HTTPS is a secure connection between your website and your users. It protects your website from unwanted activity. For security, HTTPS ensures three things.
First, Authentication – This is how users can be certain they’re engaging with your website and not some intermediary.
Second, Data Integrity – When your business is active online, you want to be sure that your users see your content exactly in the way that you provided.
Third, Encryption – Information users enter and content they view should be kept between your website and your users.
These three pillars of HTTPS are critical for a secure and trusted modern web. Your users should feel safe on your site just like they would feel if they visited your business in person. Because HTTPS is such a foundational element of the modern web, it’s also a requirement for many modern browser features. In particular, you need HTTPS in order to access features like geolocation, auto-fill, camera, progressive web apps, push notifications and more. HTTPS is also directly shown in modern browsers, or rather, because it should be active by default, the lack of HTTPS is shown. When users access a website that doesn’t use HTTPS in Chrome, for example, it will be flagged as being insecure in the browser bar.
Finally, Google Search gives pages that use HTTPS properly a slight ranking boost. So, you can see there are lots of reasons to go to HTTPS.
But how do you do it?
HTTPS URLs are different from their HTTP counterparts, so to switch over you need to redirect everyone from the HTTP URLs to the HTTPS version. This is generally done with a server-side 301 redirect. For websites, that’s generally considered to be a site migration.
First, set up your HTTPS site. For this, you might need help from your hoster and you’ll need an HTTPS certificate. In general, all certificates supported by modern browsers like Chrome will do fine.
The exact steps you need to follow here vary from website to website. Sometimes it’s just a matter of changing a setting, other times there’s a lot more involved.
Second, verify ownership in Google Search Console. This is critical so that you can track issues associated with your HTTPS version. Additionally, you may also opt to verify the whole domain, which would combine the HTTP and HTTPS data in one place. Make sure to use the same settings in Search Console. In particular, review the settings for geotargeting, URL removals, the URL parameter settings, the crawl rate settings, and the disavow file.
Mixed content is when a page on HTTPS includes elements from HTTP. For example, you might have embedded images, ads, or analytics scripts served over HTTP. This is bad for security and browsers will warn users when they recognize it. Make sure that all internal links within your website go to the HTTPS version too.
There are various tools to check this but you can also just click around in your browser and watch the URL that’s displayed.
If you use rel=canonical or rel=alternate hreflang link elements, adjust them to HTTPS.
If you use structured data, make sure that all URLs refer to the HTTPS version.
Check your sitemap files. Sitemap files help us to crawl and index more efficiently. So, it’s important to point at the correct URLs there. Now, the HTTPS site is ready.
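One way to automate the mixed content, internal link and canonical/hreflang checks described above is a small HTML audit. This is an added example, not a tool named by the original page; the class and function names, example.com and cdn.example.net are assumptions, and the sample markup is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch a subresource.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
                     "video": "src", "source": "src", "embed": "src", "object": "data"}

class HttpReferenceAudit(HTMLParser):
    # Collects (kind, tag, url) for every plain-HTTP reference on an HTTPS page.
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlsplit(page_url).hostname
        self.findings = []

    def _check(self, kind, tag, raw_url):
        # urljoin resolves relative and protocol-relative (//host/...) URLs.
        url = urljoin(self.page_url, (raw_url or "").strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in SUBRESOURCE_ATTRS:
            self._check("mixed-content", tag, a.get(SUBRESOURCE_ATTRS[tag]))
        elif tag == "link":
            rel = (a.get("rel") or "").lower().split()
            if "stylesheet" in rel:
                self._check("mixed-content", tag, a.get("href"))
            elif "canonical" in rel or "alternate" in rel:
                self._check("canonical-or-alternate", tag, a.get("href"))
        elif tag == "a":
            target = urljoin(self.page_url, a.get("href") or "")
            if urlsplit(target).hostname == self.site_host:  # internal links only
                self._check("internal-link", tag, target)

def audit(page_url, html):
    parser = HttpReferenceAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample markup for a page served at https://example.com/shop/.
SAMPLE = """<link rel="canonical" href="http://example.com/shop/">
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.net/analytics.js"></script>
<img src="//cdn.example.net/logo.png">
<a href="http://example.com/contact">Contact</a>
<a href="http://other.example.org/">Partner</a>"""

if __name__ == "__main__":
    print(*audit("https://example.com/shop/", SAMPLE), sep="\n")
```

Relative and protocol-relative URLs inherit the page's HTTPS scheme and are not reported, and links to other sites are skipped because they are neither mixed content nor internal links.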
In other words, use server-side redirects to forward all requests from the HTTP version to the HTTPS version. Double-check that all of the old URLs redirect by trying samples of each part of your website manually, or use a tool to automatically check all URLs. If you have a sitemap file, this is a good time to submit that too. Search engines will now start to use your HTTPS URLs.