HTTPS Adoption 2026: 98.6% of Human Traffic Is Encrypted

Live Cloudflare Radar data: 98.6% of human web traffic is HTTPS in 2026, but bot traffic is only 87.8%. Full 121-country breakdown, 2025 vs 2026.

Published 20 min read

HTTPS Adoption 2026: 98.6% of Human Traffic Is Encrypted
Share:

98.60% of human web traffic was HTTPS in 2026, up from 98.03% a year earlier, according to Cloudflare Radar data we pulled on 14 July 2026. Bot traffic is only 87.80% encrypted. That gap is what drags the widely quoted all-traffic HTTPS adoption figure down to 94.59%. The unencrypted web is mostly machines.

A huge closed padlock with a crack down its face and rust bleeding from the keyhole, small robots slipping through the gap

The lock is shut. That was never the whole question.

Key findings from our analysis:

  • 98.60% of human requests are HTTPS (2026), up from 98.03% in the matched 2025 window.
  • Bot traffic sits at 87.80%. It moved 5.12 points in a year, nine times faster than human traffic.
  • 94.59% is the all-traffic number most articles quote. It's an average of two very different populations.
  • HTTPS is not a wealth story. Nigeria (99.74%) and Turkmenistan (99.78%) top the table of 121 markets. Canada (96.89%) and Luxembourg (96.39%) sit near the bottom.
  • One market is a genuine outlier: China, at 86.79%. It gained 2.35 points year over year, and Cloudflare's own footprint there is thin.
  • Every published HTTPS statistic disagrees because each uses a different denominator: websites, page loads, or requests.
  • In our March 2026 crawl, 283,317 domains were serving a broken TLS certificate — encrypted, but wrong.

I pulled these numbers myself from the Cloudflare Radar REST API on 14 July 2026, using matched 28-day windows (16 June to 14 July) for 2025 and 2026 so the comparison isn't distorted by seasonality. Every Radar figure in this post is a share of requests observed on Cloudflare's network, not a share of websites. That distinction matters more than any single number here, and it's the reason the fourth section of this post exists.

📊
By the Numbers: Human web traffic is 98.60% encrypted. Bot traffic is 87.80% encrypted. The 10.8-point gap between them is the entire story of what's left unencrypted on the web.

The encryption argument is settled for people. What's left is a residue of machines, misconfigured certificates, and a handful of markets that measure differently. That residue is what this post is about.

The bot gap: why the number everyone quotes is too low

Bar chart of HTTPS share by traffic class: human traffic 98.60%, all traffic 94.59%, bot traffic 87.80%

The 94.59% figure that circulates in most HTTPS adoption write-ups is a blended average, and blending is what hides the finding. Split the traffic by class and two separate populations appear: humans, who are essentially done adopting HTTPS, and bots, who are still catching up.

Traffic class 2025 2026 Year-over-year
Human traffic only 98.03% 98.60% +0.57pt
All traffic (humans + bots) 93.35% 94.59% +1.24pt
Bot traffic only 82.68% 87.80% +5.12pt

Bots moved 5.12 points in twelve months. Humans moved 0.57. If you quote the all-traffic number, you're reporting a weighted average whose movement is driven almost entirely by automated clients: scrapers, monitoring agents, feed fetchers, the AI crawlers now hitting most sites, and old integration scripts nobody has touched in years.

🔑
Key Takeaway: The unencrypted web is mostly machines. Human browsing hit its ceiling; the remaining plain-HTTP requests are overwhelmingly automated clients. See our bot traffic statistics for how large that population has become.

Flip the numbers around and the gap gets easier to see. Instead of asking how much traffic is encrypted, ask how much is still travelling in the clear: 1.40% of human requests, against 12.20% of bot requests. Bots are 8.7 times worse than people.

Bar chart of traffic still unencrypted: bot traffic 12.20%, all traffic 5.41%, human traffic 1.40%, an 8.7x gap

Why do bots lag? Because a bot has no address bar. Nothing warns a script that its connection is plaintext, nothing marks it "Not Secure", and nothing nudges the person who wrote it three years ago. Browsers spent a decade pressuring humans into HTTPS with interstitials and warnings. Nobody applied that pressure to a cron job.

