Does not use HTTPS

May 4, 2019 — Updated Apr 29, 2020
Appears in: Best Practices audits, PWA audits
On this page
  • How the Lighthouse HTTPS audit fails
  • How to migrate your site to HTTPS
  • Resources

All websites should be protected with HTTPS, even ones that don't handle sensitive data. HTTPS prevents intruders from tampering with or passively listening in on the communications between your site and your users.

A page can't qualify as a Progressive Web App (PWA) if it doesn't run on HTTPS; many core PWA technologies, such as service workers, require HTTPS.

For more information about why all sites should be protected with HTTPS, see Why HTTPS Matters.

How the Lighthouse HTTPS audit fails

Lighthouse flags pages that aren't on HTTPS:

[Image: Lighthouse audit showing page isn't on HTTPS]

Lighthouse waits for an event from the Chrome Remote Debugging Protocol indicating that the page is running on a secure connection. If the event isn't heard within 10 seconds, the audit fails.

In the Lighthouse report UI, the full PWA badge is given when you pass all of the audits in all of the PWA subcategories (Fast and reliable, Installable, and PWA optimized).

How to migrate your site to HTTPS

Consider hosting your site on a CDN. Most CDNs are secure by default.

To learn how to enable HTTPS on your servers, see Google's Enabling HTTPS on Your Servers. If you're running your own server and need a cheap and easy way to generate certificates, Let's Encrypt is a good option.

If your page is already running on HTTPS but you're failing this audit, you may have problems with mixed content. A page has mixed content when the page itself is loaded over HTTPS, but it requests an unprotected (HTTP) resource. Check out the following doc on the Chrome DevTools Security panel to learn how to debug these situations: Understand Security Issues With Chrome DevTools.
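
A static check for the mixed-content condition described above, as an added example (not code from the original article or from Lighthouse): it lists the subresources an HTTPS page would request over plain HTTP. The function names, element table and sample HTML are constructed for illustration, and the regex tag scan is an assumption standing in for a real HTML parser.

```javascript
// Added example: find subresources that an HTTPS page would request over plain HTTP.
// Element attributes that trigger a fetch when the page loads (illustrative table).
const FETCHING_ATTRS = {
  script: ['src'], img: ['src'], iframe: ['src'], audio: ['src'],
  video: ['src', 'poster'], source: ['src'], embed: ['src'], object: ['data'],
};
// <link> only fetches for some rel values; rel="canonical" is metadata, not a request.
const FETCHING_RELS = new Set(['stylesheet', 'icon', 'preload', 'modulepreload', 'manifest']);

// Read one attribute value (double-quoted, single-quoted or unquoted) from a tag string.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i'));
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function findMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // mixed content only exists on HTTPS pages
  const findings = [];
  for (const [tag, name] of html.matchAll(/<([a-z][a-z0-9]*)\b[^>]*>/gi)) {
    const el = name.toLowerCase();
    let attrs = FETCHING_ATTRS[el] || []; // <a href> is navigation, so it is not listed
    if (el === 'link') {
      const rels = (attr(tag, 'rel') || '').toLowerCase().split(/\s+/);
      attrs = rels.some((r) => FETCHING_RELS.has(r)) ? ['href'] : [];
    }
    for (const a of attrs) {
      const raw = attr(tag, a);
      if (raw === null) continue;
      let resolved;
      // Relative and protocol-relative (//host/path) URLs inherit the page's https scheme.
      try { resolved = new URL(raw, page); } catch { continue; }
      if (resolved.protocol === 'http:') findings.push({ element: el, url: resolved.href });
    }
  }
  return findings;
}

// Constructed sample markup; example.test hosts are placeholders.
const SAMPLE_HTML = `
<link rel="canonical" href="http://example.test/page">
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
<script src="//cdn.example.test/lib.js"></script>
<img src="http://img.example.test/logo.png">
<img src="/local/banner.png">
<a href="http://other.example.test/">plain link</a>`;
console.log(findMixedContent(SAMPLE_HTML, 'https://example.test/page'));
```

Requests made from scripts or CSS at runtime are not visible to a static scan like this, which is why the DevTools Security panel remains the authoritative check.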

Resources

  • Source code for Does not use HTTPS audit
  • Why You Should Always Use HTTPS
  • Enabling HTTPS on Your Servers
  • Understand Security Issues With Chrome DevTools
  • What Is Mixed Content?
  • Let's Encrypt