Practical Security Guides For Your Team

Your website is using a security certificate that you issued yourself, rather than one verified by a trusted third party. Think of it like a business putting up its own 'health and safety approved' sign instead of getting an official inspection — visitors and browsers have no way to confirm the certificate is genuine. Modern browsers will show a security warning to anyone who visits, which can drive customers away.

Your website's security certificate has expired. This certificate is what tells browsers your site is safe and keeps data encrypted between your site and your visitors. Right now, anyone visiting your site is likely seeing a full-screen warning saying 'Your connection is not private' — and most people will leave immediately rather than click through.

Your Windows server may be missing a critical security patch from 2014 known as 'WinShock'. This flaw exists in the part of Windows that handles encrypted connections (HTTPS), and an attacker could exploit it to take complete control of your server — without needing a username or password. If this patch is missing, your server is exposed to one of the most severe Windows vulnerabilities ever discovered.

Your web server is compressing responses using gzip or Brotli, which is a common performance feature. However, a known attack technique called BREACH can exploit this compression to gradually piece together sensitive data — like login tokens or session cookies — from your encrypted traffic. Importantly, this only becomes a real risk if your site also reflects user input and serves secrets (like security tokens) in the same page response.

Your website can be visited over plain HTTP (unencrypted), and it doesn't automatically send visitors to the secure HTTPS version. Any user who lands on an HTTP link — from an old email, a bookmark, or a mistyped URL — will have their connection left unprotected. Think of it like a shop that has a secure back entrance but leaves the front door unlocked with no sign pointing visitors to the right way in.

Your server still supports TLS 1.0, an old encryption standard from 1999 that has a known weakness called BEAST. Think of it like a lock on your front door that was recalled years ago — it still works most of the time, but security experts have shown it can be picked under the right conditions. Modern browsers and servers have largely worked around this flaw on their end, but the safest fix is to retire the old protocol on your server entirely.

Your website is missing a small but important instruction it should send to browsers — one that tells them to always use a secure, encrypted connection. Without it, browsers may occasionally connect over an unencrypted channel, and there is no browser-level safeguard to prevent that from happening. Think of it like a lock on your front door: your HTTPS certificate is the lock, but this header is the sign that tells visitors to always use the locked entrance.