What is HTTPS?
"HTTPS (Hypertext Transfer Protocol Secure) is an internet communication protocol that protects the integrity and confidentiality of your users' data between the user's computer and the website." - This is how Google defines the term "secure internet" in the Search Console Help.
If data packets are sent via HTTPS, they are protected by the Transport Layer Security protocol, or TLS for short. It is located in layer 4, the transport layer. TLS provides three layers of protection:
- Encryption: protects against the interception and theft of data.
- Data integrity: data cannot be changed.
- Authentication: protects against man-in-the-middle attacks.
How can I tell that a site uses HTTPS?
You can recognize this from the address bar. Each browser indicates differently that a page is "secure": in Chrome, it is a green lock followed by the URL, in which "https://" is marked in green. In Firefox, the lock is also green. The browsers also inform you if the security certificate has expired or is missing.
Why should I switch to HTTPS as a website operator?
HTTPS protects personal data (name, address, email, bank details, etc.) when interacting with your website. Above all, login data and passwords must be protected. Encryption has now become established - users expect their data to be protected. HTTPS allows you to strengthen your users' trust in your company, which is a very important factor in customer relationship management.
What are the switchover options?
In the Search Console Help, Google recommends switching over with all subpages. However, it is also possible to only provide individual pages with HTTPS. John Mueller (Google) also answers this question in the same way: According to him, it is no problem to switch over with individual pages and add more later. It is also fine to convert pages to HTTPS in several "waves".
However, Arocom recommends switching all sites directly in one go.
What are the requirements for the switch?
To serve your site over HTTPS, you need a certificate; it is irrelevant to Google where it comes from. It must not be expired and must be accepted by the common browsers.
If you search for "TLS encryption", you will find a number of fee-based offers. However, the provider Let's Encrypt has also been offering free certificates in the beta phase since December 2015. (Brief information: the TLS standard has evolved from the SSL standard.)
You also need your own IP address (unless you are using a Let's Encrypt certificate). You can obtain this from your provider on request. You then need to install the certificate on your server and all the requirements are met.
How to switch your website to HTTPS
Create redirects
The first step is to add redirects, as the website should only be accessible via HTTPS. This means that all previous links that went to HTTP must be redirected to HTTPS. This is achieved via a 301 redirect (permanent redirect) in the server's .htaccess file (if you are using an Apache server). Without an Apache server, make the changes in your host configuration.
From an SEO perspective, redirects are essential: they direct visitors to the correct destination and also transfer the link juice to the new destination without loss.
With the help of redirects, we ensure that internal absolute links (e.g. http://www.beispiel.de/spezielle-seite/...) and relative links (e.g. /special-page/page-3/), as well as external backlinks that target HTTP, are redirected to the new page. In general, however, we recommend that internal links are always created relatively so that no action is required in this case.
Customize markup
Each page receives a "canonical tag" to show which page is the page to be indexed. The new HTTPS pages also receive a canonical tag that points to themselves. Is this necessary? According to Mueller, it makes sense, as it is a clear sign for search engines of the relevance of the page, but it is no guarantee that a page will be indexed.
Clean up
After all your URLs have changed, you still need to create a new XML sitemap. CMS such as Drupal offer simple procedures for this. Internal links and external links should be adjusted manually over time, even if a 301 redirect is specified. This will keep your system in order.
Set up the Search Console
In the Search Console, formerly Google Webmaster Tools, you now specify that you have both the HTTP and the HTTPS page and create a separate property for both versions. Google will crawl the new page and then remove the permanently redirected pages from its index. In the "Google Index" - "Indexing status" area, you can observe how the number of indexed pages decreases in the HTTP version and increases in the HTTPS version for both properties. You can also determine whether there are any errors during the migration.
It is not possible to predict how quickly the Googlebot will crawl and process the new URLs; this depends, among other things, on the speed of your server and the number of URLs. Experience shows that a medium-sized website will take a few weeks until most of the pages have been moved; larger websites may take longer.
Monitor traffic
Monitor Search Console
- Crawling errors: Check regularly whether crawling errors have occurred and rectify the problem.
- Search queries: Check whether the search queries are changing as expected.
Monitor traffic with other tools
Use tools such as Google Analytics, SISTRIX, OnPage.org etc. to monitor whether your new website is working properly and whether traffic is being generated. Check the server log files and derive suggestions for improvement if necessary.
HTTPS migration and SEO
There may be a loss of visibility when you switch your website to HTTPS. However, such losses are usually short-lived and can be largely avoided with the above-mentioned preparations. By using 301 redirects in particular, you ensure that the link juice is forwarded directly to the correct destination. This also directly avoids the problem of duplicate content, as only one version of the content can be indexed.
Best practices for the use of HTTPS
- Use strong security certificates with a 2,048-bit key.
- Redirect users and search engines to the HTTPS page via server-side 301 redirects.
- Use relative URLs for all internal links.
- Use a server that supports and has activated HTTP Strict Transport Security (HSTS). HSTS ensures that the browser calls up the HTTPS page directly, even if the user has only entered HTTP. This option also ensures that Google displays the new "secure" URLs in the search results.
- Make sure that your new HTTPS pages can be crawled and indexed by Google if you want them to be: robots.txt should not exclude any pages and pages should not be set to "noindex" in the head. You can use the Search Console and other analysis tools to find out whether pages are crawlable and indexable or not.
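One way to check the 301 redirects from the "Create redirects" step and the HSTS best practice after a migration, as an added example that is not part of the original article: it audits the response head of an HTTP URL and of its HTTPS counterpart. The sample responses are constructed, and the 180-day max-age floor and the rule that the redirect keeps host, path and query are assumptions of this example.

```python
from urllib.parse import urlsplit
MIN_HSTS_MAX_AGE = 15552000  # assumed policy floor (180 days in seconds), not from the article
# Constructed sample response heads (not captured from a real site).
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/special-page/page-3/\r\n"
GOOD_HTTPS = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
BAD_HTTP = "HTTP/1.1 302 Found\r\nLocation: https://www.example.com/\r\n"
BAD_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"

def parse_head(raw):
    """Split a raw HTTP response head into (status code, headers keyed by lower-case name)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def hsts_max_age(value):
    """Return max-age in seconds from an HSTS header value, or None if missing or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.partition("=")
        if key.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None

def audit(http_url, http_head, https_head):
    """Return the findings for one migrated URL; an empty list means it passes."""
    findings = []
    src = urlsplit(http_url)
    status, headers = parse_head(http_head)
    dst = urlsplit(headers.get("location", ""))
    if status != 301:  # a 302 is temporary and does not signal a permanent move
        findings.append(f"redirect status is {status}, expected 301")
    if dst.scheme != "https":
        findings.append("Location does not point to https")
    elif (dst.hostname, dst.path, dst.query) != (src.hostname, src.path, src.query):
        findings.append("redirect changes host, path or query")
    _, headers = parse_head(https_head)
    age = hsts_max_age(headers.get("strict-transport-security", ""))
    if age is None:
        findings.append("HTTPS response has no valid HSTS max-age")
    elif age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {age} is below {MIN_HSTS_MAX_AGE}")
    return findings

if __name__ == "__main__":
    print(audit("http://www.example.com/special-page/page-3/", BAD_HTTP, BAD_HTTPS))
```

If your migration deliberately changes the host as well (for example to a www variant), relax the host comparison in `audit` accordingly.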