What to do with this insight: if you're reporting on encryption inside your own organisation, filter your logs by client class before you quote a percentage. A blended figure will understate your human-facing security posture and overstate your automation problem at the same time.

Why every HTTPS statistic disagrees: websites vs page loads vs requests

Search "HTTPS adoption rate" and you'll get three answers that don't match. W3Techs reports somewhere around 90%. Google's Transparency Report reports around 99%. Cloudflare Radar says 98.60%. All three are correct. They're measuring different things, and nobody reconciles them.

A tape measure, weighing scale and hourglass each measuring the same glowing padlock and showing different readings

Three instruments, one padlock, three answers.

The denominator is the whole disagreement:

Source What it counts (the denominator) Roughly what it reports
Cloudflare Radar Share of HTTP requests from human traffic seen on Cloudflare's network 98.60% (2026)
Google Transparency Report Share of page loads in Chrome Around 99%
W3Techs Share of websites whose default protocol is HTTPS Around 90%
TechnologyChecker crawl (March 2026) Domains serving a certificate we can attribute to an issuer 12,950,708 of 26,110,812 active domains

Three HTTPS figures side by side: W3Techs 90% of websites, Google 99% of Chrome page loads, Cloudflare Radar 98.60% of human requests

A request is not a page load, and a page load is not a website. Requests are dominated by the sites people actually visit, so a heavily trafficked HTTPS site contributes millions of encrypted requests while a dormant plain-HTTP parked domain contributes almost none. Count websites instead, and every abandoned domain gets one vote, exactly like Google's homepage. The gap between roughly 90% and roughly 99% isn't a contradiction. It's the difference between counting doors and counting people who walk through them.

⚠️
Common Mistake: Quoting a request-share figure as a "percentage of websites using HTTPS". They are different denominators and can differ by ten points. Always name the unit before you name the number.

That last row of the table needs a warning label. 12,950,708 of 26,110,812 is our certificate-authority detection coverage, not an HTTPS adoption rate. Our detection schema has no protocol column, so this crawl cannot produce a "% of websites with HTTPS" figure, and I'm not going to pretend otherwise. What it can produce is something none of the other three sources can.

What our crawl sees that request-level data can't: broken certificates

283,317 domains serving a broken TLS certificate and 1,093,471 preloading HSTS, out of 26,110,812 active domains crawled

Cloudflare Radar can tell you a request was encrypted. It cannot tell you the certificate on the other end expired last April, or was issued for a completely different hostname. HTTPS isn't binary, and the domain-level view is where that shows up.

In our March 2026 crawl of 26,110,812 active domains, 283,317 domains were serving a broken TLS certificate:

Broken-certificate signal Domains (March 2026 crawl)
Invalid certificate dates (expired or not yet valid) 147,170
Common name invalid (issued for the wrong hostname) 141,009
Distinct domains with at least one broken-cert signal 283,317

Those first two rows overlap (a domain can be both expired and misnamed), so they don't add up to the total. 283,317 is the deduplicated count.

🚩
Red Flag: A quarter of a million domains serve HTTPS badly. Every one of them counts as "encrypted" in a request-share statistic and throws a full-page browser warning at real users.

The strictest posture is still a minority

The other thing a domain-level crawl sees is enforcement. Offering HTTPS is one thing; forbidding plain HTTP is another. In the same March 2026 crawl, 1,093,471 domains preload HSTS with includeSubDomains, roughly 1 in 24 active domains, or 4.19%. Those sites are telling the browser, before the first request is ever made, that plain HTTP is not an option for them or any subdomain.

So the picture at domain level and the picture at request level genuinely differ. Traffic is almost entirely encrypted. Strict enforcement is a minority behaviour. Both statements are true at once.

One more row belongs here, because it's the cleanest illustration of the denominator trap. Let's Encrypt accounts for 7,662,374 of the 12,950,708 domains where we can identify a certificate authority, a 59.2% domain-weighted share in March 2026. Count certificates issued instead of domains serving and you get a different number, because Let's Encrypt issues short-lived certificates and renews roughly every 60 days. Same authority, same web, different denominator, different answer. We break that apart in our certificate authority market share analysis.

