Check your SSL certificate in seconds

SiteCurl checks if your site loads over HTTPS and if the SSL certificate is valid. It verifies that the certificate has not expired, that the domain name matches, and that the connection is secure. Sites that fail show a browser warning that stops most visitors from getting in.

The check also looks for HSTS (HTTP Strict Transport Security), which forces browsers to always use HTTPS. Without HSTS, the first visit may go over plain HTTP before the redirect kicks in. That gap is enough for an attacker on the same network.

SiteCurl reports whether HTTPS is enforced, the certificate status, and whether HSTS is present. Each finding tells you what to fix and why.

Here is what happens when a cert expires. A visitor types your URL. The browser tries to connect. Instead of your site, they see a full-page warning. Chrome says 'Your connection is not private.' Firefox says 'Warning: Risk Ahead.' Both force the visitor to click past many steps to get through. Almost no one does.

The timing makes this risky. Certs have expiry dates: 90 days for Let's Encrypt, one year for paid ones. Most hosts renew them on their own. But auto-renewal can fail with no warning. A DNS change, a lapsed hosting plan, or an email issue can all stop it. You will not know until visitors start leaving.

The second issue is HTTPS use. Having a cert is not the same as using it. If your site still responds to HTTP (no S), visitors may reach the plain version. A redirect to HTTPS fixes this for browsers. HSTS goes one step further: it tells browsers to never try HTTP at all. Without HSTS, the first visit to your site has a brief window with no guard.

Cert issues are all or nothing. Your site either works or it does not. There is no partial state. When the SSL check fails, fix it first, then move to other checks.

Browsers show a full-page warning for bad or expired certificates. Most visitors will not click past it. An expired cert can drop a working site to near-zero traffic in minutes. This is not a gradual decline. It is an immediate, total block for every visitor.

HTTPS is also a ranking signal. Google confirmed it in 2014 and has increased its weight since. Sites without HTTPS rank lower than identical sites with it. For competitive search terms, the difference matters.

Beyond rankings, visitors look for the lock icon before they type in personal details. Contact forms, checkout pages, and login screens on HTTP sites feel unsafe. Even if the data is not intercepted, the perception of risk drives people away.

Online stores are hit hardest. An expired cert on a checkout page means zero sales until fixed. Payment tools like Stripe and PayPal will not load on a plain HTTP page at all.

Small businesses that set up their site once and leave it for months are the most likely to have cert issues. If the hosting plan lapses or the domain setup changes, auto-renewal can break with no notice.

Agencies that manage client sites need to track cert expiry across every domain. One expired cert on one client site looks bad for the agency. A monthly scan across all client sites catches these before they become urgent.

Step 1: Check your cert status. Run a SiteCurl scan or visit your site and click the lock icon in the address bar. It shows the issuer, domain, and expiry date.

Step 2: Renew an expired cert. Most hosts offer free SSL that renews on its own. Check the SSL settings in your hosting panel. Render, Netlify, Vercel, and cPanel hosts all use free Let's Encrypt certs. If auto-renewal failed, re-issue the cert by hand.

Step 3: Force HTTPS. Add a redirect from HTTP to HTTPS on your server. In Nginx, use return 301 https://$host$request_uri;. In Apache, use a rule in .htaccess. In Cloudflare, turn on 'Always Use HTTPS' in SSL/TLS settings.

Step 4: Add HSTS. Set the Strict-Transport-Security header with a max-age of at least 31536000 (one year). This tells browsers to skip HTTP on all future visits.

Step 5: Test your subdomains. If you use blog.yoursite.com or app.yoursite.com, each one needs a valid cert. A wildcard cert covers them all. Without one, each subdomain needs its own cert.

Thinking auto-renewal always works. It does, until it does not. DNS changes, email issues, or a lapsed hosting plan can all break it. Check the expiry date after any hosting or domain change.

Adding HSTS before fixing mixed content. HSTS forces all traffic to HTTPS. If your pages still load images or scripts over HTTP, those files will break. Fix mixed content first, then turn on HSTS.

Using a cert for the wrong domain. A cert for www.yoursite.com does not cover yoursite.com (without www) unless it is a wildcard or multi-domain cert. Visitors who type the bare domain will see a warning.

Setting HSTS max-age too short. A max-age of 300 (5 minutes) does almost nothing. Use at least 31536000 (one year). Once HTTPS works on all pages, add includeSubDomains and look into HSTS preloading.

After your changes, run another SiteCurl scan to check that the SSL check passes. You can also test by hand: open your site in Chrome, click the lock icon, and check the cert is valid and not expiring soon.

For HSTS, check your headers with curl -sI https://yoursite.com | grep -i strict. You should see Strict-Transport-Security: max-age=31536000 or higher. If it is missing, the header was not set on your server.

Test the redirect by going to http://yoursite.com (no S). It should send you to the HTTPS version. If it loads the HTTP version, the redirect is not in place.

SSL is the first thing browsers check. A missing or expired certificate shows a full-page warning that stops most visitors from going further. It also tells search engines your site is not safe to list. Fix SSL first, then move on to other checks.