The primary source for SEO guidance with clear and expert-level insights.

Effectives Strategies to Secure Your HTTPS

Last updated: Aug 05, 2022

Disclaimer: Our team is constantly compiling and adding new terms that are known throughout the SEO community and Google terminology. You may be sent through SEO Terms in cmlabs.co from third parties or links. Such external links are not investigated, or checked for accuracy and reliability by us. We do not assume responsibility for the accuracy or reliability of any information offered by third-party websites.

The eventualities are an inevitability that drives every business player to prepare scenarios and adapt. Watch the Anti-Trivial podcast featuring Mas Rochman, Bro Jimmy, and Pak Agus; a combination of a business practitioner, investor, and company leader, discussing how to enhance the foresight of business leaders in welcoming 2025. Don’t miss this special year-end edition of cmlabs Class, Episode 24 with title "New vs Conventional Search Engine. Prepare for the Eventualities!"

See Event Details

What is HTTPS?

HTTPS (Hypertext Transfer Protocol Secure) is an internet communication protocol that protects the integrity and confidentiality of user data between the user's computer and the site.

Users want a secure and private online experience when exploring the site. We recommend that you use HTTPS to protect a user's connection to a site, regardless of the content of the site.

Data sent using HTTPS is secured via the Transport Layer Security (TLS) protocol, which provides three key layers of protection:

Encryption—encrypts exchange data to keep data safe from eavesdroppers. It means that while a user is browsing a website, no one can “eavesdrop” on conversations, track activity across different pages, or steal information.
Data integrity—data cannot be altered or tampered with during the transfer process, intentionally or unintentionally.
Authentication—proves that your users are communicating with the intended website. It can protect them against man-in-the-middle (MITM) attacks and build user trust, which can provide other benefits for your business.

HTTPS Implementation Best Practices

Use a strong security certificate

You must obtain a security certificate as part of enabling HTTPS for your site. This certificate is issued by a certificate authority (CA), which will take some steps to verify that your website address really belongs to your organization, thereby protecting customers from man-in-the-middle attacks. While setting up the certificate, ensure that a high level of security is applied by selecting a 2048 bit key. If you already have a certificate with a weaker key (1024 bit), upgrade it to 2048 bit. Keep the following in mind when selecting a site certificate:

1. Get a certificate from a CA that you can rely on while offering technical support.

2. Determine the type of certificate you need:

a. One certificate for single secure origin (eg www.example.com)
b. Multiple domain certificates for multiple single secure origins are recognized (eg www.example.com, cdn.example.com, example.co.uk).
c. Wildcard certificate for single secure origin with many dynamic subdomains (eg a.example.com, b.example.com).

Use server side redirects

Redirect users and search engines to HTTPS pages or resources with server-side HTTP 301 redirects.

HTTP Code 301 Redirect — Figure 2: Image of a traffic sign containing text as an illustration of the HTTP 301 - Redirect status code. This status code is used when you want to redirect the user from the original destination page to the page that should be addressed. Too many redirects can degrade the user experience on the page. Even search engines will only index pages with up to five redirects. If more than that, the risk of your page failing to be indexed will be higher.

Verify HTTPS pages so they can be crawled and indexed by Google

Do not block HTTPS pages with a robots.txt file.
Do not include a no index meta tag on your HTTPS pages.
Use the URL Inspection tool to test if Googlebot can access your page.

Support HSTS

It is recommended that HTTPS sites support HSTS (HTTP Strict Transport Security). HSTS tells the browser to request an HTTPS page automatically, even if the user enters HTTP in the browser's location field. HSTS also tells Google to serve secure URLs in search results. All of these actions reduce the risk of serving unsafe content to users.

To support HSTS, use a web server that supports HSTS and can enable the function.

Although it is more secure, HSTS makes your rollback strategy even more complicated. We recommend enabling HSTS in the following way:

Launch the HTTPS page without HSTS first.
Start sending HSTS headers with a short maximum lifespan. Monitor traffic, both from users and other clients, as well as dependent performance, such as ads.
Increase the maximum mass of HSTS little by little.
If HSTS is not negatively impacting users and search engines, you can request that your site be added to the HSTS preload list used by most browsers.

Consider using HSTS preload.
If you enable HSTS, you can optionally support HSTS preloading for extra security and enhanced performance. To enable preloading, you must go to hstspreload.org and follow the submission requirements for the site.

Avoid these common mistakes.

During the process of securing your site with TLS, avoid the following mistakes:

Issue	Action
Expired Certificate	Make sure your certificate is up to date.
Certificate registered for the wrong site name	Make sure you have obtained certificates for all hostnames served by your site. For example, if your certificate includes only www.example.com, visitors who load the site only with example.com (without the "www." prefix) will be blocked for an incorrect certificate name error.
Server Name Indication (SNI) support is missing	Make sure your website supports SNI and your audience is using a supported browser. Although SNI is supported by all modern browsers, you need a dedicated IP.
Crawling issue	Do not block HTTPS sites from being crawled by using robots.txt.
Indexing issue	Allow page indexing with search engines. Avoid the no index meta tag.
Old protocol versions	Old protocol versions are particularly vulnerable; make sure you have the latest and greatest version of the TLS collection and apply the latest protocol version. Open in Google Translate
The content difference on HTTP and HTTPS	Make sure the content on your HTTP and HTTPS sites is the same.
HTTP status code error in HTTPS	Check that your website returns the correct HTTP status code. For example 200 OK for accessible pages, or 404 or 410 for non-existent pages.

Migrating from HTTP to HTTPS

If you're migrating a site from HTTP to HTTPS, Google treats this process only as a site move with a URL change. This process may temporarily affect some of your traffic volumes. See the site movement summary page to learn more.

Add new HTTPS property to Search Console: Search Console treats HTTP and HTTPS differently, the data is not shared with other properties in Search Console.

cmlabs

WDYT, you like my article?