HTTPS adoption by country in 2026

A long line of padlocks standing at almost exactly the same height, with a single one sunken below the rest

One hundred and twenty-one markets, packed at the ceiling. One isn't.

Cloudflare Radar reported HTTPS share of human traffic for 121 countries in our 2026 window. The median market sits at 98.74%, and 94 of the 121 are at or above 98%. The table below shows the top 25 and the bottom 25; the 71 markets in between are packed into a two-point band.

# Country 2026 2025 Change
1 Turkmenistan 99.78% 99.52% +0.25pt
2 Nigeria 99.74% 99.49% +0.25pt
3 Japan 99.52% 99.12% +0.40pt
4 Poland 99.50% 98.19% +1.31pt
5 South Korea 99.44% 98.55% +0.89pt
6 Thailand 99.40% 99.03% +0.36pt
7 Philippines 99.37% 98.95% +0.42pt
8 Singapore 99.33% 98.57% +0.76pt
9 Slovenia 99.32% 98.65% +0.67pt
10 Indonesia 99.31% 99.12% +0.19pt
11 Denmark 99.30% 98.47% +0.83pt
12 Norway 99.28% 98.42% +0.86pt
13 Greece 99.28% 98.81% +0.46pt
14 Serbia 99.26% 98.71% +0.55pt
15 Finland 99.25% 98.66% +0.60pt
16 Spain 99.25% 98.50% +0.75pt
17 Slovakia 99.24% 98.51% +0.73pt
18 Hungary 99.23% 98.33% +0.90pt
19 Croatia 99.22% 98.71% +0.51pt
20 Latvia 99.21% 98.19% +1.03pt
21 Romania 99.21% 98.44% +0.77pt
22 Australia 99.18% 97.97% +1.21pt
23 France 99.18% 98.53% +0.65pt
24 Bulgaria 99.17% 98.86% +0.31pt
25 Pakistan 99.17% 98.89% +0.28pt
(71 markets between 98.99% and 98.01%)
97 Yemen 97.86% 98.66% -0.80pt
98 Liberia 97.86% 97.88% -0.02pt
99 Cuba 97.79% 97.90% -0.10pt
100 Kuwait 97.79% 96.15% +1.64pt
101 Ethiopia 97.76% 98.46% -0.70pt
102 Benin 97.68% 97.63% +0.06pt
103 Argentina 97.53% 96.78% +0.75pt
104 Syria 97.52% 98.18% -0.66pt
105 Venezuela 97.49% 95.85% +1.64pt
106 Libya 97.40% 98.30% -0.90pt
107 Sudan 97.23% 98.08% -0.86pt
108 Senegal 97.09% 97.56% -0.47pt
109 Canada 96.89% 97.15% -0.26pt
110 Tajikistan 96.72% 98.03% -1.31pt
111 Guinea 96.70% 97.71% -1.01pt
112 Mali 96.65% 97.76% -1.11pt
113 Luxembourg 96.39% 97.72% -1.33pt
114 Gabon 96.01% 97.19% -1.18pt
115 Egypt 95.35% 96.15% -0.80pt
116 Chad 95.35% 97.01% -1.66pt
117 Togo 94.83% 96.04% -1.21pt
118 Niger 92.60% 94.83% -2.22pt
119 Russia 92.33% 95.16% -2.83pt
120 Burkina Faso 91.14% 94.03% -2.89pt
121 China 86.79% 84.45% +2.35pt

Look at the compression. Ninety-four markets are crammed between 98% and 99.78%. The whole distribution, China excluded, spans about eight points. There is no meaningful "HTTPS adoption by country" ranking left to write. The ranking exists, but the differences it describes are mostly noise around a ceiling.

💡
Quick Insight: A country moving from rank 60 to rank 20 gains about half a percentage point. Treat these ranks as ordering, not as magnitude. The gap between most neighbours is smaller than the measurement's practical precision.

