environments you can upload the certificate and private key via the interface. For WordPress, you can use plugins like Really Simple SSL.
- Automate renewals. SSL certificates expire (often annually or after 90 days for Let’s Encrypt), so set up auto‑renewal or reminders.
Step 3: Update Your Website to Use HTTPS Everywhere
Installing a certificate is only the first step. You must ensure that all resources on your site load via HTTPS; otherwise, browsers will still show warnings for mixed content. Here are several tasks that help with the transition:
- Update internal and external links. Convert all site URLs (navigation menus, images, CSS, JavaScript) from http:// to https://. Many content management systems (CMS) have global search‑and‑replace tools.
- Redirect HTTP to HTTPS. Configure 301 redirects in your .htaccess (Apache), nginx.conf (Nginx) or server settings to send all HTTP traffic to HTTPS. This ensures users and search engines always land on the secure version.
- Update the XML sitemap and robots.txt. Google uses sitemaps as a roadmap of your site. Make sure the sitemap lists only HTTPS URLs, then submit it through Google Search Console.
- Set the preferred domain to HTTPS in Google Search Console. Verify both the HTTP and HTTPS versions of your domain, then select the secure version as canonical.
- Fix mixed content. Use developer tools or Lighthouse audits to find resources loaded over HTTP and update them. Browser errors will specify which files are insecure. Don’t forget fonts, analytics scripts and external APIs.
- Enable HSTS (HTTP Strict Transport Security). This response header tells browsers to always connect via HTTPS for a specified time. Adding HSTS reduces the risk of downgrade attacks.
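The mixed-content task above can be automated. The following Python scanner is an added example, not code from this article: it reads a page's HTML and lists every subresource still requested over http://, while skipping ordinary `<a>` links and protocol-relative URLs. The sample page and its host names are constructed placeholders.

```python
from html.parser import HTMLParser

# Tag -> URL attribute. "Active" loads can script or restyle the page; "passive" ones only display.
ACTIVE = {"script": "src", "iframe": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    """Collects (severity, tag, url) for every subresource requested over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "link":
            # Only rel="stylesheet" is treated as a load; rel="canonical" is never fetched.
            if "stylesheet" in a.get("rel", "").lower().split():
                self._check("active", tag, a.get("href", ""))
        elif tag in ACTIVE:
            self._check("active", tag, a.get(ACTIVE[tag], ""))
        elif tag in PASSIVE:
            self._check("passive", tag, a.get(PASSIVE[tag], ""))
        elif tag == "form":  # not a subresource, but its fields would be sent in plain text
            self._check("form", tag, a.get("action", ""))

    def _check(self, severity, tag, url):
        url = url.strip()
        if url.lower().startswith("http://"):
            self.findings.append((severity, tag, url))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page (placeholder hosts), as it would be served from an HTTPS site.
SAMPLE_PAGE = """<head>
<link rel="canonical" href="http://shop.example.ca/">
<link rel="stylesheet" href="http://cdn.example.net/theme.css">
<script src="HTTP://stats.example.net/track.js"></script>
</head><body><img src="http://shop.example.ca/logo.png"> <img src="//cdn.example.net/banner.png">
<a href="http://partner.example.org/">Partner</a>
<form action="http://shop.example.ca/subscribe" method="post"></form>
</body>"""

if __name__ == "__main__":
    print(*scan(SAMPLE_PAGE), sep="\n")
```

It only sees URLs present in the HTML itself; resources pulled in by CSS or JavaScript at run time still need the browser developer tools or a Lighthouse audit.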
Step 4: Verify and Test
After migration, test your website across browsers and devices. Here are some checks:
- Use SSL checking tools such as Qualys SSL Labs to ensure your certificate chain is valid.
- Open pages in Chrome, Firefox and Safari to verify that the padlock appears and no mixed content warnings show.
- Test forms, shopping carts and third‑party integrations (payment gateways, booking systems) to ensure they still work under HTTPS.
- Monitor site analytics to ensure traffic doesn’t drop because of broken links or misconfigured redirects.
Maintaining a secure website is an ongoing process. Schedule regular audits and renewals to ensure the “Not secure” warning never returns.
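A redirect and HSTS check that can be part of those audits, as an added example that is not code from this article: it takes a recorded redirect chain and reports a non-301 entry redirect, a first hop that does not reach https://, a host change during the upgrade, and a missing or short-lived HSTS header. The one-year minimum, the captured chains and the host names are assumptions made for the example.

```python
from urllib.parse import urlsplit

MIN_HSTS_AGE = 31536000  # assumption for this example: one year, in seconds

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            max_age = int(arg.strip('"'))
        elif name.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit_chain(hops):
    """hops: list of (url, status, headers) recorded while following redirects."""
    problems = []
    url, status, headers = hops[0]
    if urlsplit(url).scheme == "http":
        target = urlsplit(headers.get("location", ""))
        if status != 301:
            problems.append(f"HTTP entry point answers {status}, not 301")
        if target.scheme != "https":
            problems.append("first redirect does not go to https://")
        elif target.hostname != urlsplit(url).hostname:
            problems.append("upgrade redirect changes host; original host never sets HSTS")
    final_url, _, final_headers = hops[-1]
    hsts = final_headers.get("strict-transport-security")
    if urlsplit(final_url).scheme != "https":
        problems.append("chain ends on plain HTTP")
    elif hsts is None:
        problems.append("final HTTPS response has no Strict-Transport-Security header")
    else:
        max_age, _ = parse_hsts(hsts)
        if max_age is None or max_age < MIN_HSTS_AGE:
            problems.append(f"HSTS max-age {max_age} is below {MIN_HSTS_AGE}")
    return problems

# Constructed captures (placeholder host); header names are lower-cased.
GOOD = [("http://shop.example.ca/", 301, {"location": "https://shop.example.ca/"}),
        ("https://shop.example.ca/", 200, {"strict-transport-security": "max-age=31536000; includeSubDomains"})]
WEAK = [("http://shop.example.ca/", 302, {"location": "http://www.shop.example.ca/"}),
        ("http://www.shop.example.ca/", 301, {"location": "https://www.shop.example.ca/"}),
        ("https://www.shop.example.ca/", 200, {"strict-transport-security": "max-age=300"})]

if __name__ == "__main__":
    for label, chain in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, audit_chain(chain))
```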
Choosing the Right SSL Provider for Canadian Businesses
Many Canadian businesses host their websites locally to comply with data‑sovereignty requirements. When selecting an SSL provider, consider the following factors:
- Canadian data centers. Look for providers with servers in major cities like Toronto, Vancouver or Montréal. Local infrastructure reduces latency and may comply with provincial regulations.
- Support hours. Choose a provider that offers support during Canadian business hours and in English and French.
- Compatibility. Ensure the certificate is compatible with your hosting environment; some providers offer integrated solutions for cPanel, WordPress or Shopify.
- Warranty and liability. Paid certificates often come with warranties to cover losses if encryption fails. Consider whether your business requires that extra assurance.
Beyond HTTPS: Additional Website Security Measures
Regular Software Updates
Keeping your CMS, plugins and server software updated is critical. Updates patch vulnerabilities that hackers exploit. Enable automatic updates or use a managed hosting service that handles updates for you.
Strong Passwords and Multi‑Factor Authentication
Use unique, complex passwords for your admin accounts. Enable multi‑factor authentication (MFA) to add an extra layer of protection. Many Canadian web hosts provide built-in MFA options.
Secure Hosting and Backups
Choose a reputable host that offers firewalls, intrusion detection and daily backups. Backups allow you to recover from hacks or server failures without losing data.
Web Application Firewalls (WAF)
A WAF monitors traffic and blocks malicious requests such as SQL injections or cross‑site scripting. Providers like Cloudflare, Sucuri and AWS Shield offer WAF services that integrate with Canadian servers.
Monitor for Malware
Use security scanners to detect malware or vulnerabilities. Tools such as Wordfence (for WordPress), Sucuri SiteCheck or Jetpack Scan can alert you when something is amiss.
Content Security Policy (CSP)
CSP is a browser header that restricts which domains can load scripts, images or other resources on your site. Implementing CSP reduces the risk of cross‑site scripting and data exfiltration.
Regular Audits and Penetration Testing
Schedule periodic security audits with a qualified professional. Penetration testing simulates real‑world attacks to identify weaknesses. Many Canadian cybersecurity firms specialize in audits compliant with local regulations.
Seasonal Considerations and Local Context
High‑Traffic Seasons in Canada
Canadian e‑commerce experiences seasonal peaks during Boxing Day, Black Friday, Canada Day and holiday sales. A “Not secure” warning during these periods can result in lost revenue and reputational damage. Plan certificate renewals and site upgrades well before busy seasons. Use the slower summer months to test changes.
Regional Domain Extensions and Local SEO
If your business serves specific provinces (say, a ski resort in Banff or a boutique in Toronto), you can use regional domains like .ca, .qc.ca or .bc.ca. Search engines favour local domains when users search within Canada. However, even these domains need SSL certificates. Many local registrars bundle certificates when you register a .ca domain.
PIPEDA and Provincial Laws
Under PIPEDA, organizations must implement reasonable security safeguards. Some provinces, such as British Columbia, Alberta and Québec, have additional privacy laws. Ensure your privacy policy and terms reflect how you protect customer data through encryption and secure storage.
Quick FAQs
Why is my website still showing “Not Secure” after installing SSL?
Even after installing a certificate, mixed content may remain. Check that all resources (images, CSS, JavaScript, fonts) load via HTTPS. Use browser developer tools or the Lighthouse mixed-content audit to locate insecure elements.
What happens if my SSL certificate expires?
When an SSL certificate expires, browsers no longer trust it. Visitors will see warnings, and some browsers may block access entirely. To avoid downtime, set reminders to renew certificates before they expire or enable auto‑renewal through your provider.
Can I get an SSL certificate for free?
Yes. Let’s Encrypt provides free Domain Validation certificates. Many Canadian hosting companies integrate Let’s Encrypt for one‑click installations. Free certificates offer encryption but may lack warranties or business validation. Paid certificates add features like extended validation and support.
Will using HTTPS slow down my site?
Technically, HTTPS involves an additional handshake and encryption overhead. However, modern servers and browsers handle SSL efficiently. Sectigo notes that while HTTP lacks authentication and may seem faster, the handshake overhead of HTTPS is minimal and often unnoticeable. HTTP/2 and TLS 1.3 even improve performance over HTTP. A secure site also enables features like HTTP/2 and QUIC, which can speed up load times.
Is HTTPS enough to secure my website?
No. HTTPS protects data in transit and verifies the server’s identity. However, you must also secure your server, application and data at rest. Implement strong passwords, update software regularly, use a WAF, back up your site and follow other best practices described above.
Disclaimer: The information provided in this blog is for general informational purposes only. For professional assistance and advice, please contact experts.
About Author
Neha Ghauri
Neha Ghauri, a graduate, has seven years of experience in writing for the digital marketing, finance, and business industries. She specializes in SEO-driven...







