htmlhttpssafarissl-certificateweb-deployment

why is safari the only browser flagging my https website as not secure


I recently created a website for my client's business. We bought and setup an OV SSL certificate from GoDaddy, the same platform we're hosting on. But for some reason, Safari is flagging the whole site as not secure, whilst Chrome and Edge are saying its secure. All the links on the website have an HTTPS prefix and all the images are hosted on the server. Its only a small website advertising his business, its got about 5 pages. Why is Safari flagging the site as not secure? Please help.


Solution

  • Browsers auto-complete the URL schema when an address or hostname is typed in. Currently, there are some browsers auto-completing to https://, while some still autocomplete to http://. The latter seems to be the case with Safari.

    So actually, Safari is marking your http website as unsecure, which is as expected.

    For several years now browser vendors have been transitioning to encryption by default, taking increasingly strict measures to do so, like connecting on https by default.

    The HSTS preload list also specifies which hosts should be connected to on secure connections only. Safari will probably autocomplete the URL with https:// if the typed in hostname can be found in that list.


    A website usually can be reached on both schemes when a certificate is installed. So one would add a 301 redirect from http to https to force every one to use the encrypted connection. This redirect is missing in your configuration. Often, it can be activated with a simple checkbox in the web hoster’s configuration pages.

    It is best practice to preserve all other parts of the request during the redirect, except the schema, so that existing links still work. e.g. http://example.com/test.html would redirect to https://example.com/test.html