The declines are more interesting than the ranks. Fifteen of the bottom 25 lost ground year over year. Several of those markets are ones where traffic is routed through mobile carrier gateways and older middleboxes, and where a change in how traffic reaches Cloudflare's network can move the number more than any change in what site owners did.

Nigeria beats Canada: HTTPS adoption is not a wealth story

Five country pairs compared: Turkmenistan, Nigeria, Pakistan, Ghana and Kyrgyzstan each out-encrypting Luxembourg, Canada, the Netherlands, Switzerland and Ireland

The intuition that rich countries encrypt and poor countries don't is straightforwardly wrong in this data. Nigeria's human traffic is 99.74% HTTPS. Canada's is 96.89%. That's not a rounding error. It's a 2.85-point gap in Nigeria's favour, and it repeats across the table.

Lower-income market HTTPS share High-income market HTTPS share Gap
Turkmenistan 99.78% Luxembourg 96.39% +3.39pt
Nigeria 99.74% Canada 96.89% +2.85pt
Pakistan 99.17% Netherlands 98.52% +0.65pt
Ghana 99.14% Switzerland 98.26% +0.88pt
Kyrgyzstan 99.03% Ireland 98.74% +0.29pt

Why this happens: HTTPS share tracks what people browse on, not what a country earns. Markets that came online late skipped the legacy desktop era entirely and browse on mobile Chrome, now 68.7% of the human web, which forces HTTPS and blocks mixed content by default. Older, wealthier markets carry a long tail of legacy desktop clients, corporate proxies, embedded devices, kiosks, and internal tooling that still speaks plain HTTP. Wealth bought those countries more infrastructure to be stuck with.

🔑
Key Takeaway: Late-mobile markets encrypt more, not less. If you're modelling security posture by country GDP, this data says stop. Device mix predicts HTTPS share far better than income does.

Our device split backs this up directly, and I'll get to it in the plateau section. Mobile browsing is where encryption is nearly total, and the markets highest on this table are the ones where mobile dominates internet usage.

China is the only real outlier

Bar chart showing China at 86.79% against Burkina Faso 91.14%, the 121-market median 98.74% and Turkmenistan 99.78%

Of the 121 markets Cloudflare Radar measured, exactly one falls outside the pack. China's HTTPS share of human traffic is 86.79%, against 91.14% for the next-lowest market. Every other country on the list is above 91%.

China also gained 2.35 points year over year, from 84.45%, one of the larger climbs in the whole table. So the direction of travel is toward the pack, not away from it.

⚠️
Common Mistake: Reading China's 86.79% as an established fact about Chinese web encryption. Cloudflare's network footprint inside China is small, so this figure reflects a narrow and unrepresentative slice of Chinese traffic. It's the one market that looks different in Cloudflare's data. Treat it as a measurement artefact until a second source confirms it.

That caveat isn't a formality. Radar is a view from one network, and the quality of that view varies by country. In markets where Cloudflare terminates a large share of traffic, the sample is broad. In China, it isn't. I'd report the 86.79% and the +2.35pt movement, and I would not build a claim about Chinese security policy on top of either.

Is HTTPS adoption still growing, or has it plateaued?

A person standing still on a flat mountain plateau while a small robot is still climbing the slope far below

People reached the summit. The machines are still climbing.

For humans, HTTPS adoption has plateaued. For bots, it's still climbing. The human figure has 1.40 percentage points of headroom left in total, and it consumed 0.57 of them this year. At that rate the remaining gap is a rounding exercise, not a trend.

The device split shows where the ceiling already is:

Segment 2025 2026 Change
Desktop (human) 96.63% 97.58% +0.95pt
Mobile (human) 99.47% 99.44% -0.03pt
TLS 1.3 63.53% 65.90% +2.37pt
TLS over QUIC 31.98% 31.41% -0.57pt
TLS 1.2 4.43% 2.68% -1.75pt
TLS 1.0 0.05% 0.01% -0.04pt

Mobile is done. It moved backwards by three hundredths of a point, which is what a flat line looks like when you measure it twice. Desktop still has a point of slack, and desktop is exactly where the legacy clients live: the corporate proxies, the old intranet tools, the machines nobody reimages.

