HTTPS and Site Security

HTTPS has been a confirmed Google ranking signal since 2014. It is also a baseline trust signal for users: Chrome and the other major browsers label plain HTTP pages "Not secure" in the address bar. For any site published in 2026, HTTPS is a precondition, not an enhancement.

What HTTPS does

HTTPS is HTTP carried over TLS, which gives the connection between a user’s browser and the server three properties: confidentiality (the traffic is encrypted), integrity (tampering is detected), and server authentication (the browser verifies it is talking to the domain in the URL). Without it, anyone on the network path (Wi-Fi network operators, ISPs, malicious intermediaries) can read the contents of every request and response, modify them in transit, and impersonate the site.

The authentication comes from a TLS certificate that binds the site’s domain names to its public key and is signed by a certificate authority the browser trusts. The keys that actually encrypt the traffic are negotiated fresh in each TLS handshake; the certificate is what stops an attacker from substituting their own keys during that negotiation. Modern certificate authorities (Let’s Encrypt, ZeroSSL) issue certificates free of charge, so there is no longer any cost barrier to HTTPS.

Implementation basics

The migration to HTTPS, for a site previously on HTTP, involves:

  1. Obtain a certificate. Free certificates from Let’s Encrypt (with automated renewal via tools like Certbot) cover the great majority of use cases; their 90-day lifetime makes automated renewal mandatory rather than optional. Standard certificates list the exact hostnames they cover (a single domain or a defined set of Subject Alternative Names). A wildcard such as *.example.com covers exactly one label of subdomain: www.example.com is covered, but neither example.com itself nor static.cdn.example.com is, so the apex and any deeper names must be listed explicitly.
  2. Configure the web server. Listen on port 443; serve the certificate together with its intermediate chain; redirect all HTTP requests, including www and non-www variants, to the equivalent HTTPS URL via 301.
  3. Update internal references. All internal links, asset references, canonical tags, and structured data should use HTTPS URLs.
  4. Update sitemap and robots.txt. Sitemap URLs should be HTTPS; the robots.txt sitemap directive should reference the HTTPS sitemap URL.
  5. Update Search Console. Add the HTTPS property in Search Console (or use a Domain property, which covers both protocols); the HTTP property continues to exist but should now show declining traffic.
  6. Update third-party tools. Analytics, ad networks, marketing tools, anything referencing the site URL should be updated to HTTPS.
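A detail in step 1 that is easy to get wrong is what a certificate actually covers. The following added example (not part of the original article) implements the hostname-matching rule browsers apply, in which a wildcard stands for exactly one DNS label in the leftmost position, and uses it to list which of a site’s hostnames a given certificate leaves uncovered. The certificate names and the list of site hostnames are constructed for the example.

```python
"""Certificate hostname matching with browser wildcard rules (added example).

A wildcard matches exactly one label and only in the leftmost position
(RFC 6125 / CA/Browser Forum rules), so *.example.com covers
www.example.com but not example.com or static.cdn.example.com.
The certificate names and site hostnames below are constructed.
"""


def _name_matches(pattern: str, host: str) -> bool:
    """Return True if a single certificate name (DNS SAN) matches host."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # The wildcard is one whole label, so label counts must be equal, and a
    # bare "*.com" style name is refused by requiring at least three labels.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_names, host: str) -> bool:
    """True if any DNS name in the certificate covers the hostname."""
    return any(_name_matches(name, host) for name in san_names)


def uncovered_hosts(san_names, hosts):
    """Hostnames the site serves that the certificate would NOT cover."""
    return sorted(h for h in hosts if not cert_covers(san_names, h))


# Constructed sample: the apex plus a one-level wildcard, checked against
# every hostname a site might serve.
WILDCARD_CERT = ["example.com", "*.example.com"]
SITE_HOSTS = [
    "example.com",
    "www.example.com",
    "cdn.example.com",
    "static.cdn.example.com",  # two levels deep: the wildcard does not reach it
    "api.example.com",
]

if __name__ == "__main__":
    for host in SITE_HOSTS:
        print(f"{host:28} covered={cert_covers(WILDCARD_CERT, host)}")
    print("uncovered:", uncovered_hosts(WILDCARD_CERT, SITE_HOSTS))
```

Run this against the hostnames a crawler finds on the site before ordering or issuing the certificate; a name left uncovered here is the "wrong certificate domain" warning users will see later.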

Mixed content

Mixed content is the most common HTTPS implementation problem. It occurs when an HTTPS page loads sub-resources (images, scripts, stylesheets) over HTTP. Browsers block active mixed content (scripts, stylesheets, frames, anything that could take control of the page) outright. Passive mixed content (images, audio, video) used to only downgrade the security indicator; current Chrome (since version 86) and Firefox instead try to upgrade the request to HTTPS and block it if the upgrade fails, so the asset silently disappears from the page.

Audit for mixed content via:

  • Browser DevTools console. Mixed content warnings appear automatically.
  • Crawler reports. Screaming Frog and Sitebulb both flag mixed content during a crawl.
  • Search Console. The HTTPS report lists indexed URLs that are not served over HTTPS, which catches systemic problems such as a section of the site still being crawled on HTTP.

Fix by updating all sub-resource URLs to HTTPS. For third-party resources that don’t support HTTPS (rare in 2026), either find an alternative or remove the dependency.
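The audit in the list above and the fix in step 3 of the migration can be scripted. The following added example (not part of the original article) walks an HTML document, reports every http:// sub-resource, classifies it as active or passive the way browsers do, and rewrites the same-host references to https://; third-party references are left in the report for a human to replace or remove. The sample document and hostnames are constructed.

```python
"""Mixed-content audit and same-host rewrite for an HTML page (added example).

Active content (scripts, stylesheets, frames, plugins) is blocked by
browsers; passive content (images, audio, video) is upgraded or blocked.
Same-host http:// references are rewritten to https://; third-party ones
are only reported. The sample HTML below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# (tag, attribute) pairs that cause the browser to fetch a sub-resource.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"),
          ("embed", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # dicts: kind, tag, url, internal

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in ("src", "href", "data"):
            url = attrs.get(attr)
            if not url:
                continue
            if (tag, attr) in ACTIVE:
                kind = "active"
            elif (tag, attr) in PASSIVE:
                kind = "passive"
            else:
                continue
            if tag == "link":
                # Only stylesheets execute in the page; icons and other
                # <link> fetches are treated as passive here.
                rel = (attrs.get("rel") or "").lower()
                kind = "active" if "stylesheet" in rel else "passive"
            parts = urlsplit(url)
            if parts.scheme.lower() != "http":
                continue  # https://, protocol-relative, data: and relative URLs are fine
            host = (parts.hostname or "").lower()
            self.findings.append({"kind": kind, "tag": tag, "url": url,
                                  "internal": host == self.site_host})


def scan(html: str, site_host: str):
    """Return the list of http:// sub-resource references in the document."""
    scanner = MixedContentScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def rewrite_internal(html: str, site_host: str) -> str:
    """Rewrite same-host http:// references to https://; leave third-party ones."""
    out = html
    for finding in scan(html, site_host):
        if finding["internal"]:
            parts = urlsplit(finding["url"])
            out = out.replace(finding["url"], urlunsplit(("https",) + tuple(parts[1:])))
    return out


# Constructed sample page for the site www.example.com.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<link rel="icon" href="http://www.example.com/favicon.ico">
<script src="http://cdn.thirdparty.test/lib.js"></script>
<script src="https://www.example.com/js/app.js"></script>
</head><body>
<img src="http://www.example.com/img/logo.png">
<img src="//static.example.com/hero.jpg">
<img src="http://images.partner.test/banner.gif">
</body></html>"""

if __name__ == "__main__":
    for f in scan(SAMPLE_HTML, "www.example.com"):
        where = "internal" if f["internal"] else "THIRD-PARTY"
        print(f"{f['kind']:8} <{f['tag']}> {f['url']} ({where})")
    print(rewrite_internal(SAMPLE_HTML, "www.example.com"))
```

After the rewrite, re-scan the output: anything still reported is a third-party dependency that needs an HTTPS alternative or removal, exactly the case the paragraph above describes.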

HSTS

HTTP Strict Transport Security (HSTS) is an HTTP response header that tells browsers to use HTTPS for the domain for the stated period: any http:// URL for the host, including one the user types explicitly, is rewritten to https:// before a connection is attempted, and certificate errors become hard failures rather than click-through warnings. Browsers only honour the header when it arrives over a valid HTTPS connection.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

max-age=31536000 (one year, in seconds) is the conventional duration. includeSubDomains extends the policy to all subdomains. preload signals consent to inclusion in the HSTS preload list shipped inside browsers; the directive by itself does nothing, the domain must also be submitted at hstspreload.org, and acceptance requires a max-age of at least one year, includeSubDomains, preload, and an HTTP-to-HTTPS redirect on the base domain. Preloading closes the first-visit window in which an attacker on the path could otherwise strip TLS before the browser has ever seen the header.

HSTS is a strong commitment. Once enabled, it cannot be quickly reversed, because browsers cache the policy for the full max-age, and removal from the preload list takes months to reach users. Roll it out in stages: confirm HTTPS works reliably across all subdomains and asset paths, start with a short max-age (a few minutes), raise it to a year once nothing breaks, and add includeSubDomains and preload last.

Other security headers worth setting

Content-Security-Policy (CSP). Restricts which sources of scripts, styles, and other resources the browser will execute. Significantly reduces XSS attack surface. Requires careful configuration to avoid breaking legitimate functionality.

X-Content-Type-Options: nosniff. Prevents browsers from second-guessing the declared MIME type of a response. Mitigates content-sniffing attacks, in which a browser executes a response as script or renders it as HTML despite its declared type.

Referrer-Policy. Controls how much referrer information is sent with outbound requests. strict-origin-when-cross-origin is a sensible default.

Permissions-Policy. Controls which browser features (camera, microphone, geolocation, etc.) the page can request. Most sites should explicitly disable features they don’t use.

X-Frame-Options: SAMEORIGIN or frame-ancestors in CSP (the modern replacement, which takes precedence when both are present). Prevents the site from being embedded in iframes on other domains, mitigating clickjacking.

These headers don’t directly affect SEO rankings, but they affect security posture, user trust, and (in some cases, like CSP-related JS errors) page rendering.
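The HSTS directives described above and the header checklist in this section can be verified mechanically. The following added example (not part of the original article) parses a Strict-Transport-Security value, checks it against the preload-list requirements, and then audits the other headers listed here. Headers are taken from a plain dict, as any HTTP client library exposes them; the weak and hardened response header sets are constructed.

```python
"""Audit of HSTS and the other security headers on a response (added example).

parse_hsts() decodes the Strict-Transport-Security directives;
audit_headers() returns a list of findings (empty means every check passed).
The WEAK and HARDENED header sets below are constructed.
"""

ONE_YEAR = 31536000  # seconds; minimum max-age for the HSTS preload list


def parse_hsts(value: str) -> dict:
    """Decode 'max-age=N; includeSubDomains; preload' (directive names are case-insensitive)."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            result["max_age"] = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def audit_headers(headers: dict) -> list:
    """Return findings for the security headers discussed in the article."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        p = parse_hsts(hsts)
        if p["max_age"] is None:
            findings.append("HSTS: max-age missing or invalid")
        elif p["max_age"] < ONE_YEAR:
            findings.append(f"HSTS: max-age {p['max_age']} is below one year")
        if not p["include_subdomains"]:
            findings.append("HSTS: includeSubDomains missing")
        preload_ok = (p["max_age"] is not None and p["max_age"] >= ONE_YEAR
                      and p["include_subdomains"])
        if p["preload"] and not preload_ok:
            findings.append("HSTS: preload directive present but preload requirements not met")

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP: header missing")
    # Either mechanism stops clickjacking; frame-ancestors wins when both exist.
    if "frame-ancestors" not in csp and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("Framing: neither CSP frame-ancestors nor a valid X-Frame-Options set")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: not nosniff")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy: missing")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy: missing")
    return findings


# Constructed responses: a typical first attempt, and the hardened target.
WEAK = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",  # not a valid value; browsers ignore it
}
HARDENED = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or ["all checks passed"])
```

Note that a short max-age is reported as a finding here because the audit is written for the end state; during the staged rollout described under HSTS a low value is deliberate, so run the audit only once the ramp is complete.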

HTTPS and rankings

The direct ranking effect of HTTPS is small. Google has described it as a tiebreaker between otherwise equivalent results. The indirect effects are larger:

  • Browser warnings on HTTP pages dramatically reduce CTR and time on site.
  • Blocked mixed content leaves missing assets and, where images have no reserved dimensions, layout shifts, which hurt Core Web Vitals.
  • Insecure connections prevent the site from using modern web platform features (HTTP/2, HTTP/3, service workers, push notifications).
  • AI crawlers treat insecure sites with reduced trust.

The cumulative effect of being on HTTPS is much larger than the small direct ranking signal would suggest.

Common HTTPS problems

Problem                                 Effect
Mixed content                           Browser warnings, blocked sub-resources
Certificate expiry                      Site inaccessible until renewed; trust collapse
Wrong certificate domain                Security warnings; users abandon
HTTP not redirecting to HTTPS           Indexing fragmentation; duplicate content
Internal links still pointing to HTTP   Wasted redirects; equity loss
HSTS misconfiguration                   Subdomains inaccessible; difficult to reverse

Frequently asked questions

Do I need an EV (Extended Validation) certificate? No. EV certificates were once distinguished by browsers via a green address bar showing the organisation name; major browsers removed that indicator in 2019. A DV (Domain Validation) certificate from Let’s Encrypt provides the same TLS protection and is functionally equivalent for SEO purposes.

Does HTTPS slow down the site? The cryptographic overhead of HTTPS is negligible on modern hardware. Browsers also only speak HTTP/2 and HTTP/3 over TLS, and both are significantly faster than HTTP/1.1, so HTTPS is a precondition for them. The net effect on performance is positive.

Should I use HTTP/2 or HTTP/3? Both. Most CDNs and modern web servers support both. HTTP/3 (over QUIC) provides additional performance improvements over HTTP/2, especially on lossy connections. There is no SEO downside to using either.