How to force the SSL / HTTPS version of your website
Ideally, your website will load with a padlock in the address bar.
However, depending on how your website and SSL are configured, you may see one of several alternate icons instead.
This guide will take you through making sure your website loads securely.
Using HTTPS, or forcing SSL
If you have already added an SSL certificate to your domain, you can force all visits to your site to use HTTPS to ensure your traffic is secured. The easiest way to do this is to add a redirect from 'http://yourdomain.net.au' to 'https://yourdomain.net.au' whenever someone loads your page.
There are several different ways to do this depending on the CMS you're using, but the most universal are below:
Forcing HTTPS in WordPress
Forcing HTTPS in Joomla
Adding a redirect manually to your .htaccess file.
Note: You can learn how to access your .htaccess file here.
To force visitors to your website to use the SSL (HTTPS) version, add this code to the top of your .htaccess file:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
To force visitors to your site to use the non-SSL (HTTP) version, add this code to the top of your .htaccess file:
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
You can use the tool Redirect Detective to test whether your redirect has been added successfully.
Removing Mixed Content
If you already have an SSL Certificate and are using HTTPS but still get this message, your website may have Mixed Content. This is where the website itself is using HTTPS, but loads images or other resources using non-HTTPS links. Because not all of the site loads securely, browsers will not mark it as fully secure.
To resolve this, use Why No Padlock or Missing Padlock to check what parts of your site are loading insecurely. You can then contact your web developer to manually update the links to use HTTPS.
Installing a valid SSL
If the certificate on your site is not valid, you will get a red "Not Secure" warning, as well as an error on the page with more information. If you click on Advanced you will get more information on the error. A few of the more common errors are included below.
NET::ERR_CERT_DATE_INVALID
This server could not prove that it is yourdomain.net.au; its security certificate expired 318 days ago.
>> As the message says, the certificate has expired. To resolve this, contact your SSL provider and renew the certificate. We have a guide on this here.
NET::ERR_CERT_AUTHORITY_INVALID
This server could not prove that it is yourdomain.net.au; its security certificate is not trusted by your computer's operating system.
>> This message indicates the certificate was not issued by a Certificate Signing Authority, and may be a self-signed certificate. To resolve this, you will need to install a valid and trusted certificate on the site. You can find information on our offerings here.
NET::ERR_CERT_COMMON_NAME_INVALID
This server could not prove that it is yourdomain.net.au; its security certificate is from *.auserver.com.au
>> Your browser only found the server's certificate when looking for a certificate for your site. This indicates your site has no SSL Certificate. To resolve this, you will need to install a valid and trusted certificate on the site. You can find information on our offerings here.
For more information and tutorials on SSL Certificates, see our SSL Guide Repository.