The version story underneath is healthier than the adoption story on top. TLS 1.2 halved in a year, down to 2.68% of human traffic, and TLS 1.0 is now statistically absent at 0.01%. Modern TLS (1.3 plus QUIC) carries the overwhelming majority of encrypted human requests. That's a separate question from which HTTP version those requests use, which we cover in our HTTP/2 and HTTP/3 adoption analysis.

What to do with this insight: stop tracking "are we HTTPS yet" as a metric. It's answered. Track certificate health, TLS version floor, and HSTS enforcement instead. Those still have real variance, and one of them (certificates) is quietly broken on hundreds of thousands of domains.

What's actually left: the post-quantum frontier

Bar chart showing 69.94% of browsers support post-quantum key agreement against just 9.37% of origin servers

The next encryption gap isn't HTTPS versus HTTP. It's whether the key exchange inside HTTPS survives a quantum computer, and the answer today is lopsided: browsers are ready, servers aren't.

Post-quantum key agreement 2025 2026
Client / browser support 36.88% 69.94%
Origin / server support (X25519MLKEM768) 9.37%

Client support nearly doubled in a year, from 36.88% to 69.94% of human requests. Origin support sits at 9.37%. Browsers are roughly 7.5 times more quantum-ready than the servers they connect to, which means most post-quantum-capable connections are negotiating down to classical cryptography because the other end can't keep up.

📌
Pro Tip: Your users' browsers have already done the post-quantum work for you. The migration cost sits entirely on your origin servers and your CDN configuration. That's the side worth auditing this year.

A note on how to read the origin figure: it's an overlapped percentage, because a single origin can advertise several key-agreement methods at once. The column doesn't sum to anything meaningful, and 9.37% shouldn't be plotted as a slice of a pie. It's the share of origins that support this specific method, full stop.

This is the same shape of problem as certificate hygiene, and the same shape as DNSSEC adoption: the protocol exists, the clients support it, and deployment on the server side lags by years. Encryption presence is solved. Encryption quality is the open work.

Methodology

Two datasets, two dates. They're kept separate throughout this post and should stay separate anywhere you quote them.

Dataset 1 — Cloudflare Radar (traffic-level). Source: the Cloudflare Radar REST API, endpoint http/summary/http_protocol, pulled on 14 July 2026. Windows: two matched 28-day windows, 16 June to 14 July, for 2025 and 2026, so year-over-year comparisons aren't distorted by seasonal traffic shifts. Scope: 121 countries, plus global splits by bot class, device type, TLS version, and post-quantum key agreement. Normalization: PERCENTAGE; units: requests. Every Radar figure in this post is a share of HTTP requests observed on Cloudflare's network. None of them is a share of websites. The post-quantum origin figure uses OVERLAPPED_PERCENTAGE, because one origin can support several key-agreement methods.

Dataset 2 — TechnologyChecker detection crawl (domain-level). Source: our own technology detection crawl, which completed on 28 March 2026. Every first-party figure in this post is from that March 2026 crawl. Sample: 26,110,812 active domains. Certificate-authority attribution was possible for 12,950,708 of them. Method: we parse the TLS certificate served by each domain, extract issuer and validity, and flag date and hostname mismatches. HSTS preload status with includeSubDomains is recorded per domain.

Limitations, stated plainly:

  1. Cloudflare Radar measures requests that traverse Cloudflare's network. It is a very large sample, not a census of the web, and its coverage varies by country.
  2. China's figure is the clearest example of that limitation. Cloudflare's footprint inside China is small, so 86.79% should be read as a measurement from a narrow sample, not a fact about Chinese encryption.
  3. Our crawl has no protocol or scheme column. It cannot produce a "percentage of websites using HTTPS", and no figure in this post claims to. The 12,950,708 / 26,110,812 ratio is certificate-authority detection coverage only.
  4. The two broken-certificate signals overlap. Use the deduplicated 283,317; never add the two rows.
  5. Radar figures date to July 2026. Crawl figures date to March 2026. They are four months apart and are not interchangeable.

