Effective Strategies to Secure Your HTTPS

Last updated: Aug 05, 2022


What is HTTPS?

HTTPS (Hypertext Transfer Protocol Secure) is an internet communication protocol that protects the integrity and confidentiality of user data between the user's computer and the site.

Users want a secure and private online experience when exploring the site. We recommend that you use HTTPS to protect a user's connection to a site, regardless of the content of the site.

Data sent using HTTPS is secured via the Transport Layer Security (TLS) protocol, which provides three key layers of protection:

  • Encryption—encrypts the exchanged data to keep it safe from eavesdroppers. While a user is browsing a website, no one can “eavesdrop” on conversations, track activity across different pages, or steal information.
  • Data integrity—data cannot be altered or tampered with during the transfer process, intentionally or unintentionally.
  • Authentication—proves that your users are communicating with the intended website. It can protect them against man-in-the-middle (MITM) attacks and build user trust, which can provide other benefits for your business.


HTTPS Implementation Best Practices

Use a strong security certificate

You must obtain a security certificate as part of enabling HTTPS for your site. This certificate is issued by a certificate authority (CA), which takes steps to verify that your website address really belongs to your organization, thereby protecting customers from man-in-the-middle attacks. While setting up the certificate, ensure a high level of security by selecting a 2048-bit key. If you already have a certificate with a weaker key (1024-bit), upgrade it to 2048-bit. Keep the following in mind when selecting a site certificate:

1. Get a certificate from a reliable CA that offers technical support.

2. Determine the type of certificate you need:

  • a. A single certificate for a single secure origin (e.g. www.example.com).
  • b. A multi-domain certificate for multiple known secure origins (e.g. www.example.com, cdn.example.com, example.co.uk).
  • c. A wildcard certificate for a secure origin with many dynamic subdomains (e.g. a.example.com, b.example.com).

Use server side redirects

Redirect users and search engines to HTTPS pages or resources with server-side HTTP 301 redirects.

HTTP Code 301 Redirect
Figure 2: Image of a traffic sign containing text as an illustration of the HTTP 301 - Redirect status code. This status code is used when you want to redirect the user from the original destination page to the page that should be addressed. Too many redirects can degrade the user experience on the page. Even search engines will only index pages with up to five redirects. If more than that, the risk of your page failing to be indexed will be higher.
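A redirect chain can be checked against these points once its hops have been recorded. The following is an added example, not part of the original article: the function name and the sample chains are constructed for illustration, and the five-redirect limit is the one this page cites.

```python
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5            # the five-redirect indexing limit this page cites
PERMANENT = {301, 308}       # 308 is the method-preserving permanent redirect
TEMPORARY = {302, 303, 307}

def audit_redirect_chain(start_url, hops):
    """Walk recorded (status, Location) pairs; return (final_url, findings)."""
    findings, url, redirects = [], start_url, 0
    for status, location in hops:
        if status not in PERMANENT | TEMPORARY or not location:
            break                                # final response reached
        target = urljoin(url, location)          # Location may be relative
        redirects += 1
        if status in TEMPORARY:
            findings.append(f"{url}: temporary {status}, use 301")
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme != "https":
            findings.append(f"{url}: redirects away from HTTPS to {target}")
        url = target
    if urlsplit(url).scheme != "https":
        findings.append(f"final URL {url} is not HTTPS")
    if redirects > MAX_REDIRECTS:
        findings.append(f"{redirects} redirects, more than {MAX_REDIRECTS}")
    return url, findings

# Constructed sample chains (not captured from a real site).
GOOD = [(301, "https://www.example.com/page"), (200, None)]
BAD = [(302, "https://example.com/page"),
       (301, "http://www.example.com/page"), (200, None)]

if __name__ == "__main__":
    print(audit_redirect_chain("http://www.example.com/page", GOOD))
    print(audit_redirect_chain("http://example.com/page", BAD))
```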

Verify HTTPS pages so they can be crawled and indexed by Google

  • Do not block HTTPS pages with a robots.txt file.
  • Do not include a noindex meta tag on your HTTPS pages.
  • Use the URL Inspection tool to test if Googlebot can access your page.


Support HSTS

It is recommended that HTTPS sites support HSTS (HTTP Strict Transport Security). HSTS tells the browser to request an HTTPS page automatically, even if the user enters HTTP in the browser's location field. HSTS also tells Google to serve secure URLs in search results. All of these actions reduce the risk of serving unsafe content to users.

To support HSTS, use a web server that supports it and enable the feature.

Although it is more secure, HSTS makes your rollback strategy even more complicated. We recommend enabling HSTS in the following way:

  • Launch the HTTPS page without HSTS first.
  • Start sending HSTS headers with a short max-age. Monitor traffic, both from users and other clients, as well as the performance of dependents, such as ads.
  • Increase the HSTS max-age little by little.
  • If HSTS is not negatively impacting users and search engines, you can request that your site be added to the HSTS preload list used by most browsers.

Consider using HSTS preload.
If you enable HSTS, you can optionally support HSTS preloading for extra security and enhanced performance. To enable preloading, you must go to hstspreload.org and follow the submission requirements for the site.
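The staged rollout above can be tracked by classifying the Strict-Transport-Security header a site currently sends. This is an added example, not code from the original article: the stage names and the one-week "trial" threshold are assumptions, while the preload conditions (max-age of at least one year, includeSubDomains, preload) are the header requirements published at hstspreload.org.

```python
import re

PRELOAD_MIN_AGE = 31536000   # one year: minimum max-age hstspreload.org accepts
TRIAL_MAX_AGE = 7 * 86400    # assumption: anything under a week counts as a trial

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_sub, preload)."""
    max_age, include_sub, preload = None, False, False
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", arg):
                raise ValueError(f"invalid max-age: {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub, preload

def rollout_stage(header):
    """Map the header a site sends (None if absent) to a rollout stage."""
    if header is None:
        return "no-hsts"                 # HTTPS launched, HSTS not yet sent
    max_age, include_sub, preload = parse_hsts(header)
    if max_age == 0:
        return "disabled"                # max-age=0 makes browsers drop the policy
    if preload and not (include_sub and max_age >= PRELOAD_MIN_AGE):
        return "preload-misconfigured"   # preload token without its prerequisites
    if preload:
        return "preload-ready"           # header meets the preload list's conditions
    return "trial" if max_age < TRIAL_MAX_AGE else "ramping"

# Constructed header values, one per stage of the rollout.
SAMPLES = [None, "max-age=300", "max-age=2592000; includeSubDomains",
           "max-age=63072000; includeSubDomains; preload"]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h!r:55} -> {rollout_stage(h)}")
```

Sending max-age=0 is the rollback path: it tells browsers that already stored the policy to drop it, but only once they revisit the site over HTTPS.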

Avoid these common mistakes.

During the process of securing your site with TLS, avoid the following mistakes:

| Issue | Action |
| --- | --- |
| Expired certificate | Make sure your certificate is up to date. |
| Certificate registered for the wrong site name | Make sure you have obtained certificates for all hostnames served by your site. For example, if your certificate covers only www.example.com, visitors who load the site as example.com (without the "www." prefix) will be blocked by a certificate name mismatch error. |
| Server Name Indication (SNI) support is missing | Make sure your website supports SNI and your audience is using a supported browser. Although SNI is supported by all modern browsers, you need a dedicated IP if you must support older browsers. |
| Crawling issue | Do not block HTTPS sites from being crawled by using robots.txt. |
| Indexing issue | Allow page indexing by search engines. Avoid the noindex meta tag. |
| Old protocol versions | Old protocol versions are particularly vulnerable; make sure you have the latest versions of your TLS libraries and use the latest protocol version. |
| Content differs between HTTP and HTTPS | Make sure the content on your HTTP and HTTPS sites is the same. |
| HTTP status code error in HTTPS | Check that your website returns the correct HTTP status code. For example, 200 OK for accessible pages, or 404 or 410 for non-existent pages. |
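The expired-certificate and wrong-site-name mistakes can be caught before visitors see them by auditing the certificate's fields. This is an added example, not code from the original article: the function names and the sample certificate are constructed, and the 30-day warning window is an assumption.

```python
import socket
import ssl

def name_matches(pattern, host):
    """'*' is honoured only as the whole leftmost label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def audit_certificate(cert, hostnames, now, warn_days=30):
    """cert: dict shaped like ssl.SSLSocket.getpeercert(); now: epoch seconds."""
    findings = []
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        findings.append("certificate expired")
    elif days_left < warn_days:
        findings.append(f"certificate expires in {int(days_left)} days")
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for host in hostnames:
        if not any(name_matches(s, host) for s in sans):
            findings.append(f"{host} not covered by certificate")
    return findings

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live certificate over TLS 1.2+; the handshake itself raises
    ssl.SSLCertVerificationError if it is already expired or mismatched."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse old protocol versions
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed certificate fields mirroring the page's example: only the www name is listed.
SAMPLE_CERT = {
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.cdn.example.com")),
}
```

Fetch the certificate through a hostname that works, then pass every hostname the site serves to `audit_certificate` with `time.time()` as `now`; names missing from the certificate are reported without needing a failing connection to each one.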


Migrating from HTTP to HTTPS

If you're migrating a site from HTTP to HTTPS, Google treats this process as a site move with a URL change. This process may temporarily affect some of your traffic volumes. See the site move overview page to learn more.

Add the new HTTPS property to Search Console: Search Console treats HTTP and HTTPS as separate properties, and data is not shared between properties in Search Console.
