Still Think “Not Secure” Is No Big Deal?

Google officially flagged non-HTTPS sites as “Not Secure” back in 2018, yet many organizations still ignore this critical security warning. A “Not Secure” label means the website lacks encryption, exposing user data to interception, manipulation, and theft. For CISOs, executives, and security professionals, ignoring this is negligence—opening the door to breaches, compliance violations, and reputational damage.

You Should Know:

How to Check if a Site Uses HTTPS
Run this command in Linux to verify HTTPS enforcement:
```
curl -I https://example.com | grep "HTTP/"
```

Expected output:

[/bash]

HTTP/2 200


<ol>
<li>Enforce HTTPS on Apache/Nginx 
Apache: 
[bash]
<VirtualHost :80>
ServerName example.com
Redirect permanent / https://example.com/
</VirtualHost>

Nginx:

server {
listen 80;
server_name example.com;
return 301 https://$host$request_uri;
}

3. Test SSL/TLS Configuration

Use `openssl` to check certificate validity:

openssl s_client -connect example.com:443 -servername example.com | openssl x509 -noout -dates

4. HSTS (HTTP Strict Transport Security)

Add to your web server config to force HTTPS:

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

5. Automate Certificate Renewal (Let’s Encrypt)

sudo certbot renew --dry-run

6. Detect Mixed Content Issues

Use browser DevTools (`F12` > Security tab) or:

grep -r "http://" /var/www/html/

7. Disable Weak Ciphers

OpenSSL hardening (Nginx):

ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;

8. Monitor for Certificate Expiry

echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate

What Undercode Say

Ignoring HTTPS is like leaving your front door unlocked in a high-crime area. The risks—data breaches, MITM attacks, SEO penalties—far outweigh the minimal effort required to enforce encryption. Use tools like curl, openssl, and `certbot` to automate and verify security. If you’re still running HTTP-only services, you’re not just outdated—you’re a liability.

Expected Output:

[/bash]

HTTP/2 200

SSL certificate valid until: Dec 31 2025 23:59:59 GMT

No mixed content detected.

[bash]

Relevant URLs:
– Let’s Encrypt
– Mozilla SSL Config Generator

References:

Reported By: Andy Jenkinson – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram

Listen to this Post

You Should Know:

Expected output:

HTTP/2 200

Nginx:

3. Test SSL/TLS Configuration

Use `openssl` to check certificate validity:

4. HSTS (HTTP Strict Transport Security)

5. Automate Certificate Renewal (Let’s Encrypt)

6. Detect Mixed Content Issues

Use browser DevTools (`F12` > Security tab) or:

7. Disable Weak Ciphers

OpenSSL hardening (Nginx):

8. Monitor for Certificate Expiry

What Undercode Say

Expected Output:

HTTP/2 200

No mixed content detected.

References:

Join Our Cyber World:

Related Posts: