Websites today should run on Hypertext Transfer Protocol Secure (HTTPS) to be considered trustworthy – both by a user and from a technical search engine optimization (SEO) perspective.
All websites used to run on HTTP and transferred data in plain text. Today, data encryption is increasingly the standard as 70 percent of users visit HTTPS-enabled sites.
As far as Google is concerned, HTTPS vs HTTP is no question: the search engine prefers your website run on HTTPS, especially if you process sensitive information.
Google is emphasizing the importance of HTTPS in the Page Experience Update, requiring SSL (Secure Sockets Layer – a component of HTTPS) indirectly by rewarding HTTPS sites with better Search rankings. Google also displays icons or full-page warnings for non secure websites. However, this leaves many website owners and online business owners with questions like:
- What is HTTPS protocol?
- What does HTTPS stand for?
- How does HTTPS work?
- What is the Content Security Policy (CSP)?
- What is mixed content?
- How to fix mixed content issue
- How to set up HTTPS
Master how to create a secure website to rank better and avoid losing site visitors to Google security warnings – using the HTTPS protocol is precisely how to create a secure website.
Here you will find the answers you need about this security protocol. We cover what is HTTPS protocol, the importance of HTTPS, HTTPS vs HTTP and how HTTPS works. We also provide expert insight on website encryption, how to switch from HTTP to HTTPS, and what does HTTPS mean for website owners who are optimizing for the Page Experience Update.
What Is HTTPS?
HTTPS provides critical security and data integrity for a website and its users’ personal information. Encryption technology makes your data unreadable to third parties as it travels the web. But what is HTTPS and what does HTTPS stand for?
Here is an overview of HTTPS basics and terms that help define what is HTTPS:
Hypertext Transfer Protocol (HTTP)
Hypertext Transfer Protocol (HTTP) is a communication protocol responsible for the encoding or transfer of data on the web. HTTPS stands for Hypertext Transfer Protocol Secure and it is the encrypted version of HTTP.
SSL and TLS (Transport Layer Security)
To create a secure connection between browsers and web servers, SSL, or TLS, is a protocol that works on top of HTTP. SSL is an outdated version of Transport Layer Security but it’s still the commonly used term. Some mistakenly query the difference between SSL and HTTPS. Questioning the difference between SSL and HTTPS is erroneous because they work together.
Certificate Authority
A certificate authority grants a website an SSL certificate to make encrypted data exchange possible. How HTTPS works is that if a browser cannot detect and authenticate an SSL certificate on your site, it won’t be considered secure and users will receive an alert. Does SSL certificate help SEO? Yes. Any technical SEO expert would warn that Google security alerts can make users leave your site without even seeing it and hurt your rankings significantly.
HTTP vs HTTPS
Hypertext Transfer Protocol (HTTP) alone is not secure. It needs SSL or TLS to offer data encryption and enable HTTPS. Without SSL or TLS, HTTP is transmitting data in plain text, making it prone to malicious attacks. If you’re deciding between HTTP vs HTTPS from an SEO perspective, go for HTTPS.
What does HTTPS do?
You aren’t a top-tier website if you don’t run on HTTPS. The importance of HTTPS lies in being able to facilitate secure communications for your users and identify secure websites for the safety of everyone online.
Why HTTPS Matters to Google Page Experience
Ranking Factors
Ranking Factors
The Page Experience Update emphasizes having an HTTPS connection as a critical ranking signal, along with Core Web Vitals, mobile friendly, and no intrusive interstitials.
The Page Experience report in Google Search Console provides a snapshot of how you fare for all Page Experience signals. You will see a green checkmark for HTTPS if your site has met the minimum percentage of HTTPS URLs required to consider your site’s HTTPS status. If your site has a relatively high percentage of HTTP URLs, you will see a “Failing” warning.
A word of caution: The Page Experience report will only speak to the general HTTPS status of your site because it checks HTTPS on a site level. Google Search will still evaluate your HTTPS status on the URL level. Additionally, the Page Experience report features a percentage of mobile URLs considered to have a good page experience but will be inaccurate if your site has HTTPS issues.
Google puts the user first by providing a security status for every website. By pushing for HTTPS and encryption, the user is protected from non secure websites and can browse authenticated sites with less hesitation.
Source: Google Chrome Help
Going back to the question, “Does SSL certificate help SEO?” – if your users see “not secure” or “dangerous” warnings, they will likely exit the page and your website traffic could drop.
What does HTTPS mean for Page Experience?
- Using the HTTPS protocol enhances user experience by featuring a padlock icon in the search bar to represent site security.
- Google requires SSL by favoring HTTPS vs HTTP in its Search rankings.
