Does HTTPS mean a website is safe?

The padlock in your browser is one of the most misunderstood symbols online. Many people see it and assume the site is safe to buy from and honest to deal with. It does not mean that.

HTTPS tells you one specific thing: your connection to the site is encrypted. That is worth having, but it says nothing about who runs the site or whether they intend to treat you fairly. This guide explains what the padlock really tells you and what to check instead.

Check any website now

Paste an address for a free safety check: encryption, malware and phishing, domain age and more.

What the padlock actually means

HTTPS means the data travelling between your device and the website is encrypted, so someone on the same network cannot easily read your password or card number in transit. That is all it guarantees.

It does not confirm that the business is real, that the products exist, or that anyone will honour your order. The padlock is about the pipe your data travels through, not about the person at the other end of it.

What HTTPS does not tell you

Whether the business is honest

Encryption protects the connection, not your money. A scam shop can run on HTTPS just like a real one.

Who is behind the site

A standard certificate does not verify a company name or address. It only proves control of the domain.

Whether the site is safe from malware

An encrypted page can still host malware or a phishing form. HTTPS does not scan the content.

Whether the domain is genuine

Lookalike domains can hold a valid certificate too, so the padlock does not confirm you are on the real brand.

Why scammers have padlocks too

Certificates used to cost money and take effort. Today they are free and automatic through services such as Let's Encrypt, and a new site can have a valid certificate within minutes of going live. Scammers use these services just like everyone else.

That is why the padlock is now the norm rather than a mark of trust. There is also a common trap: because browsers show a "Not secure" warning on sites without HTTPS, people read the absence of that warning as a positive endorsement. It is not. A padlock only means the warning does not apply, not that the site earned your trust.

What to check instead

  1. 1.Run the site through our free safety check for encryption, malware and phishing flags, and domain age in one place.
  2. 2.Check how long the domain has existed. A site created days ago deserves more caution than one with a long history.
  3. 3.Search the business name along with the word "scam" or "review" and read what independent sources say.
  4. 4.Look for real contact details, a physical address, and clear returns and privacy policies.
  5. 5.If you decide to buy, use a payment method with buyer protection, such as a credit card or PayPal.

So is HTTPS worthless?

No. HTTPS is necessary, and its absence is a genuine red flag. If a site asks for a password or payment over a plain HTTP connection, do not enter anything, because your details could be read in transit. Ongoing SSL monitoring also helps site owners catch expired or broken certificates early.

The point is balance. Missing HTTPS is a reason to walk away, but present HTTPS proves very little on its own. Treat the padlock as the bare minimum, then judge the site on domain age, reviews, contact details and whether it is flagged for malware or phishing.

Frequently asked questions

Does the padlock mean a website is safe to buy from?

No. The padlock only means your connection to the site is encrypted. It says nothing about whether the business is real or honest, so you still need to check other signals before you buy.

Can a scam website have HTTPS and a padlock?

Yes. Certificates are free and automatic through services like Let's Encrypt, so scammers get them as easily as legitimate businesses. A padlock on a scam site is common.

Is a website without HTTPS dangerous?

A missing padlock is a real red flag, especially on any page that asks for a password or payment. Without encryption your details can be read in transit, so avoid entering sensitive information.

Why does my browser say "Not secure"?

That label appears when a site does not use HTTPS, so the connection is not encrypted. When the label is absent it simply means the connection is encrypted, not that the site itself is trustworthy.

How do I actually check if a website is safe?

Look at several signals together: domain age, independent reviews, real contact details, and whether the site is flagged for malware or phishing. A free safety check can gather the technical parts for you in seconds.

Related guides

Not sure about a site? Check it in seconds.

Free, anonymous, and no signup. Know before you buy.

Run a free safety check