If you’ve tried to turn your website into a Progressive Web App (PWA) using PWABuilder and ran into the dreaded error:
“You do not have a secure HTTPS server”
—you’re not alone.
This error can stop your PWA in its tracks. But don’t worry—this blog post will break down the causes, explain why it matters, and most importantly, show you step-by-step how to fix it.
What This Error Means
When PWABuilder analyzes your website to generate a PWA package (for Android, Windows, etc.), it checks your HTTPS setup.
If your site fails basic HTTPS security checks, you’ll see this error along with a few more detailed messages:
Common Issues Reported by PWABuilder:
- Does not use HTTPS
Your site is only accessible viahttp://
, nothttps://
. - Uses mixed content on page or HTTP redirect on loads
Some of your page assets (images, scripts, stylesheets) are being loaded over HTTP. - Does not have a valid SSL certificate
Your SSL certificate may be missing, expired, self-signed, or invalid.
Why HTTPS Is Mandatory for PWAs
PWAs rely on modern browser APIs—like service workers, caching, and push notifications—which are only available on secure origins (i.e., HTTPS).
Without HTTPS:
- Browsers block these APIs.
- Users will see security warnings.
- Your app cannot be installed on devices.
- PWABuilder refuses to package your app.
Even if your site is just a static page, HTTPS is non-negotiable.
Step-by-Step Fix Guide
Here’s how to fix each of the issues reported:
1. Enable HTTPS on Your Server
You need to serve your site over https://
. If you’re using common hosting providers (like Netlify, Vercel, Firebase, etc.), HTTPS is usually enabled by default.
If you manage your own server (Apache or Nginx):
- Use Let’s Encrypt to get a free SSL certificate.
- Install the certificate and configure your server to redirect all traffic to HTTPS.
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx
2. Fix Mixed Content
Mixed content means you’re loading some resources (images, fonts, JS, etc.) over http://
on an https://
page.
How to fix:
- Open your site in a browser and check the dev tools (F12 → Console).
- Look for warnings like:
Mixed Content: The page at 'https://yoursite.com' was loaded over HTTPS, but requested an insecure image 'http://...'.
- Change all
http://
URLs in your HTML, CSS, and JS tohttps://
.
Pro tip: Use relative URLs like //cdn.example.com/lib.js
or /images/logo.png
to avoid hardcoding HTTP.
3. Install a Valid L Certificate
Even if your site uses HTTPS, PWABuilder will fail if:
- Your certificate is self-signed
- Enter your site URL and re-analyze it.
If everything’s correct, the HTTPS-related errors should be gone.
Bonus Tip: Use Online Tools to Validate
Use these tools to double-check your HTTPS setup:
- SSL Labs Test – deep analysis of your SSL certificate and server config
- Why No Padlock? – helps find mixed content
- Security Headers – check your security-related HTTP headers
Summary
To package your site as a PWA using PWABuilder, you must have a secure HTTPS setup. This includes:
- A valid SSL certificate
- No mixed content
- Redirects from HTTP to HTTPS
Not setting this up properly will block key PWA features and prevent packaging.
Once you fix the issues, your PWA will be installable, secure, and ready for users.
Related Resources
- askfullstack – Community for full stack developers
- wwebhub – Articles and tools for building secure web applications
Have questions or need help with your HTTPS setup? Drop a comment below or reach out through the contact page.
Happy coding and stay secure!