HTTPS + SSL for SEO

HTTPS encrypts traffic between your visitors and your site. Google treats it as a light ranking signal, browsers flag non-HTTPS as insecure, and users bounce. In 2026, HTTP-only sites are nearly extinct outside legacy systems.

Why HTTPS matters

• Ranking signal. Minor, but present since 2014.
• User trust. Chrome, Safari, Firefox show "Not Secure" warnings on HTTP sites. Visitors bounce before seeing your content.
• Privacy. Without HTTPS, ISPs and network middlemen can read and modify traffic.
• Modern features require it. PWAs, service workers, geolocation, camera access, all require HTTPS.
• Referrer preservation. HTTPS→HTTPS sends referrer; HTTPS→HTTP strips it. You want that analytics data.

How to get HTTPS

Free via Let's Encrypt. Most modern hosts (Cloudflare, Netlify, Vercel, AWS) ship HTTPS by default. For legacy hosts without built-in support, use Certbot to generate free certificates.

The HTTP → HTTPS migration

1. Install certificate on the server
2. Test HTTPS works correctly (no mixed content warnings)
3. 301 redirect all HTTP URLs to HTTPS at the server level
4. Update internal links to HTTPS
5. Update canonical tags to HTTPS
6. Update sitemap URLs to HTTPS
7. Add new HTTPS property in Google Search Console (GSC treats HTTP and HTTPS as different properties)
8. Submit HTTPS sitemap to GSC
9. Update robots.txt (if hardcoded to HTTP)
10. Monitor rankings for a few weeks, minor fluctuations are normal

Mixed content

When an HTTPS page loads resources (images, scripts) over HTTP, browsers block or warn about "mixed content." Fix by updating all asset URLs to HTTPS or to protocol-relative URLs (//example.com/image.jpg).

HSTS (HTTP Strict Transport Security)

An HTTP header that tells browsers to always use HTTPS for your domain, even if a user types http://. Prevents downgrade attacks.

Strict-Transport-Security: max-age=31536000; includeSubDomains

Set it once HTTPS is stable. The max-age is how long browsers remember (1 year here).

Certificate types

• Domain Validation (DV), proves domain ownership. Free via Let's Encrypt. Fine for most sites.
• Organization Validation (OV), validates the organization. Shows the org name in the certificate. Paid.
• Extended Validation (EV), more rigorous validation. Used to show a green bar in browsers; no longer does since 2019. Paid, rarely worth it now.

Renewal

Let's Encrypt certificates expire every 90 days. Automate renewal (Certbot, most hosting providers do this). An expired cert = site instantly flagged as insecure.

Common mistakes

• Forgetting to migrate subdomains (blog.example.com still on HTTP)
• Mixed content from old embedded images
• Internal links still pointing to HTTP
• Not updating external backlinks to point to HTTPS (not always possible, but 301s handle it)
• Letting cert expire

SSL Labs test

ssllabs.com/ssltest, grades your HTTPS setup. Aim for A or A+. A "B" grade usually means deprecated protocols or ciphers enabled.