A focus on the HTTPS protocol, on how it works, on the reasons that could convince you to use it, but also on how to plan a migration from HTTP to HTTPS and on some of the most common questions on this topic. We talk about this in the new appointment with the series Webmaster Conference Lightning Talk, in which John Mueller, Google’s Search Relations Lead, guides us to discover this sensitive and useful topic for all sites.

Mueller di Google parla di HTTPS

What HTTPS means and how to use it on the site

It starts from the basics, the Googler tells us, and then right from the definition of HTTPS, a protocol that identifies a secure connection between a site and its users, protecting the site from unwanted activities.

For security, HTTPS ensures three things:

  1. Authentication. It is a way to make sure users interact with the desired website and not an intermediary.
  2. Data integrity. A secure connection prevents data tampering, so that users see the content as intended.
  3. Encryption. It is a guarantee that the information exchanged between a website and its users will be kept safe.

I 3 motivi per usare HTTPS

These are three key pillars for a modern, safe and reliable web, because “your users should feel safe on your site, just as they feel when visiting your business in person”.

A requirement for modern web browsers

Being a key element of the modern web, HTTPS is also a basic requirement required by modern browsers to enable certain features, such as

  • Geolocation
  • Auto-fillings of forms
  • Camera
  • Progressive Web App (PWA)
  • Push norifications
  • Caching

The protocol is also shown directly in modern browsers, or better yet – since it should be active by default – the absence of HTTPS is reported (and therefore it is not possible to hide whether a site adopts the system or not).

Che cosa significa HTTPS

When users access a website that does not use HTTPS in Chrome, for example, the same will be referred to as unsafe in the browser bar, with a red lettering that alerts the visitor (while sites with HTTPS are labeled as “protected” with a more reassuring green lettering).

A slight boost to the ranking

Another reason to implement the HTTPS protocol is the slight boost to the ranking that Google can give to secure pages. A “slight” increase, as Mueller admits, and that still does not avoid the possibility that HTTP pages can still classify themselves better than HTTPS pages when their content is more relevant to the query.

How to switch to the HTTPS protocol

There are therefore many reasons to adopt the HTTPS, says Mueller, which then goes on to briefly explain how to switch from HTTP to HTTPS, which can be considered a migration of the site, because HTTPS URLs are different from their HTTP counterparts and thus, to perform the transfer, you need to redirect all users with a redirect 301 server side for all site URLs.

Mueller divides the migration process into six steps:

  1. Configure the HTTPS site.
  2. Verify the property in Google Search Console.
  3. Test the HTTPS site extensively.
  4. Redirect all HTTP URLs to HTTPS URLs.
  5. Monitor migration in Google Search Console.
  6. Configure HTTP Strict Transport Security (HSTS) – optional.

The steps to successfully complete the migration from HTTP to HTTPS

First, then, you have to configure the HTTPS site, possibly asking for the support of the hosting service and acquiring the appropriate HTTPS certificate (in principle, all the certificates supported by modern browsers such as Chrome, even the free ones).

The exact steps to follow here vary from website to website, explains Mueller: “sometimes it’s just a matter of changing a setting, other times there’s a lot more”.

Secondly, you need to verify the property in the Google Search Console, a crucial step to track down any problems associated with HTTPS version 2. You can also choose to check the entire domain, to join HTTP and HTTPS data in the same place, taking care to use the same settings. In particular, be careful to review the settings for the removal of geotargeting URLs, the settings of the URL parameters, the crawl rate settings and the Disavow file, adding any co-owners in the Search Console.

Items to test on the site

The work continues with an important and in-depth test phase of the site, opening the test to some users as well: “Sometimes there are some oddities that we have missed, and it is better to recognize and fix them before moving to the HTTPS version”, explains Mueller.

Among the aspects to be verified is first of all the possible presence of mixed content, that is when a page on HTTPS includes elements from HTTP, which can be for example embedded images, advertising or analytical script.  It is a downside to security and browsers warn users when they recognize this issue.

We also need to check the internal links, to make sure that all the website links point to the HTTPS version: there are various tools to check this aspect, but you can also just click on the browser bar and look at the URL that is displayed.

It is also important to analyze hidden references – bringing to HTTPS elements such as rel=canonical, rel=alternate, hreflang= links, as well as structured data – and check the sitemap files, which help Google to scan and index more efficiently.

The work to implement an HTTPS site

Completed the first three steps, “the HTTPS site is ready, congratulations! It’s time to change everything”, jokes Mueller, who invites you to use server-side redirects to forward all requests from the HTTP version to the new and correct HTTPS version.

It is advisable to double-check all the old URLs to make sure that they redirect correctly, either by manually doing random tests on each part of the website or by using an automatic tool for all URLs. If we have a sitemap, it is a good time to send it, adds the Google Search Relations Lead, because from now on search engines will start using our HTTPS URLs.

We then move on to monitoring the migration in Search Console: it is preferable to regularly check the Search Console at the beginning, to identify any situation before it degenerates into problem. In particular, we must check that the sitemap files are processed normally, that there are no unexpected crawl errors, that the index coverage report shows an increase for the HTTPS site and, last but not least, that users are finding the HTTPS site in Search.

What is the HSTS enabling

The last step is optional and allows you to “go to the next level”: after making sure that everything works as planned, and having waited a few months to fix the migration, it might be useful to consider enabling the HSTS – HTTP Strict Transport Security – a system “to let browsers know that they no longer need to further control the HTTP version of your site” because “it’s a long-term commitment on your part”.

Setting up HSTS is quite easy: just add a header to the server’s responses that tells browsers that they no longer need to check the old HTTP version of your site’s Urls, even when a user tries to go there directly. In addition, there’s still one step you can take, namely adding the site to the HSTS preload list, a shared list of sites that have committed to HTTPS used directly in Chrome: “a pretty big step, so it is only recommended if you are absolutely certain that everything works properly on your HTTPS site”.

The most frequently asked questions on the HTTPS migration

Migration to HTTPS is not something that “a site does every day”, so it is natural to have doubts and ask questions: before concluding its intervention, Mueller has just collected some of these FAQ and provided answers and best practices to accurately complete the operations without any mistake.

  • How long do I have to keep the redirects active?

Redirects should remain active forever: there is no reason not to redirect from HTTP to HTTPS after a migration.

  • Can I just move a few pages?

Technically you can only move a few pages to HTTPS, such as only the user login. Basically, Mueller says it doesn’t take much more work to do to move the entire site, which is what should be done anyway.

  • Which HTTPS certificate should I use?

Any certificate supported by a modern Web browser is fine and Mueller specifically cites the free certificates of the non-profit organization Let’s Encrypt.

  • How long does a migration take?

Google has a lot of experience with HTTPS migrations, says Mueller, so they can usually be processed within a week if all the steps are correct. However, in practice, exact timing does not really matter, as users will still be redirected.

  • Will the migration damage the current ranking of my site?

“Usually not,” says Mueller (reiterating the debunk of urban legends about migration), because it is always the same site, included on the Web in the same way. Indeed, the rankings could benefit from the slight increase mentioned above.

  • Can I restore my previous status, if necessary?

Technically yes, but it is not recommended. Instead of going back, Mueller recommends solving any problems and moving forward.

Call to action