HTTPS is no longer a feature. It is baseline.
In 2026, any website without an SSL certificate is telling the visitor to leave — and the browser makes a point of underlining it.
Five years ago, selling a "site with SSL" was still a sales feature. The green padlock. The phrase "your site stays secure". Today, it is the bare minimum expected of a professional site, and not having it is no longer a technical oversight — it is a signal of negligence.
What the browser does without HTTPS
Chrome, Safari, Firefox, Edge: all show "Not secure" in the address bar of any HTTP page. Forms with sensitive inputs are blocked or trigger red warnings. On mobile, the warning takes the whole screen before the user can submit anything.
From the buyer's point of view: the visitor arrives, sees the warning, leaves. The product doesn't matter. Trust broke in three seconds.
Where HTTPS is already technically required
Service Workers (PWA, offline-first) only run on HTTPS. HTTP/2 and HTTP/3, too. Geolocation, camera, microphone, push notifications — all depend on a secure context. Modern web APIs generally refuse to run outside HTTPS.
In practice: any reasonably modern application needs HTTPS just to boot.
How much it costs
Zero. Let's Encrypt has been issuing free certificates with auto-renewal for almost a decade. Cloudflare offers flexible SSL for free. Any serious hosting in 2026 installs SSL with one click. There is no cost excuse — and frankly, no excuse at all.
What to verify now
- The main domain redirects HTTP to HTTPS automatically
- All subdomains (www, app, admin) also force HTTPS
- The certificate is valid in every browser and renews on its own
- HSTS is active (Strict-Transport-Security header)
- No mixed content — assets loading via HTTP inside an HTTPS page
If any of these fails, the problem is not cosmetic. It is operational.