Frequently asked questions

What percentage of web traffic uses HTTPS? 98.60% of human web traffic was HTTPS as of July 2026, per Cloudflare Radar. Including bots, the figure falls to 94.59%, because automated clients are only 87.80% encrypted. Which number is right depends on whether you care about the people using your site or everything that touches it.

Why do published HTTPS adoption rates disagree with each other? Because they use different denominators. Request-share statistics weight by traffic volume, so busy encrypted sites dominate. Page-load statistics count browser navigations. Website-share statistics give every domain one vote, including millions of dormant ones. None of them is wrong. They answer different questions, and the answers differ by several points.

Which country has the highest HTTPS adoption? Turkmenistan, at 99.78% of human requests, with Nigeria second at 99.74%. Japan, Poland, and South Korea follow. Income is a poor predictor of position in this table.

Which country has the lowest HTTPS adoption? China, at 86.79%. It's the only market below 91%, and Cloudflare's limited network presence in China means the figure should be treated with caution rather than quoted as settled fact.

Has HTTPS adoption plateaued? For human traffic, yes. Mobile browsing is effectively at its ceiling and moved -0.03pt this year. Desktop still has about a point of headroom, held back by legacy clients. Bot traffic is the only segment still moving meaningfully.

When did HTTPS become common? HTTPS became the web's default during the second half of the 2010s. Free automated certificate issuance removed the cost barrier, and in 2018 Chrome began labelling every plain-HTTP page as "Not Secure", which turned HTTPS from a nice-to-have into a requirement for anyone who wanted users to trust their site.

Is HTTPS good or bad? HTTPS is good, and at this point it's not really optional: browsers warn on plain HTTP, and search engines and payment providers assume encryption. The honest caveat is that HTTPS proves the connection is encrypted and the certificate matches. It doesn't prove the site is trustworthy. A phishing page can serve a perfectly valid certificate.

Which is not safe browsing? Any page served over plain HTTP is unsafe: anyone on the network path can read or alter it. A page with a broken certificate (expired, or issued for a different hostname) is also unsafe, and in our March 2026 crawl 283,317 domains were in exactly that state.

How do I check the HTTPS status of a website? Load the site and click the padlock (or the "Not Secure" label) in the address bar to inspect the certificate: issuer, hostname, and expiry date. For a fleet of domains rather than one, you need a scanner that checks certificate validity and hostname match, not just whether port 443 answers.

How do I force HTTPS on Android and iPhone? Both mobile browsers support an HTTPS-only mode. In Chrome on Android, it's under Settings → Privacy and security → "Always use secure connections". In Safari on iPhone, HTTPS upgrading is on by default for sites that support it. Given that mobile human traffic is already 99.44% encrypted, you'll rarely notice the difference.

Why should a SaaS company still care about HTTPS in 2026? Because the interesting risk moved from presence to quality. Nearly everyone has HTTPS. Far fewer have certificates that are valid on every subdomain, a TLS version floor that excludes 1.2, HSTS preload enforcement (only 4.19% of active domains), or origins ready for post-quantum key agreement (9.37%). Those are the gaps a security review will actually find.

What is HTTPS traffic? HTTPS traffic is HTTP traffic carried inside a TLS-encrypted connection. The request and response contents, including headers, cookies, and paths, are unreadable to anyone observing the network. Only the destination host and rough traffic timing remain visible.

What this data changes

Three things are worth taking away. Human web traffic is 98.60% encrypted and has stopped moving, so "do we have HTTPS" is no longer a question worth measuring. The bot population is where the remaining plaintext lives, and it's closing that gap nine times faster than humans did. And the numbers you'll read elsewhere disagree with each other for a boring, fixable reason: nobody names the denominator.

Where the real work remains is beneath the padlock: the 283,317 domains serving certificates that are expired or wrong, the 95.8% of domains that don't enforce HTTPS via HSTS preload, and the origin servers that are 7.5 times behind their own users on post-quantum readiness. Presence is solved. Hygiene isn't.

We detect the certificate authority, CDN, and security layer behind every domain in our crawl. If you want to see what's actually deployed across a set of companies, including which of them are serving a certificate that's already broken, that's what TechnologyChecker does.