transport-no-tls-at-all
Site is served without HTTPS
Your site is reachable only over plain HTTP. Every visitor's connection — login forms, form submissions, page contents — crosses the network in clear text where it can be read or altered.
What this means in plain English
Modern websites are normally served over HTTPS — the protocol behind the small lock icon next to the address. HTTPS encrypts the connection between your visitor’s browser and your server, so nobody on the network in between can read or change what’s transmitted.
Your site is reachable only over plain HTTP, the older protocol without that protection. Every page, every form, every login crosses the network in clear text. Browsers display “Not secure” in the address bar and warn users when they try to enter information.
Why it matters to your business
Without HTTPS, anyone with network access between your visitor and your server — a hostile public Wi-Fi, an internet provider, a corporate proxy, an attacker on a local network — can:
- Read everything. Including any password, contact-form message, search query, payment detail, or admin panel that loads.
- Change what your visitor sees. Inject malicious scripts, replace download links with infected files, redirect logins to a fake version of your site, swap prices on an e-commerce page, insert unwanted advertising. This has happened repeatedly on airport and hotel Wi-Fi networks for ad revenue alone.
- Steal session cookies and impersonate any logged-in user. Once the cookie is captured, the attacker doesn’t need a password — they just hold the session.
There’s no compensating control that helps. The only fix is real HTTPS at the connection level.
Plain HTTP also costs you search ranking and browser trust: Google has used HTTPS as a ranking signal since 2014, and Chrome has marked HTTP-only sites as “Not secure” since 2018.
How to fix it
For a public website, switching to HTTPS is essentially free and largely automated. Whoever runs your hosting can do this:
- Get a TLS certificate from Let’s Encrypt — most hosting platforms (Netlify, Vercel, Cloudflare, IONOS, STRATO, Hetzner Cloud, AWS, Azure) offer one-click issuance from their control panel.
- Make sure both your apex domain and www version load over HTTPS with the same certificate.
- Redirect all plain HTTP to HTTPS so anyone arriving on the old URL goes straight to the secure version. The HTTP-redirect article covers this in detail.
- Enable HSTS so browsers refuse to use plain HTTP for your domain at all. See our HSTS article.
- Set up automatic renewal. Let’s Encrypt certificates last 90 days; the auto-renewal handles this without any human attention, but it’s worth confirming it’s switched on. Forgetting renewal is one of the more common ways a site becomes unreachable.
Once it’s all in place, run the free SSL Labs checker linked below: a properly configured server grades A or A+.
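The steps above as one nginx configuration, added here as an example and not part of the original article: the HTTP-only server block that triggers this finding, followed by the corrected pair of blocks with the redirect, one certificate covering apex and www, and HSTS. The domain name, web root, and certbot certificate paths are assumptions; adjust them for your host.

```nginx
# Added example, not from the original article.
# Assumed: domain example.com with a www alias, certificate issued by
# Let's Encrypt via certbot, stored at certbot's default path.

# BEFORE: the finding. Everything is served in clear text on port 80.
# server {
#     listen 80;
#     server_name example.com www.example.com;
#     root /var/www/example;
# }

# AFTER: port 80 only redirects; content is served exclusively over TLS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Keep the ACME challenge path reachable over HTTP so automatic
    # renewal keeps working after the redirect is in place.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # Permanent redirect that preserves host and path, so old links,
    # bookmarks and search results land on the secure version.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;
    root /var/www/example;

    # One certificate covering both names
    # (issued with: certbot -d example.com -d www.example.com).
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Protocol floor; the Mozilla generator linked below supplies a
    # complete cipher policy matched to your nginx and OpenSSL versions.
    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS: browsers refuse plain HTTP for this domain for one year.
    # Start with a short max-age (e.g. 300) while testing, and add
    # includeSubDomains only once every subdomain also serves HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;
}
```

Reload nginx after `nginx -t` passes, then confirm that both `http://example.com/` and `http://www.example.com/` answer with a 301 to the HTTPS URL before raising the HSTS max-age.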
Further reading
- Let’s Encrypt — getting started — the most-used free certificate authority.
- SSL Labs server test — full grading of your HTTPS setup.
- Mozilla SSL Configuration Generator — produces server configuration for nginx, Apache, Caddy, and others.
- BSI guidance on TLS (German federal cybersecurity agency)