How To Secure Your Website With HTTPS (Updated)

Even if your website does not cater to sensitive data such as credit card details, there are good reasons to move your website from HTTP to HTTPS, and here's how to do it.

Web Design & Development
26th April, 2016

Moving your website to HTTPS

Why Secure Your Website with HTTPS?

Aside from obvious cases where data security is required, website security is also a consideration in Search Engine Optimization (SEO). Google uses a myriad of factors to decide how highly websites should be ranked for particular search queries, and in August 2014 Google announced that it would begin slightly favoring websites that are secured using HTTPS (when a website uses an "SSL Certificate", which is available from most web hosts). We always advise that every opportunity to outperform competitors in search engines should be taken - particularly if you do already own but do not use an SSL Certificate - and while the effects of this ranking signal are so far limited, Google has a history of incrementally placing more and more importance on newly-introduced ranking factors. We therefore expect it to eventually become the norm for websites to be secured in this way, even where it does not seem to be required from the perspective of data security (such as for credit card transactions).

Another reason to adopt HTTPS is if you plan on producing Accelerated Mobile Pages (AMP) for any or all of your website content. These are a relatively new development that further enhances the performance of websites on mobile devices, and must be hosted on a secure server.

How to Move from HTTP to HTTPS

After purchasing an SSL Certificate from your web host or a third-party provider, and installing it according to the provider's instructions, the process of moving your website to HTTPS has been made easier since Google's indexing system has been modified to look for the HTTPS equivalent of existing HTTP pages, even when these secure pages are not linked to from any other page. If an HTTPS version of a page exists, Google will typically choose to index this version instead of the non-secure version, as long as it has a valid certificate and does not contain insecure dependencies (such as images or JavaScript located at an insecure address),it is not blocked from being crawled, and it does not indicate to Google that it should use the HTTP version using a rel="canonical" tag.

However, there are still a number of steps that you need to follow in order to complete a successful conversion, and to ensure that your website does not suffer any drop in search engine rankings:

If your website contains "absolute" URLs, you will need to update all the links in your site to HTTPS rather than HTTP. Even if your site contains only "relative" links, you will need to update all your calls to files such as JavaScript files.
Redirect the HTTP versions of every page and file of your website to the new HTTPS equivalent using 301 redirects. It is important that you also include files such as images and JavaScript - not just your actual web pages. This can be achieved easily if your website is hosted on an Apache web server using some Apache redirect code. This allows Google to know that your web pages have permanently changed location, and also redirects users who may have bookmarked the HTTP version of your website.
Add a rel="canonical" tag to the HTTPS version of your pages that points to itself, indicating to Google that this is the version you would like indexed.
Update your XML Sitemap (if applicable) with the new HTTPS version of your website's pages.

Once you have completed these steps, and the new HTTPS version of your website is available to the world, there are few final steps to check that your set up is complete:

Test that your website is securely set up using the Qualys Labs SSL Server Test.
Set-up the HTTPS version of your website using Google's Search Console (the change-of-address setting does not apply to this conversion) and verify that you are the owner. Start using this website profile instead of the HTTP version's profile, and be vigilant for any problems.
Update as many links to your website that you can (for example from your social media profiles) with the new HTTPS version.
Don't forget to update links to your website in your email signatures and company stationary.

If everything has gone to plan, once Google has re-indexed your site in a week or so, the chances are that your search engine rankings will seamlessly be transferred to the secure version of your site, and the old HTTP version should disappear from Google's index. You may also notice a slight increase in your rankings for certain search queries, and an associated increase in visitors.

Last updated: 13th December, 2016