Effective Strategies to Secure Your HTTPS
Last updated: Aug 05, 2022
What is HTTPS?
HTTPS (Hypertext Transfer Protocol Secure) is an internet communication protocol that protects the integrity and confidentiality of user data between the user's computer and the site.
Users want a secure and private online experience when exploring the site. We recommend that you use HTTPS to protect a user's connection to a site, regardless of the content of the site.
Data sent using HTTPS is secured via the Transport Layer Security (TLS) protocol, which provides three key layers of protection:
- Encryption—encrypts the exchanged data to keep it safe from eavesdroppers. While a user is browsing a website, no one can “eavesdrop” on conversations, track activity across different pages, or steal information.
- Data integrity—data cannot be altered or tampered with during the transfer process, intentionally or unintentionally.
- Authentication—proves that your users are communicating with the intended website. It can protect them against man-in-the-middle (MITM) attacks and build user trust, which can provide other benefits for your business.
HTTPS Implementation Best Practices
Use a strong security certificate
You must obtain a security certificate as part of enabling HTTPS for your site. This certificate is issued by a certificate authority (CA), which takes steps to verify that your website address really belongs to your organization, thereby protecting customers from man-in-the-middle attacks. While setting up the certificate, ensure a high level of security by selecting a 2048-bit key. If you already have a certificate with a weaker key (1024-bit), upgrade it to 2048-bit. Keep the following in mind when selecting a site certificate:
1. Get a certificate from a reliable CA that offers technical support.
2. Determine the type of certificate you need:
- a. A single certificate for a single secure origin (e.g. www.example.com).
- b. A multi-domain certificate for multiple known secure origins (e.g. www.example.com, cdn.example.com, example.co.uk).
- c. A wildcard certificate for a secure origin with many dynamic subdomains (e.g. a.example.com, b.example.com).
Use server side redirects
Redirect users and search engines to HTTPS pages or resources with server-side HTTP 301 redirects.
Verify HTTPS pages so they can be crawled and indexed by Google
- Do not block HTTPS pages with a robots.txt file.
- Do not include a noindex meta tag on your HTTPS pages.
- Use the URL Inspection tool to test if Googlebot can access your page.
It is recommended that HTTPS sites support HSTS (HTTP Strict Transport Security). HSTS tells the browser to request an HTTPS page automatically, even if the user enters HTTP in the browser's location field. HSTS also tells Google to serve secure URLs in search results. All of these actions reduce the risk of serving unsafe content to users.
To support HSTS, use a web server that supports HSTS and enable the feature.
Although it is more secure, HSTS makes your rollback strategy even more complicated. We recommend enabling HSTS in the following way:
- Launch the HTTPS page without HSTS first.
- Start sending HSTS headers with a short max-age. Monitor traffic, both from users and other clients, as well as the performance of dependents, such as ads.
- Increase the HSTS max-age little by little.
- If HSTS is not negatively impacting users and search engines, you can request that your site be added to the HSTS preload list used by most browsers.
Consider using HSTS preload.
If you enable HSTS, you can optionally support HSTS preloading for extra security and enhanced performance. To enable preloading, you must go to hstspreload.org and follow the submission requirements for the site.
Avoid these common mistakes.
During the process of securing your site with TLS, avoid the following mistakes:
| Issue | Action |
|---|---|
| Expired certificate | Make sure your certificate is up to date. |
| Certificate registered for the wrong site name | Make sure you have obtained certificates for all hostnames served by your site. For example, if your certificate includes only www.example.com, visitors who load the site with just example.com (without the "www." prefix) will be blocked by a certificate name mismatch error. |
| Server Name Indication (SNI) support is missing | Make sure your web server supports SNI and your audience is using a supported browser. SNI is supported by all modern browsers; you need a dedicated IP only if you must support older browsers that lack it. |
| Crawling issue | Do not block HTTPS sites from being crawled by using robots.txt. |
| Indexing issue | Allow page indexing by search engines. Avoid the noindex meta tag. |
| Old protocol versions | Old protocol versions are particularly vulnerable; make sure you run the latest version of your TLS library and use the latest protocol version. |
| Content differs between HTTP and HTTPS | Make sure the content on your HTTP and HTTPS sites is the same. |
| HTTP status code error in HTTPS | Check that your website returns the correct HTTP status code. For example, 200 OK for accessible pages, or 404 or 410 for non-existent pages. |
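The first two mistakes in the table, an expired certificate and a certificate that does not cover every served hostname, can be checked before users hit the error. This Python is an added example, not code from the original page; the sample certificate is constructed in the shape `ssl.SSLSocket.getpeercert()` returns, and the matcher is a simplification that accepts a wildcard only as the entire leftmost label.

```python
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notAfter": "Aug  5 12:00:00 2023 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.shop.example.com")),
}

def name_matches(pattern, hostname):
    """True if one certificate DNS name covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label, never zero or two
    if p[0] == "*":
        # require at least two fixed labels after the wildcard
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return "*" not in pattern and p == h

def audit_certificate(cert, served_hosts, now):
    """Return the problems found: expiry, then each hostname the cert misses."""
    problems = []
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        problems.append("expired")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for host in served_hosts:
        if not any(name_matches(n, host) for n in names):
            problems.append(f"name mismatch: {host}")
    return problems

if __name__ == "__main__":
    import time
    hosts = ["www.example.com", "example.com", "a.shop.example.com"]
    for problem in audit_certificate(SAMPLE_CERT, hosts, time.time()):
        print(problem)
```

A wildcard such as `*.example.com` covers `a.example.com` but neither the bare `example.com` nor `a.b.example.com`, so list every apex and nested hostname explicitly when you request the certificate.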
Migrating from HTTP to HTTPS
If you're migrating a site from HTTP to HTTPS, Google treats this process only as a site move with a URL change. This process may temporarily affect some of your traffic volumes. See the site movement summary page to learn more.
Add the new HTTPS property to Search Console: Search Console treats HTTP and HTTPS as separate properties, and data is not shared between properties.