Everyone has heard about HTTPS now being a new ranking signal in the eyes of Google. But when it comes to implementation and our clients are asking us how to do it, everything turns a little bit more complicated, doesn’t it?
With this HTTPS Migration Cheat Sheet we will try and make things a bit simpler both for you and/or your client. We will cover the basics: why is it important; when, what and by who it needs to be done, a bit of information on security certificates and the best practice and SEO implications of doing it.
What is it and why is it important?
HTTPS (Hypertext Transport Protocol Secure) is the protocol that protects the confidentiality and the integrity of your user’s data. This ensures all the user’s information is secured once they have engaged with your site in any way.
Having a secure connection will make your users feel safe when they share any important information on your site. And of course, this is extremely important for Google. At the moment this is a very weak ranking signal, but with more and more information being shared online every day, it is expected that it will be strengthen in the future.
When does this need to be done and by who?
At the moment most of the e-commerce websites are already using HTTPS on the pages where sensitive data is transmitted (i.e. payment or login pages). But Google has been quite clear in its announcement saying that HTTPS should be implemented in all pages of the website.
The logical process of the implementation of https is the following:
1. Someone (the business, in our case, the SEO agency!) identifies the fact that not all the pages are secure on the site by checking the browser bar for the “https://” start.
2. The business buys the certificate (After deciding what kind they need and from where to buy it).
3. The SEO team makes sure the development team knows the best practices and plan a redirect strategy.
4. The development team then implements the changes. These changes can be performed on the web.config file or global.asax file (AKA ASP.NET application file). Here there are some links with a more technical guide on how to do it.
[tweetable alt=””]Having HTTPS will make your users feel safe when sharing information on your site [/tweetable]
What are security certificates; types, providers and cost?
To enable HTTPS to be used on your site (or the client’s) you need to obtain a security certificate. This is normally issued by a CA (Certificate Authority), which will ensure that your web address belongs to your organization. It is recommended to choose a 2048-bit key to ensure the highest level of security. If your site currently has a weaker key (1024-bit), we’d recommend upgrading to a more secure one.
Once you are ready to choose your certificate, make sure you get it from a reliable CA that also offers technical support. This will ensure you have support in every step of the way and they’ll help you out if you or the development team get stuck in the process.
Depending on what kind of website you have, you will need one of three types of certificate:
- Single certificate for single secure origin (e.g. www.example.com).
- Multi-domain certificate for multiple well-known secure origins (e.g. www.example.com, cdn.example.com, example.co.uk).
- Wildcard certificate for a secure origin with many dynamic subdomains (e.g. a.example.com, b.example.com).
A small number of multinational companies dominate the market for security certificates. It is quite difficult to enter in the market due to the high number of technical requirements and, although is not required by law, some of these providers undergo security audits to be included on the list of web browser trusted authorities.
Some of the companies that provide security certificates can be found below:
The cost of this certificate varies depending on the provider, and there are some of them who offer it free or for prices as low as £50/year. Providers mentioned above offer certificates on a range of prices from £200 to £900 a year with discounts available for longer periods of time.
[tweetable alt=””] Get your security certificates from a reliable CA that also offers technical support[/tweetable]
SEO checklist & Best Practice:
If you adhere to the following checklist, there should be no downfalls in terms of SEO when you move over to HTTPS. Google itself has stated that there will be no negative ranking changes due to websites doing this move. In fact, when done properly, this change will help your website rank better!
• User server-side 301 redirects to redirect your users and search engines from your old HTTP pages to the HTTPS ones.
• Ensure all canonical and hreflang tags on the website are pointing to the HTTPS versions of the pages.
• Use relative URLs instead of absolute whenever possible.
• Update your robots.txt file ensuring no https pages have been blocked.
• Register the HTTPS version of your site in both Google and Bing Webmaster Tools.
• Use the Fetch and Render tool in GWMT to see if Google can crawl and render the site properly.
• Update your sitemap and submit it to GWMT.
• If you need to, update your Google Analytics code.
• You need a web server that supports HSTS (HTTP Strict Transport Security) and you need to ensure it is enabled. This tells Google to show only the secure pages on the SERPs, and also tells the browser to request the HTTPS pages, even if the user types http in the browser bar. Basically, by using a server that supports HSTS you are minimizing the possibilities of your users getting to content that is not secure.
If you have 45 minutes spare, Google produced a useful HTTPS everywhere video presentation, which is definitely worth a watch.