Why isn't my site secured?

Still not seeing your fully secured domain in the browser after successfully activating the DV SSL and setting up automatic redirection to the HTTPS protocol?
 
In such a case, some part of the website might be loaded over the unsecured HTTP protocol, such as images, JavaScript files, or others.
In browsers, you may see these security-related warnings:
 

Security Warning in Browsers

 

For the fully secure padlock to appear, all parts of the website must be loaded over the HTTPS protocol.
 
To determine which content or links are not being loaded over HTTPS, you can use various offline or online tools.
 
On the website https://www.whynopadlock.com/, you can enter your secure page into the "Secure Address" field and start the check with "Test Page":
 

Testing HTTPS on Why No Padlock

 
 
After completing the test, you will see information about the HTTPS and SSL certificate settings. Below this, you will see "Mixed Content - Errors" highlighted in red:
 

Test Results on Why No Padlock

 
 
The summary will show the parts of your website that are not loaded over HTTPS.

Based on these results, you can make the necessary changes in your website content.

Usually, it is enough to add the letter "s" to the HTTP protocol in the source code of the page or template, as shown below to fix the first error "Hard Failure":
 
Hard Failure:

        <script src="http://http.badssl.com/test/imported.js"></script>

        Fixed Error:

        <script src="https://http.badssl.com/test/imported.js"></script>
 

This issue can also be resolved using the HTTP header Content-Security-Policy: "upgrade-insecure-requests;". This header ensures that files are loaded over the HTTPS protocol, so it is no longer necessary to modify the website content.

You insert the header into the .htaccess file located in the root directory of the website (/www) on your FTP account. If the web hosting runs on a Linux server: 

Header set Content-Security-Policy: "upgrade-insecure-requests;"
For web hosting on Windows OS, insert the following content into the configuration file named web.config, also located in the root directory (/www): 

<?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <httpProtocol> <customHeaders> <add name="Content-Security-Policy" value="upgrade-insecure-requests" /> </customHeaders> </httpProtocol> </system.webServer> </configuration>
    

If you are linking to content outside of your website, that content must also be available via the HTTPS protocol.