HTTPS encrypts traffic between your visitors and your site. In 2026, non-HTTPS sites are nearly extinct outside legacy systems. Google treats HTTPS as a ranking signal (minor but real), browsers flag non-HTTPS sites as "Not Secure," and users bounce before seeing your content. This page walks through why HTTPS matters, how to migrate if you haven't, and the common mistakes that leave the migration half-finished.
Certificates are free via Let's Encrypt. Most modern hosts (Cloudflare, Netlify, Vercel, AWS) ship HTTPS by default. For legacy hosts, use Certbot to generate free certificates.
After migration, expect minor ranking fluctuation for a few weeks while Google re-crawls and re-indexes. A well-executed migration generally fully recovers within 6 weeks.
When an HTTPS page loads resources (images, scripts, fonts) over HTTP, browsers block or warn about "mixed content." Fix by updating all asset URLs to HTTPS or to protocol-relative URLs (//example.com/image.jpg).
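To find these before a browser does, the added example below (not from the original page) scans a page's HTML for subresources that would load over plain HTTP. The `MixedContentScanner` class, the tag table and the sample markup are constructed for illustration, and the table covers common tags only.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# "active" loads are blocked when insecure; "passive" ones are warned about or auto-upgraded.
RESOURCES = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("object", "data"): "active", ("embed", "src"): "active",
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only some <link> types fetch a resource; rel=canonical does not.
            rel = (attrs.get("rel") or "").lower().split()
            kind = "active" if "stylesheet" in rel else "passive" if "icon" in rel else None
            self._check(kind, tag, attrs.get("href"))
        for (name, attr), kind in RESOURCES.items():
            if name == tag:
                self._check(kind, tag, attrs.get(attr))

    def _check(self, kind, tag, url):
        if not kind or not url:
            return
        # Relative and protocol-relative (//host/path) URLs inherit the page scheme.
        resolved = urljoin(self.page_url, url.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((kind, tag, resolved))

def scan(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample markup for a page served at https://example.com/post.
SAMPLE = """<link rel="canonical" href="http://example.com/post">
<link rel="stylesheet" href="http://example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
<img src="http://example.com/image.jpg">
<img src="/static/logo.png">
<a href="http://example.com/old">old link</a>"""

if __name__ == "__main__":
    print(scan(SAMPLE, "https://example.com/post"))
```

Only the stylesheet and the first image are reported: the canonical link and the anchor are not subresource loads, and the relative and protocol-relative URLs resolve to HTTPS.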
HSTS (HTTP Strict Transport Security) is an HTTP response header that tells browsers to always use HTTPS for your domain, even if a user types http:// manually. It prevents downgrade attacks.
Strict-Transport-Security: max-age=31536000; includeSubDomains
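Set it once HTTPS is stable, because browsers that have seen the header will refuse plain HTTP for your domain until the policy expires. The max-age value is in seconds and sets how long browsers remember the policy (1 year here). includeSubDomains applies the policy to every subdomain, so each one must already serve HTTPS.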
Let's Encrypt certificates expire every 90 days. Automate renewal (Certbot and most hosting providers do this automatically). An expired certificate means the site is instantly flagged as insecure. Set up monitoring.
Run your domain through ssllabs.com/ssltest. You should get an A or A+ grade. Anything lower usually means deprecated protocols or ciphers are still enabled. Fix those in your server config.
Open your site in a fresh browser. Check the lock icon in the address bar. Is it locked? Good. Then open Chrome DevTools, Console tab, reload the page. Any "mixed content" warnings? Fix those now. Then run the SSL Labs test for a grade. If you're under A, that's this week's work.
Next: site architecture, how the structure of your URL tree directly affects rankings.