It's Black Friday! Try hosting.com's Managed WordPress Hosting for just $1

Table of Contents

Office Hours Q&A: Why you still see "Site is Not Safe"
Written on by Konstantin Kolarov
Updated on
Estimated read time 5 minutes
Office HoursSecurity & SSL

Office Hours Q&A: Why you still see "Site is Not Safe"

Although it is rare nowadays, your browser may occasionally notify you that a site is not safe to view. The message looks something like this: "The connection to http://example.com is not secure." In such cases, it's usually best not to proceed to the website.

However, has it ever happened on a site that you own and you know should be secured? That is a question one of our wonderful viewers raised during the November 6, 2025, Office Hours livestream. In this blog post, we'll discuss it further and look at some solutions.

Why is my site still "Not Safe" even with HTTPS and Cloudflare?

During the livestream, a viewer asked why their site sometimes loads via HTTP and was therefore deemed "Not safe" by their browser. They elaborated that the site does have an SSL certificate installed (it's capable of HTTPS) and uses Cloudflare (with Always use HTTPS enabled).

Finally, the warning only appears on the first load, and after continuing to the site, it loads via HTTPS. It also happens on other unrelated sites. To sum up, this is what we know:

  • This happens only when the site loads for the first time.

  • An HTTP warning appears, but the page then loads via HTTPS.

  • It also occurs on other websites.

  • There is no VPN involved.

That can happen due to many different, but common reasons. While we don't know the exact setup our viewer is using, we can make a few educated guesses about what the issue might be.

The primary suspects

When a site doesn't load securely (via HTTPS), it's usually due to a missing SSL certificate. However, as you saw above, it has one, and there are also a few finer details that make this issue a bit more complex.

However, those details also help clarify the situation and help narrow down the cause of the issue. There are three main reasons this might be happening.

  1. No HSTS.

  2. Outdated device/browser certificates.

  3. Local antivirus/firewall is interfering with HTTPS.

Let's elaborate on each of them.

HTTP Strict Transport Security (HSTS) is not active

After learning that the warning appears only at first load, our initial thought was that the site (or all the unrelated sites) doesn't have HSTS enabled, which forces browsers to always connect to a website via HTTPS.

However, if HSTS is not enabled, the browser's first attempt may be HTTP, even if the site has an SSL certificate. When you proceed to the site, though, the browser will remember that a secure connection is possible, which is why it doesn't happen on consecutive loads.

To learn more about how to enable HSTS on an Apache/Litespeed server (which our hosting services use), check out our article on the topic. You can also do it from Cloudflare. Simply log in, select your website, then go to SSL/TLS > Edge Certificates, and you'll see the option to enable HSTS.

Device or browser issues

Because this issue occurs on multiple, unrelated sites, the culprit might be the device trying to access them, since that’s the common denominator here.

There are two likely reasons for this behavior, both related to the site not being updated. Here's what we mean.

  1. A few years ago, Let's Encrypt (one of the most trusted and used Certificate Authorities) retired its old root certificate. That caused older operating systems, such as early versions of Windows 7, to lack access to the modern root certificate. Since they don't recognise the new one, they flag it as potentially unsafe.

  2. On the other hand, stale system or browser certificate stores can also cause such a mismatch. If a device hasn't been updated in a long time, it won't have the newest trusted Certificate Authorities. The result? HTTP warnings like like the one referenced during Office Hours.

Our recommendation here is straightforward. Try accessing the affected website from an up-to-date device and see if the result is the same.

Antivirus or firewall issues

Our final major guess is that the user's security program or firewall could be interfering with the connection. Security software often offers a feature that scans HTTPS traffic for any malicious data.

However, if your antivirus software or firewall rules are outdated, corrupted, installed incorrectly, or conflicting with another similar program, you may see the ‘Connection is not secure’ warning in your browser.

The easiest way to test this is to temporarily disable the HTTPS scanning feature (or the entire program altogether) and try again.

A few more things to check

We want to mention a few additional factors that can cause an HTTP warning to appear in your browser. While not likely causes for our viewer's specific situation, they are still something to keep in mind when troubleshooting.

  • Cloudflare SSL mode mismatch: Unless there is a good reason not to, your Cloudflare SSL Encryption mode should always be set to Full (Strict). However, if it was ever set to Flexible, your browser may be remembering that instead.

  • Origin misconfigured: Even if your Cloudflare is set to Full (Strict), you'll see the warning if the origin certificate (the one on your website's server) is misconfigured. That includes cases where it has expired, is missing a hostname, or is self-signed. Full (Strict) requires a valid, non-expired SSL certificate that covers the correct hostname (domain name).

  • Mixed content: Had we not had any of the details provided by the viewer, this would have been our first guess. Even if your site is set to load via HTTPS, if any of the resources on the page load via HTTP, then you will see the browser warning. Check the console in your browser for any Mixed Content errors, and ensure all linked resources load over HTTPS.

  • Incorrect redirects: Finally, if you are using redirects on your website, and they are not configured correctly, the browser may get a non-secure response during these redirects. As you can imagine, it will display a warning when that happens. Check your redirects to ensure they direct traffic to the intended destination.

And even if none of these four are the culprit here, it's still a good idea to keep an eye out for them in general.

We do have one final suggestion that's always great to remember: it might all be a caching issue. Simply hard refresh the page (Ctrl+f5 on Chrome), or try accessing it from a different browser, device, or network if possible. You could also use incognito mode and/or purge the Cloudflare cache.

Final thoughts

With the clues our viewer provided, the most likely culprits are disabled HSTS, an outdated device or browser, or a firewall/antivirus program interfering with the connection.

If you ever encounter a warning like “Your connection to this site is not secure” on your website hosted with us and you’d like a hand troubleshooting, please don't hesitate to contact our support team. They are available at any time of the day, any day of the week, and are always ready to assist.
And if you have a similar question, or any question regarding running an agency, a tricky client issue, or hosting, register for Office Hours and have it answered live.

Konstantin is a content writer for hosting.com with a strong foundation in web hosting and tech support. After several years of dedicated customer assistance, helping websites stay online and secure, he now brings clarity and creativity to the complex world of digital infrastructure. His writing combines real-world technical knowledge with a knack for making complex topics accessible.

View more posts by Konstantin Kolarov