With Chrome version 62 arriving next month Google will begin making good on the promise of warning users when they land on non-secure (non-SSL, non-TLS) sites. This will be subtle at first with a light gray warning on pages that contain any input forms. This warning message will get progressively prevalent and prominent with every new version of Chrome and one must imagine other browsers will follow suit.
Another angle where HTTPS is being pushed is with AMP pages. Secure AMP pages are widely preferred by Google over the non-secure ones. In fact it seems non-secure AMP pages are not even picked up by Google News. That should give content and news sites a serious dose of inducement to go secure if they'd want better representation in the mobile world.
This blog has already covered available options to make a site secure, but once secure what can sites do to effectively promote their new secure status to search engines and by extension to their audience?
Here is a checklist of steps to take once a site has been migrated to HTTPS.
- Test the site with a reputable SSL/TLS utility such as https://www.ssllabs.com/ssltest/ and aim for a high grade. Make sure all pages get a green padlock. For that, every page element's URL must be relative or start with https:// or //. Either update them manually, use plugins for CMSs such as WordPress, or use server modules, for example mod_substitute for Apache.
- Use the header Content-Security-Policy: upgrade-insecure-requests or its meta tag equivalent. Not all browsers support this CSP directive, but the majority do. It instructs the browser to upgrade all HTTP elements on the page to their HTTPS equivalents before requesting them.
- Use canonical headers or link tags to point to the HTTPS versions of your pages; see https://support.google.com/webmasters/answer/139066. The canonical tag is used to point search engines to the most desirable and valid version of a page.
- Use Google Search Console (previously known as Webmaster Tools) to advise Google of your site and, to some extent, instruct Google on crawling and indexing your pages via Sitemaps. If you already have the non-secure version of your site in Search Console, that is not enough: you must now add the HTTPS version of your site as well. Search Console is also a great tool for monitoring how Google interacts with your site. It even sends emails if it runs into any issues, such as being unable to crawl your site or finding malware.
- If you use freebie certs, use a reputable certificate authority. For example StartSSL certificates are no longer trusted by some browsers, but Let’s Encrypt is fast gaining momentum. There are drawbacks such as lack of wildcard certificates or shorter validity durations so it takes a bit more management effort in return for no cost.
- Utilize HTTP Strict Transport Security (HSTS) policy for your site. This policy instructs browsers to only interact with your site via HTTPS for a specified duration of time. This is strictly a response header field so access to the server configuration is necessary. It is doubtful that HSTS will improve search engine rankings, but it certainly doesn’t hurt and if a site has migrated to HTTPS, HSTS would be a wise security policy.
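The first, second, third and last items of the checklist can all be verified from a single fetched response: scan the HTML for element URLs that are neither relative, nor protocol-relative, nor https://, and inspect the Content-Security-Policy, Strict-Transport-Security and canonical headers or link tags. The following added example is a hypothetical audit script written for this post, not code from the original article or from any tool it mentions; the response headers and HTML it runs over are constructed sample data, and the function and attribute names are this example's own.

```python
"""Audit one fetched page for the HTTPS-migration checklist items.

Added example (hypothetical checker). Given a response's headers and HTML it
reports:
  * mixed content: element URLs that are absolute http:// (should be relative,
    protocol-relative // or https://)
  * whether Content-Security-Policy carries upgrade-insecure-requests
  * whether HSTS is set, and with what max-age
  * whether rel=canonical (link tag or Link header) points at an https:// URL
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags/attributes that load sub-resources or submit data; these are the URLs
# that must be relative, // or https:// for the padlock to stay green.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "form": ("action",),
}


class PageScanner(HTMLParser):
    """Collect insecure element URLs and the <link rel="canonical"> href."""

    def __init__(self):
        super().__init__()
        self.insecure = []      # list of (tag, attribute, url)
        self.canonical = None   # href of <link rel="canonical">, if present

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)   # HTMLParser lowercases tag and attribute names
        if tag == "link" and (attrs.get("rel") or "").lower() == "canonical":
            self.canonical = attrs.get("href")
            return            # the canonical link is not a loaded resource
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # srcset is "url descriptor, url descriptor, ..."; take each url
            if attr == "srcset":
                urls = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value]
            for url in urls:
                if urlsplit(url).scheme == "http":
                    self.insecure.append((tag, attr, url))


def parse_link_header(value):
    """Return the URL of a Link header entry with rel="canonical", if any."""
    for part in value.split(","):
        m = re.match(r"\s*<([^>]+)>(.*)", part)
        if m and re.search(r'rel\s*=\s*"?canonical"?', m.group(2), re.I):
            return m.group(1)
    return None


def audit(headers, html):
    """Return a dict of findings for one response (headers: name -> value)."""
    h = {k.lower(): v for k, v in headers.items()}
    scanner = PageScanner()
    scanner.feed(html)

    csp = h.get("content-security-policy", "")
    upgrade = any(d.strip().lower() == "upgrade-insecure-requests"
                  for d in csp.split(";"))

    m = re.search(r"max-age\s*=\s*(\d+)", h.get("strict-transport-security", ""), re.I)
    hsts_max_age = int(m.group(1)) if m else None

    # Prefer the in-page tag; fall back to a Link response header.
    canonical = scanner.canonical
    if canonical is None and "link" in h:
        canonical = parse_link_header(h["link"])

    return {
        "mixed_content": scanner.insecure,
        "upgrade_insecure_requests": upgrade,
        "hsts_max_age": hsts_max_age,
        "canonical": canonical,
        "canonical_https": bool(canonical) and urlsplit(canonical).scheme == "https",
    }


def passes(findings):
    """True when every checklist item verified here is satisfied."""
    return (not findings["mixed_content"]
            and findings["upgrade_insecure_requests"]
            and findings["hsts_max_age"] is not None
            and findings["canonical_https"])


# Constructed sample response: good headers, but two leftover http:// elements.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; upgrade-insecure-requests",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="https://www.example.com/post/">
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://www.example.com/images/hero.jpg" srcset="https://www.example.com/hero-2x.jpg 2x">
<form action="https://www.example.com/search"></form>
</body></html>"""

if __name__ == "__main__":
    result = audit(SAMPLE_HEADERS, SAMPLE_HTML)
    for tag, attr, url in result["mixed_content"]:
        print(f"mixed content: <{tag} {attr}=\"{url}\">")
    print("upgrade-insecure-requests:", result["upgrade_insecure_requests"])
    print("HSTS max-age:", result["hsts_max_age"])
    print("canonical:", result["canonical"], "(https)" if result["canonical_https"] else "(NOT https)")
    print("checklist passes:", passes(result))
```

On the sample page the script flags the stylesheet and the hero image as mixed content (the protocol-relative script and the relative logo pass), confirms the CSP directive and HSTS, and accepts the https:// canonical. Because the page still carries http:// elements, it does not pass; with upgrade-insecure-requests in place a supporting browser would upgrade those two requests anyway, but the checklist's first item asks for the URLs themselves to be fixed so that the padlock is green in every browser.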
Like it or not, migrating to HTTPS is no longer a choice, unless one doesn’t mind being left behind. The prudent way of dealing with it is mapping out an HTTPS migration plan and once secure, taking steps to promote the new secure site.