HTTPS (Hypertext Transfer Protocol Secure) is an internet communication protocol that protects the integrity and confidentiality of data between the user’s computer and the site. Users expect a secure and private online experience when using a website. We encourage you to adopt HTTPS in order to protect your users’ connections to your website, regardless of the content on the site.
Data sent using HTTPS is secured via Transport Layer Security protocol (TLS), which provides three key layers of protection:
Encryption—encrypting the exchanged data to keep it secure from eavesdroppers. That means that while the user is browsing a website, nobody can “listen” to their conversations, track their activities across multiple pages, or steal their information.
Data integrity—data cannot be modified or corrupted during transfer, intentionally or otherwise, without being detected.
Authentication—proves that your users communicate with the intended website. It protects against man-in-the-middle attacks and builds user trust, which translates into other business benefits.
Use robust security certificates
You must obtain a security certificate as a part of enabling HTTPS for your site. The certificate is issued by a certificate authority (CA), which takes steps to verify that your web address actually belongs to your organization, thus protecting your customers from man-in-the-middle attacks. When setting up your certificate, ensure a high level of security by choosing a 2048-bit key. If you already have a certificate with a weaker key (1024-bit), upgrade it to 2048 bits. When choosing your site certificate, keep in mind the following:
Use server-side 301 redirects
Redirect your users and search engines to the HTTPS page or resource with server-side 301 HTTP redirects.
Verify that your HTTPS pages can be crawled and indexed by Google
We recommend that HTTPS sites support HSTS (HTTP Strict Transport Security). HSTS tells the browser to request HTTPS pages automatically, even if the user enters http in the browser location bar. It also tells Google to serve secure URLs in the search results. All this minimizes the risk of serving unsecured content to your users.
To support HSTS, use a web server that supports it and enable the functionality.
Although it is more secure, HSTS adds complexity to your rollback strategy. We recommend enabling HSTS this way:
Consider using HSTS preloading
If you enable HSTS, you can optionally support HSTS preloading for extra security and improved performance. To enable preloading, you must visit hstspreload.org and follow the submission requirements for your site.
Avoid these common pitfalls
Throughout the process of making your site secure with TLS, avoid the following mistakes:
|Expired certificates||Make sure your certificate is always up to date.|
|Certificate registered to incorrect website name||Check that you have obtained a certificate for all host names that your site serves. For example, if your certificate only covers www.example.com, a visitor who loads your site using just example.com (without the “www.” prefix) will be blocked by a certificate name mismatch error.|
|Missing Server name indication (SNI) support||Make sure your web server supports SNI and that your audience uses supported browsers, generally. While SNI is supported by all modern browsers, you’ll need a dedicated IP if you need to support older browsers.|
|Crawling issues||Don’t block your HTTPS site from crawling using robots.txt.|
|Indexing issues||Allow indexing of your pages by search engines where possible. Avoid the noindex meta tag.|
|Old protocol versions||Old protocol versions are vulnerable; make sure you have the latest and newest versions of TLS libraries and implement the newest protocol versions.|
|Mixed security elements||Embed only HTTPS content on HTTPS pages.|
|Different content on HTTP and HTTPS||Make sure the content on your HTTP site and your HTTPS is the same.|
|HTTP status code errors on HTTPS||Check that your website returns the correct HTTP status code. For instance 200 OK for accessible pages, or 404 or 410 for pages that do not exist.|
Migrating from HTTP to HTTPS
If you migrate your site from HTTP to HTTPS, Google treats this simply as a site move with URL changes. This can temporarily affect some of your traffic numbers. See the site move overview page to learn more.
Add the new HTTPS property to Search Console: Search Console treats HTTP and HTTPS separately: data is not shared between properties in Search Console.
source : Google