Amel Mehenaoui

HTTP to HTTPS: Best Practices for Top Ranking


Google has a global goal to secure the web. While a noble goal, it requires website owners to become more tech-savvy and invest more in securing their websites. Secure search means Google will give more ranking authority to content and e-commerce websites that have an SSL/TLS certificate.

The low barrier to entry in website development for entrepreneurs and local small businesses might become more technically challenging and more expensive; hence the importance of having a detailed SEO tutorial.

The main goal of this short but detailed SEO tutorial, inspired by the Google I/O 2014 conference, is to help you move your website’s domain from http to https easily without forgetting an important step. I invite you to carefully go through this SEO checklist (in the order presented) to make sure you are aware of all the most important items, which are sometimes overlooked even by the most savvy SEO specialists.

Verify All the Non-https Domain Types with Google Webmaster Tools

You have to realize that a successful website move depends on proper — and up-to-date — Webmaster Tools settings, so if you haven’t already completed the site verification of your http domain variant, then I urge you to do it today.

Important: You should always use the same email address when verifying your site's URL variants in Google Webmaster Tools. Not doing so can result in failed domain ownership verification, and you could get annoyed very fast because Google will be unable to recognize that all the URL variants of your domain actually refer to the same website.

Also, to simplify the domain ownership verification process, please use the same email address that you have connected your Google Analytics accounts with.


Get a Free SSL Certificate for One Domain (Doesn’t Include Sub-Domains)

The first step in moving from an http to an https site is to configure the required SSL/TLS certificates on your server. I’m not going to cover this in detail in this article, but I do invite you to read this case study by Andrea Pernici, where you will be able to follow a step-by-step tutorial showing you how to get your own free SSL certificate.

Just remember that once SSL is set up, you must verify it by running your site through the ssllabs.com tool.

This tool tells you what’s missing on your server so you should test your site using it every time you change your site’s configuration.

Add the HSTS Mechanism to Secure Your Subdomains

Before you do anything, you first have to verify that your web server supports HTTP Strict Transport Security (HSTS) and make sure it is enabled.

HSTS: What is it All About?

HSTS is a mechanism by which a server can indicate that the browser must use a secure connection when communicating with it. Its main goal is to protect web users against some passive eavesdropping.

The HSTS policy is communicated by the server to the web browser via an HTTP response header field named "Strict-Transport-Security." It automatically turns any insecure links referencing the web application into secure links. This means that every time a user tries to access your site, the browser automatically takes them to the https site, even when they enter http in the location bar. This is good for the site’s performance because the browser skips the http redirect and applies the rewrite in the client before it even sends the request.

Why Should You Care About HSTS?

First, you have to realize that without the “includeSubdomains” directive, the web application at the “yourwebsite.com” domain would be unable to protect its main “domain cookie” effectively, even though the host has set a secure https "flag" on it.

However, when you add the “includeSubdomains” directive, the browser forces all of your subdomains (example: urblog.yourwebsite.com) to operate over HTTPS, ensuring sufficient security for the domain-level cookie.

Now, from an SEO point of view, you should know that serving HSTS is taken by Google's algorithm as a signal that you really want Google to index the secured pages and only serve secure URLs in the search results.

[Image: HSTS example]

In the example above, the time period max-age=10886400 is the specified period of time during which the web browser shall access the server in a secure-only fashion.
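An added example, not part of the original article: a small Python check that parses a Strict-Transport-Security value and reports a missing header, a zero or short max-age, and a missing includeSubDomains directive. The function names, the use of the article's max-age as a threshold and the sample values are assumptions made for illustration.

```python
# Added example: parse and audit a Strict-Transport-Security header value.
MIN_MAX_AGE = 10886400  # the max-age quoted in the article, used as threshold


def parse_hsts(value):
    """Return {directive: argument-or-None}; names are case-insensitive."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            # A repeated directive makes the header invalid; browsers ignore it.
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg.strip().strip('"') if arg else None
    return directives


def audit_hsts(value, served_over_https=True):
    """Return a list of findings; an empty list means the policy looks sound."""
    if not served_over_https:
        return ["header sent over plain http is ignored by browsers"]
    if value is None:
        return ["Strict-Transport-Security header is missing"]
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    max_age = d.get("max-age")
    if max_age is None or not (max_age.isascii() and max_age.isdigit()):
        findings.append("max-age is missing or not a number")
    elif int(max_age) == 0:
        findings.append("max-age=0 tells the browser to drop the policy")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is below {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains are not covered")
    return findings


if __name__ == "__main__":
    # Constructed sample header values, not captured from a real site.
    for sample in ("max-age=10886400; includeSubDomains", "max-age=3600", None):
        print(repr(sample), "->", audit_hsts(sample) or "ok")
```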

Select Preferred Domain (https with or without www)

This is a very important step that you should never overlook, because not specifying the preferred domain inside Google Webmaster Tools (GWT) will result in Google treating the www and non-www versions of your domain as references to separate sites.

You have to understand that search engines like Google consider each URL variant of your domain name (subdomain vs. root domain) as a separate domain in itself. This important fact has a very strong influence on your website SEO and, thus, its ranking on the search engines.

Add Self Canonical Tag to Your https Domain

Adding the rel="canonical" tag element will signal to the search engines that they should consolidate the page ranking and the links pointing to each individual URL variant onto a single, preferred URL.

Since you are moving all your domain’s URLs to https, you have to add the canonical tag to your preferred version of the https URL (obviously the one you specified in GWT).


Implement Permanent Server-Side 301 Redirects of All Your Domain Variants to Https

It’s strongly recommended to avoid creating chained redirects (e.g., Page A > Page B > Page C), and instead just redirect to the final target destination URL (it's indeed faster for the user, especially when they try to access your site on mobile devices).
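An added example, not from the original article: a Python audit that walks the redirect path of each domain variant and reports chained redirects, non-301 hops and paths that do not end at the preferred https URL. The response table is constructed (it stands in for live responses), and the choice of the www https variant as preferred is an assumption.

```python
# Added example: audit the redirect path of every variant of a domain.
# RESPONSES is a constructed stand-in for live responses, url -> (status,
# Location); yourwebsite.com is the article's placeholder domain.
PREFERRED = "https://www.yourwebsite.com/"  # assumed preferred variant
REDIRECT_CODES = (301, 302, 303, 307, 308)

RESPONSES = {
    "http://yourwebsite.com/": (301, "http://www.yourwebsite.com/"),
    "http://www.yourwebsite.com/": (301, "https://www.yourwebsite.com/"),
    "https://yourwebsite.com/": (302, "https://www.yourwebsite.com/"),
    "https://www.yourwebsite.com/": (200, None),
}


def follow(url, responses, max_hops=5):
    """Return [(url, status), ...] ending with the final, non-redirect hop."""
    hops, seen = [], set()
    while len(hops) <= max_hops:
        if url in seen:
            raise ValueError(f"redirect loop at {url}")
        seen.add(url)
        status, location = responses.get(url, (None, None))
        hops.append((url, status))
        if status not in REDIRECT_CODES or location is None:
            return hops
        url = location
    raise ValueError(f"more than {max_hops} redirects")


def audit_variant(url, responses=RESPONSES, preferred=PREFERRED):
    """Return the problems on one variant's path to the preferred URL."""
    hops = follow(url, responses)
    redirects, (final_url, final_status) = hops[:-1], hops[-1]
    problems = []
    if final_url != preferred or final_status != 200:
        problems.append(f"ends at {final_url} with status {final_status}")
    if len(redirects) > 1:
        problems.append(f"chained: {len(redirects)} redirects instead of 1")
    for hop_url, status in redirects:
        if status != 301:
            problems.append(f"{hop_url} answers {status}, not 301")
    return problems


if __name__ == "__main__":
    for variant in RESPONSES:
        print(variant, "->", audit_variant(variant) or "ok")
```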

Here is a very important piece of advice from Google on how you can help search engines see your site as secure: use relative URLs for resources that reside on the same secure domain.

For example, use <a href="/service/yourpagename.php"> to refer to a page on your site urdomain.com, rather than <a href="https://urdomain.com/service/yourpagename.php">. Doing so ensures your links and resources always use HTTPS.
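An added example, not from the original article, covering both the canonical tag and the relative-URL advice: a Python scan of a page's markup that lists same-site references hard-coding http:// and checks that the canonical URL is on the preferred https origin. The markup is constructed, and the host list and the choice of the non-www https origin as preferred are assumptions.

```python
# Added example: flag same-site URLs that hard-code http:// and check the
# canonical tag. PAGE is constructed markup; urdomain.com is the article's
# placeholder, and the non-www https variant is assumed to be preferred.
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOSTS = {"urdomain.com", "www.urdomain.com"}
PREFERRED_ORIGIN = "https://urdomain.com"

PAGE = """<html><head>
<link rel="canonical" href="http://urdomain.com/service/yourpagename.php">
<script src="http://urdomain.com/js/app.js"></script>
</head><body>
<a href="/service/yourpagename.php">relative: inherits the page's scheme</a>
<img src="http://www.urdomain.com/img/logo.png">
<a href="http://example.org/">external site, out of scope</a>
</body></html>"""


class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.canonical = None
        self.insecure = []  # (tag, url) pairs on our own hosts using http://

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        rel = (attr.get("rel") or "").lower().split()
        if tag == "link" and "canonical" in rel:
            self.canonical = attr.get("href")
            return  # the canonical URL is judged separately in audit_page
        for name in ("href", "src"):
            parts = urlparse(attr.get(name) or "")
            if parts.scheme == "http" and parts.hostname in SITE_HOSTS:
                self.insecure.append((tag, attr[name]))


def audit_page(html):
    """Return findings for one page; an empty list means nothing to fix."""
    parser = LinkAudit()
    parser.feed(html)
    findings = [f"<{tag}> hard-codes {url}" for tag, url in parser.insecure]
    if parser.canonical is None:
        findings.append("no rel=canonical tag")
    elif not parser.canonical.startswith(PREFERRED_ORIGIN + "/"):
        findings.append(f"canonical {parser.canonical} is not on {PREFERRED_ORIGIN}")
    return findings
```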

Check Bots’ Reports and Submit https Sitemap in Google Webmaster Tools

  • Check the "Index Status" Report

If you are doing everything right, you should see your unsecured website go to zero and your secured one go up. Don’t panic, and just be patient. Google calls this "move over time," which means everything will be consolidated, but you may experience some hiccups.


  • Check the "Crawl Errors" Report:

You should know that Google has algorithms that automatically detect that a site move has been implemented, and they are able to alter Googlebot’s crawling behavior so that their indexing quickly reflects the site move. This is why it’s very important that, during your http to https move, you frequently run a "Crawl Errors" report in GWT to make sure that there are no crawling errors, and to fix any that appear.

  • Create and Submit an https Sitemap:

Create a new sitemap with the list of all the https pages and submit it to the major search engines using the related Google and Bing Webmaster Tools profiles.

  • What if You’ve Already Submitted a Disavow List?

Final advice: if you’ve uploaded a file to disavow links on your http site, Google recommends re-uploading it using the Webmaster Tools account of the new https site.

Final Thoughts to Consider

Before you start, carefully follow the steps stated in this SEO tutorial and remember to make a full backup of your website before you start implementing any changes.

If you feel overwhelmed by all this, then I recommend that you hire a technically savvy webmaster to take care of the http to https move of your domain. Outsourcing the move is a smart investment that can free you from all the technical headaches that can occur if you do it yourself.

Now, let's make the Internet secure...one website at a time!

Amel Mehenaoui is a Digital Marketing Strategist who is passionate about SEO and Web Analytics. She is keen on extracting actionable insights from web data to improve websites' and campaigns’ performance. Her passion is to share her expert tips and advice about digital marketing on her SEO blog, which is dedicated to helping small business owners, entrepreneurs and professionals expand their knowledge of web marketing to grow their profits and expertise. Follow her on Twitter.

Comments

Ajit Kular
It is important to plan your https upgrade properly for a smooth and easy shift. One should consider updating to https in the lowest traffic time period. The timing is a key variable here. 39 more points of https migration here http://www.cueblocks.com/blog/...
Amel Mehenaoui
Ajit Kular
Thanks Ajit for your interesting tip. You're right, we have to be very careful with the move since Google mentioned that we can see a loss of traffic. It may not be a good idea for an ecommerce site to go from http to https in the holiday season, for example.
Schnitzelboy
From all I've heard Https has been implemented by many. And Google is not hammering it. But a great explanation for transition to https.
Cheers
Amel Mehenaoui
Schnitzelboy
You are right Schnitzelboy. Https is being implemented by many, and this post is really to reinforce the key items to complete for a correct http to https implementation as recommended by Google during the Google I/O 2014 conference.

I'm glad you liked the explanation! I wanted to make a simple checklist that's easy to print and follow :)
Guest
From all I've heard Https has been implemented by many. And Google is not hammering it. But a great explanation for transition to https.
Cheers
Gatelogix
@amel. Great posts, but I would like to mention that it's not of as high importance as you are projecting it. However, you've explained its implementation very effectively.
Amel Mehenaoui
Gatelogix
Thanks Gatelogix for your nice words. My goal in this post is to mention the high importance of a correct implementation and nothing else. I'm indeed explaining the implementation of it so that website owners don't miss any important step and risk losing all their rankings. Thanks for your comment!
Haizrul Amrie
nice share sir. Many thanks :)
George Prodromou
Why would you set a https site-wide? It reduces your crawl rate, therefore reduces overall authority on deeper pages. Only use HTTPS where it is actually necessary
Amel Mehenaoui
George Prodromou
Thanks George for your input. As Google explains it very well: "Crawl rate refers to the speed of Googlebot's requests during the crawl process," which means the speed at which Googlebot crawls a page, and Google continues by saying that it doesn't have any effect on how often or how deeply Googlebot crawls your URL structure.

In fact you can even increase or decrease the speed at which Googlebot crawls your site. Also, adding a sitemap with all the new https URLs will make the crawling speed more efficient since the bot will find your list of https URLs all in one XML page.

Here is a link from Google support explaining how to Change Googlebot crawl rate. I hope you'll find this helpful.

George, thanks again for your comment.
George Prodromou
Amel Mehenaoui
I'm sorry to be a pain but I'm looking at it from a technical perspective. First of all, I wouldn't listen to a word Google or anyone says until I have tested it myself. Running SSL site-wide slows crawl rate, and here is why: crawl rate can be improved by improving your time to first byte, in case you are unaware. When we add an SSL we are adding an extra 120ms give or take for an SSL connection to take place and around 100ms for the server to respond (TTFB) with the html file. If we have a very large website then these times add up, which reduces your crawl rate. You can set up a test site and test it for yourself if you like. This is why leading e-commerce websites like amazon, ebay etc don't use SSL site-wide, as their crawl rate will drop by more than 40% and that will have a huge impact on their rankings. Should you use SSL? Yeah, for sure, but I can't agree with using SSL on pages which don't need it.
I have a lot more to say regarding this subject but I don't like to educate the ever guessing SEO public :)
Amel Mehenaoui
George Prodromou
Hello George,

You're not a pain at all. I do actually appreciate the time you take to comment and enrich the conversation.

I do understand your point and I'm not disagreeing with you.

SSL is very important for ecommerce sites and may not be mandatory for content sites like a regular blog. So at the end of the day it should be a strategic decision that should be discussed between the concerned departments and not taken lightly.

My checklist was actually put together to mainly make sure that when we are implementing the move from http to https we do not forget some important items in terms of technical SEO best practices.

George, thanks again for your detailed comments and for sharing your valuable opinion.