Does not use HTTPS

All sites should be protected with HTTPS, even ones that don't handle sensitive data. This includes avoiding mixed content, where some resources are loaded over HTTP despite the initial request being served over HTTPS. HTTPS prevents intruders from tampering with or passively listening in on the communications between your app and your users, and is a prerequisite for HTTP/2 and many new web platform APIs.

For more information about why all sites should be protected with HTTPS, see Why HTTPS Matters.

How the Lighthouse HTTPS audit fails

Lighthouse flags pages that aren't on HTTPS:

Lighthouse audit showing page isn't on HTTPS

How to migrate your site to HTTPS

Consider hosting your site on a CDN. Most CDNs are secure by default.

To learn how to enable HTTPS on your servers, see Google's Enabling HTTPS on Your Servers. If you're running your own server and need a cheap and easy way to generate certificates, Let's Encrypt is a good option.

If your page is already running on HTTPS but you're failing this audit, you may have problems with mixed content. A page has mixed content when the page itself is loaded over HTTPS, but it requests an unprotected (HTTP) resource. Check out the following doc on the Chrome DevTools Security panel to learn how to debug these situations: Understand Security Issues With Chrome DevTools.

Resources