Wednesday 8 July 2020

The browser padlock and why it might not appear



It's important to have an SSL certificate these days if your site is to have any credibility.

Even if you do have a valid certificate in place, you may still find that a browser refuses to display the padlock. Different browsers have their own criteria and display the information in different ways, but we've generally moved from 'a padlock when the site is secure' to a clear 'site insecure' warning.

The image above illustrates this. The site does have a valid certificate in place. My two favourite browsers both have developer tools which allow you to drill down and find the reason(s) for the warnings.

That's good for a single page that you know has a problem. But if you're a Scrutiny user, you want to be notified of any such problems on any page of your site.

Scrutiny has long had features to help you with migration to https://. It alerts you to old links to your http:// pages and to pages which have mixed content (images or linked files which are http://).

As mentioned above, browsers vary in their criteria for displaying the padlock. As of v9.8.0, Scrutiny makes additional checks and gives additional warnings:

The insecure content alert/report will now include:

  • insecure URLs found in certain meta tags, such as Open Graph or Twitter cards.
  • insecure images, whether hosted internally or externally
  • insecure form action URLs, even if the 'check form action' is switched off.