- Non secure websites not using an HTTPS connection are at a greater disadvantage with the Page Experience Update rolling out.
How to Improve HTTPS
Website encryption makes personal information and data transfer more secure – the benchmark of site security today. The need for HTTPS is undeniable and, fortunately, you don’t need to be a technical SEO expert to improve your HTTPS site status.
The job is not done after you migrate to HTTPS. Improving HTTPS is a process that involves an in-depth understanding of 1) how does HTTPS work? and 2) how can common HTTPS issues be fixed?
Study these HTTPS pitfalls to know how to avoid them:
What is mixed content?
The mixed content error appears when an HTTPS site requests non-secure resources such as images, iframes, JS, CSS link, audio and forms. For instance, looking at a WordPress site running on HTTPS, an example of WordPress mixed content is an image being requested from an HTTP server. What does HTTPS do in this case? A WordPress mixed content error appears in Chrome DevTools Console tab flagging the specific non-secure resource request, making it easy to identify and fix the source of the error.
Man in the middle attacks (MITM)
Man in the middle attacks (MITM) happen when an outside entity (attacker) intercepts a private communication between two systems. An MITM attacker will find vulnerabilities in your site to access and modify the data exchange. Avoiding man in the middle attacks involves getting an SSL/TLS certificate, ensuring your site is fully protected with HTTPS (no mixed content) and running HTTP Strict Transport Security (HSTS) over HTTPS to tell browsers a site should only be accessed with HTTPS.
Missing padlock icon
Mixed content is one of the most common reasons your site might be missing the padlock icon even after you installed an SSL certificate. But there could be other pre-existing HTTPS issues that the Google URL Inspection Tool could help diagnose.
How to Optimize for HTTPS
To recap, how HTTPS works is it enables website encryption and requires certificate authentication to protect data exchanges between browsers and servers.
How to set up HTTPS like a technical SEO expert:
-
Migrate Your Site to HTTPS
Migrating to the HTTPS protocol is, for the most part, how to create a secure website. After installing an SSL certificate, all HTTP URLs should be redirected to HTTPS automatically. It usually involves adding a rule on the file server configuration or using a “Force HTTPS” button.
This is done on the server-level, and the particular execution varies from website to website, so it’s best to consult technical SEO services and refer to official documentation.
-
Support HTTP Strict Transport Security (HSTS)
Strict Transport Security is an HTTP response header that automatically converts all HTTP requests to access your site into HTTPS requests, preventing browsers from loading your site with HTTP.
Find a web server that supports HSTS, then use the Strict Transport Security response header according to what works best for your site:
-
Content Security Policy (CSP)
Content Security Policy (CSP) is an additional layer of security designed to give website administrators control over what is allowed to load for a given page (the policy you specify). The most important application of this is specifying that all content must be loaded using HTTPS using the Content Security Policy HTTP header:
Source: MDN Web Docs
-
Fix the Mixed Content Error
Spotting the mixed content error using a mixed content checker, inspecting the mixed content warning using Chrome DevTools and finding underlying issues using a URL inspection tool are how to fix mixed content issue. You need to ensure all content is served over HTTPS to remove the mixed content error.
Source: Chrome DevTools
-
Audit Your Site Continuously
How to switch from HTTP to HTTPS successfully remains a valid question after migration. Google sees an HTTPS site as a different site, so migration issues can lead to being flagged for duplicate content. A technical SEO agency would be able to help you monitor your HTTPS status, along with other issues the Google URL Inspection Tool can find.
Make sure the padlock icon is rendering within the search navigation bar. The URL Inspection Tool and a third-party SSL checker can help to confirm the server information and SSL certificate expiry.
Source: Google Search Console
Expert advice from technical SEO professionals on HTTPS migration:
- Have an active SSL certificate from a trusted Certificate Authority.
- Make sure the lock icon always renders within the search bar.
- Access the site server and back up all databases and files.
- HTTPS protocol slows down page load time, so make sure all other elements are optimized to prioritize site speed – files, image compression and site caching.
- Review that all indexed pages are displaying the HTTPS protocol within the Search results.
- Make sure Google can see your HTTPS pages – do not include noindex tags and do not block your HTTPS pages by robots.txt files.
- Create a new Google Search Console version for your HTTPS site (add the new HTTPS property) to fetch the crawler and submit new sitemaps to Google.
Now that you know all about HTTP vs HTTPS SEO, addressing the mixed content warning, the Google URL Inspection Tool and how to set up HTTPS, make sure you improve your HTTPS site status for the Page Experience Update.
Our technical SEO agency has been working for months to improve our Page Experience ranking signals. Call our technical SEO agency at 866.908.4748 or fill out our contact form to find out how to improve your site security with customized technical SEO services.