You Do Not Have a Secure HTTPS Server" Error When Using PWABuilder: Full Guide to Fix It

If you’ve tried to turn your website into a Progressive Web App (PWA) using PWABuilder and ran into the dreaded error:

“You do not have a secure HTTPS server”

—you’re not alone.

This error can stop your PWA in its tracks. But don’t worry—this blog post will break down the causes, explain why it matters, and most importantly, show you step-by-step how to fix it.


What This Error Means

When PWABuilder analyzes your website to generate a PWA package (for Android, Windows, etc.), it checks your HTTPS setup.

If your site fails basic HTTPS security checks, you’ll see this error along with a few more detailed messages:

Common Issues Reported by PWABuilder:

  1. Does not use HTTPS
    Your site is only accessible via http://, not https://.
  2. Uses mixed content on page or HTTP redirect on loads
    Some of your page assets (images, scripts, stylesheets) are being loaded over HTTP.
  3. Does not have a valid SSL certificate
    Your SSL certificate may be missing, expired, self-signed, or invalid.

Why HTTPS Is Mandatory for PWAs

PWAs rely on modern browser APIs—like service workers, caching, and push notifications—which are only available on secure origins (i.e., HTTPS).

Without HTTPS:

  • Browsers block these APIs.
  • Users will see security warnings.
  • Your app cannot be installed on devices.
  • PWABuilder refuses to package your app.

Even if your site is just a static page, HTTPS is non-negotiable.


Step-by-Step Fix Guide

Here’s how to fix each of the issues reported:


1. Enable HTTPS on Your Server

You need to serve your site over https://. If you’re using common hosting providers (like Netlify, Vercel, Firebase, etc.), HTTPS is usually enabled by default.

If you manage your own server (Apache or Nginx):

  • Use Let’s Encrypt to get a free SSL certificate.
  • Install the certificate and configure your server to redirect all traffic to HTTPS.
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx

2. Fix Mixed Content

Mixed content means you’re loading some resources (images, fonts, JS, etc.) over http:// on an https:// page.

How to fix:

  • Open your site in a browser and check the dev tools (F12 → Console).
  • Look for warnings like:
    Mixed Content: The page at 'https://yoursite.com' was loaded over HTTPS, but requested an insecure image 'http://...'.
  • Change all http:// URLs in your HTML, CSS, and JS to https://.

Pro tip: Use relative URLs like //cdn.example.com/lib.js or /images/logo.png to avoid hardcoding HTTP.


3. Install a Valid L Certificate

Even if your site uses HTTPS, PWABuilder will fail if:

  • Your certificate is self-signed
  1. Enter your site URL and re-analyze it.

If everything’s correct, the HTTPS-related errors should be gone.


Bonus Tip: Use Online Tools to Validate

Use these tools to double-check your HTTPS setup:

  • SSL Labs Test – deep analysis of your SSL certificate and server config
  • Why No Padlock? – helps find mixed content
  • Security Headers – check your security-related HTTP headers

Summary

To package your site as a PWA using PWABuilder, you must have a secure HTTPS setup. This includes:

  • A valid SSL certificate
  • No mixed content
  • Redirects from HTTP to HTTPS

Not setting this up properly will block key PWA features and prevent packaging.

Once you fix the issues, your PWA will be installable, secure, and ready for users.


Related Resources

  • askfullstack – Community for full stack developers
  • wwebhub – Articles and tools for building secure web applications

Have questions or need help with your HTTPS setup? Drop a comment below or reach out through the contact page.

Happy coding and stay secure!