Secure Your Website with HTTPS



What is HTTPS?

HTTPS (Hypertext Transfer Protocol Secure) is an internet communication protocol that protects the integrity and confidentiality of user data between the user’s computer and the site. Users expect a secure and private online experience when using a website. You should adopt HTTPS to protect the user’s connection to your site, regardless of the site’s content.

Since 2014, Google has given preference to websites with good domain security, which it takes to mean that the domain serves HTTPS with a valid SSL/TLS certificate.

Furthermore, since January 2017, Google Chrome has marked pages served only over HTTP as insecure when they collect private information such as email addresses and account credentials. If your domain still serves plain HTTP, now is the right time to switch to HTTPS.

From an SEO perspective, search engines, especially Google, now prioritize websites using HTTPS to be displayed in search results.


Data sent using HTTPS is secured via the Transport Layer Security (TLS) protocol, which provides three key layers of protection:

  1. Encryption: the data exchanged is encrypted to keep it safe from eavesdroppers. While a user browses your website, no one on the network can “listen in” on the conversation, track their activity across pages, or steal their information.

  2. Data integrity: data cannot be modified or corrupted in transit, whether intentionally or otherwise, without being detected.

  3. Authentication: proves that your users are communicating with the intended website. This protects against man-in-the-middle (MITM) attacks and builds user trust, which can bring further benefits for your business.

Migrating from HTTP to HTTPS

If you migrate your site from HTTP to HTTPS, Google treats this process as a site move with a URL change. This process may temporarily affect some of your traffic.

Add the new HTTPS property to Search Console: Search Console treats HTTP and HTTPS separately; data is not shared between different properties in Search Console.

Best Practices When Implementing HTTPS

Verify that HTTPS Pages Can Be Crawled and Indexed by Google

  • Do not block HTTPS pages with a robots.txt file.
  • Do not include noindex meta tags on your HTTPS pages.
  • Use the URL Inspection tool to test if Googlebot can access your pages.

Use Server-Side Redirects

Redirect users and search engines to the HTTPS page or resource with server-side HTTP 301 redirects.

Support HSTS

It is recommended that HTTPS sites support HSTS (HTTP Strict Transport Security). HSTS tells the browser to request HTTPS pages automatically, even if the user enters “http” in the browser’s address bar. HSTS also tells Google to serve the secure URL in search results. All of these actions reduce the risk of serving insecure content to users.

To support HSTS, use a web server that can send the Strict-Transport-Security header, and enable the feature in its configuration.

While more secure, HSTS makes your rollback strategy more complex. It’s best to enable HSTS as follows:

  1. Launch HTTPS pages without HSTS first.
  2. Start sending HSTS headers with a short max-age. Monitor traffic from both users and other clients, as well as dependent services such as ads.
  3. Gradually increase the maximum age of HSTS.
  4. If HSTS has no negative impact on users and search engines, you can request that your site be added to the HSTS preload list used by most browsers.
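The redirect and the staged HSTS rollout above can both be verified from the headers the server actually returns. The script below is an added example and is not code from the original article: it works on captured response header blocks of the kind `curl -sI` prints (the samples here are constructed, not taken from any real site), confirms that the plain-HTTP response is a 301 to an https:// URL, reads the HSTS max-age, maps it onto the rollout steps (the one-day boundary between a “short” and a “long” max-age is an assumption of this example), and checks the preload list's header requirements (max-age of at least one year, includeSubDomains and preload).

```shell
#!/bin/sh
# Added example, not from the original article: check each step of an
# HTTP -> HTTPS rollout from captured response headers. Inputs are raw
# header blocks of the kind `curl -sI <url>` prints; the samples below
# are constructed, not captured from any real site.

# check_http_redirect RESPONSE
# Succeeds only if the plain-HTTP response is a 301 whose Location is https://.
check_http_redirect() {
    status=$(printf '%s\n' "$1" | tr -d '\r' | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$1" | tr -d '\r' \
        | awk 'tolower($1) == "location:" {print $2; exit}')
    [ "$status" = "301" ] || return 1
    case "$location" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# hsts_max_age RESPONSE
# Prints the max-age from the Strict-Transport-Security header, or 0 when
# the header is missing or carries no max-age directive.
hsts_max_age() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($1) == "strict-transport-security:" && !found {
            sub(/^[^:]*:/, "")              # drop the header name
            n = split($0, d, ";")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", d[i])   # trim each directive
                if (!found && tolower(d[i]) ~ /^max-age=[0-9]+$/) {
                    split(d[i], kv, "=")
                    print kv[2]; found = 1
                }
            }
        }
        END { if (!found) print 0 }'
}

# hsts_stage RESPONSE
# Maps the max-age onto the rollout steps in the text: "none" (no HSTS yet),
# "short" (under one day; the boundary is this example's assumption) or "long".
hsts_stage() {
    age=$(hsts_max_age "$1")
    if [ "$age" -eq 0 ]; then
        echo none
    elif [ "$age" -lt 86400 ]; then
        echo short
    else
        echo long
    fi
}

# hsts_preload_ready RESPONSE
# Succeeds when the header meets the preload list's header requirements:
# max-age of at least one year (31536000 s), includeSubDomains and preload.
hsts_preload_ready() {
    hdr=$(printf '%s\n' "$1" | tr -d '\r' \
        | awk 'tolower($1) == "strict-transport-security:" {print tolower($0); exit}')
    [ "$(hsts_max_age "$1")" -ge 31536000 ] || return 1
    case "$hdr" in *includesubdomains*) ;; *) return 1 ;; esac
    case "$hdr" in *preload*)           ;; *) return 1 ;; esac
    return 0
}

# Constructed sample responses for three points in the rollout.
HTTP_RESP='HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/
Content-Length: 0'

HTTPS_RESP_SHORT='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Content-Type: text/html'

HTTPS_RESP_PRELOAD='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Type: text/html'

# Report, as a monitoring job would during the staged rollout.
if check_http_redirect "$HTTP_RESP"; then
    echo "http -> https: 301 redirect in place"
else
    echo "http -> https: missing, or not a 301 to an https:// URL"
fi
for r in "$HTTPS_RESP_SHORT" "$HTTPS_RESP_PRELOAD"; do
    echo "HSTS max-age=$(hsts_max_age "$r") stage=$(hsts_stage "$r")"
    if hsts_preload_ready "$r"; then
        echo "  meets the preload list's header requirements"
    fi
done
```

Point the same functions at real `curl -sI http://your-host/` and `curl -sI https://your-host/` output to watch the rollout progress; the preload check only covers the header itself, and the preload list also requires that the HTTP site redirect to HTTPS on the same host and that every subdomain be served over HTTPS.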

Use Strong Security Certificates

You must obtain a security certificate as part of enabling HTTPS for your site. This certificate is issued by a Certificate Authority (CA), which takes steps to verify that your website address truly belongs to your organization, protecting customers from man-in-the-middle attacks. When setting up the certificate, use a strong key: choose a 2048-bit key. If you already have a certificate with a weaker (1024-bit) key, upgrade it to 2048-bit. When choosing a site certificate, consider the following:

Get your certificate from a reliable CA that offers technical support.

Determine the type of certificate you need:

  • A single certificate for a single secure origin (e.g., www.example.com).
  • A multi-domain certificate for several known secure origins (e.g., www.example.com, cdn.example.com, example.co.uk).
  • A wildcard certificate for secure origins with many dynamic subdomains (e.g., a.example.com, b.example.com).
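Two of the points above, the 2048-bit minimum and matching the certificate to the origins it must cover, can be checked on a certificate file before it is deployed. The script below is an added example and is not code from the original article; it assumes the openssl command-line tool is installed, builds a throwaway self-signed certificate for constructed names (www.example.com and cdn.example.com) purely as sample input, reads the key size from openssl's text dump, and uses `openssl verify -verify_hostname` to confirm which hostnames the certificate covers.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the openssl CLI is
# installed. Checks a certificate file for the two properties discussed in
# the text: an RSA key of at least 2048 bits, and coverage of the hostname
# (or hostnames) the certificate is meant to protect.

# cert_key_bits CERT_FILE
# Prints the public key size in bits, taken from the line openssl prints as
# "Public-Key: (2048 bit)" (older releases print "RSA Public-Key: ...").
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# cert_key_ok CERT_FILE
# Succeeds only when the key meets the 2048-bit minimum.
cert_key_ok() {
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# cert_covers_host CERT_FILE HOSTNAME
# Succeeds when the certificate's SAN/CN covers HOSTNAME. The file is used
# as its own trust anchor so that only the name check matters here; for a
# CA-issued certificate, point -CAfile at the CA chain instead.
cert_covers_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# make_sample_cert
# Constructed sample input: a throwaway self-signed certificate with a
# 2048-bit key for www.example.com and cdn.example.com (a multi-domain
# certificate in the text's terms). Prints the path of the PEM file.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=www.example.com" \
        -addext "subjectAltName=DNS:www.example.com,DNS:cdn.example.com" \
        >/dev/null 2>&1 || return 1
    echo "$dir/cert.pem"
}

# Run the checks on the sample, as you would on a certificate before deploying it.
CERT=$(make_sample_cert) || exit 1
echo "key size: $(cert_key_bits "$CERT") bits"
if cert_key_ok "$CERT"; then
    echo "key size: OK (at least 2048 bits)"
else
    echo "key size: too weak, reissue the certificate with a 2048-bit key"
fi
for host in www.example.com cdn.example.com example.co.uk; do
    if cert_covers_host "$CERT" "$host"; then
        echo "$host: covered"
    else
        echo "$host: NOT covered by this certificate"
    fi
done
```

For a certificate you have been issued, call `cert_key_ok` and `cert_covers_host` on the real PEM file with the CA chain as the trust anchor; an origin that reports “NOT covered” needs either a multi-domain certificate listing it or, for many dynamic subdomains, a wildcard certificate.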