HTTPS and Site Security
HTTPS (secure HTTP) encrypts data between a user's browser and your server. It's been a minor but confirmed ranking signal since 2014. More importantly, it's a security best practice and critical for user trust.
What Is HTTPS?
HTTPS is HTTP (Hypertext Transfer Protocol) encrypted with TLS (Transport Layer Security, the successor to SSL). When you visit an HTTPS site, your browser and the server negotiate an encrypted connection, so data in transit is unreadable to eavesdroppers. Without HTTPS, data travels in plain text — anyone on the same network could intercept passwords, credit card numbers, or session cookies.
HTTPS as a Ranking Signal
In August 2014, Google announced HTTPS as a ranking signal. Google confirmed it was a "lightweight" signal — meaning site speed, content quality, and backlinks matter far more. However, it is a confirmed ranking factor. All else equal, the HTTPS site ranks slightly higher.
More importantly, HTTPS is no longer optional for credibility. Browsers show a "not secure" warning for HTTP sites. Users see this and distrust the site. For e-commerce, it's a conversion killer. For reputation, it's damaging.
SSL/TLS Certificates
HTTPS requires an SSL/TLS certificate: a digital file issued by a Certificate Authority (CA) that proves your identity (for most sites, that you control the domain) and enables encryption. The good news: SSL certificates are now free through Let's Encrypt, a non-profit CA. Most hosting providers offer one-click HTTPS setup with Let's Encrypt.
Types of Certificates
- Domain Validation (DV): Verifies you own the domain. Fastest and cheapest. Let's Encrypt issues DV certs. Suitable for most websites.
- Organization Validation (OV): Verifies your organisation. Shows more details in the certificate. Rarely needed.
- Extended Validation (EV): Displays your business name in the browser bar (older browsers only). Mostly obsolete. Rarely needed.
For SEO and general use, a DV certificate from Let's Encrypt is perfect. It provides the same encryption as expensive certificates.
Mixed Content Issues
Mixed content occurs when an HTTPS page loads HTTP resources. For example, your page is at https://example.com, but it loads an image from http://cdn.example.com. This breaks the security promise and modern browsers show warnings or block the insecure content.
Active vs Passive Mixed Content
- Active mixed content: Scripts, stylesheets, iframes. Browsers block these. Your site will be broken.
- Passive mixed content: Images, videos. Browsers allow this but show warnings. Your content loads but the lock icon disappears.
How to Fix Mixed Content
Audit your site for HTTP resources. Search your HTML and CSS for http://. Update all to https://. For third-party resources (ads, analytics, widgets), contact the provider to use HTTPS. If a third party doesn't support HTTPS, consider switching providers.
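As an added example (not code from the original article), a small Python scanner that applies the active/passive split above to a page's HTML and embedded CSS, so an audit reports what a browser would block versus merely warn about. The sample page and its hostnames are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Active resources are blocked by browsers; passive ones load with a warning.
ACTIVE_TAGS = {"script": ("src",), "iframe": ("src",), "link": ("href",)}
PASSIVE_TAGS = {"img": ("src",), "video": ("src", "poster"), "audio": ("src",)}
CSS_URL_RE = re.compile(r"""url\(\s*['"]?(http://[^'")\s]+)""")

class MixedContentScanner(HTMLParser):
    # Collects every http:// resource an HTTPS page would try to load.
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = tag == "style"
        if tag in ACTIVE_TAGS:
            # <link> only fetches when it is a stylesheet; rel="canonical" is a hint.
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                return
            kind, names = "active", ACTIVE_TAGS[tag]
        elif tag in PASSIVE_TAGS:
            kind, names = "passive", PASSIVE_TAGS[tag]
        else:
            return  # <a href="http://..."> is navigation, not a resource load
        for name in names:
            url = (attrs.get(name) or "").strip()
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))

    def handle_data(self, data):
        if self._in_style:  # url(http://...) inside an embedded stylesheet
            self.findings.extend(("passive", "style", u) for u in CSS_URL_RE.findall(data))

    def handle_endtag(self, tag):
        self._in_style = False

def scan_mixed_content(html):
    # Returns [(kind, tag, url), ...] for each insecure resource reference.
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page (not a real site) mixing secure and insecure loads.
SAMPLE_PAGE = """<html><head><link rel="canonical" href="http://example.com/page">
<link rel="stylesheet" href="http://cdn.example.com/site.css"><script src="https://cdn.example.com/app.js"></script>
<style>.hero { background: url(http://cdn.example.com/bg.png); }</style></head>
<body><img src="http://cdn.example.com/logo.png"><iframe src="http://widgets.example.net/embed"></iframe>
<a href="http://example.com/other">plain link</a></body></html>"""
```

Protocol-relative (`//cdn...`) and `https://` references are not reported, and a plain `<a href="http://...">` is left alone because following a link is navigation, not a resource load on the secure page.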
Many sites add a security header to auto-upgrade HTTP requests to HTTPS:
Content-Security-Policy: upgrade-insecure-requests
This tells browsers to rewrite http:// requests for the page's resources to https:// before sending them, which prevents mixed content errors. The resource must actually be served over HTTPS on that host, though: the header changes the URL the browser requests, not what the origin serves.
Security Headers
Beyond HTTPS itself, security headers provide additional protection by instructing browsers on security policies. Key headers:
- HSTS (the Strict-Transport-Security header): Tells browsers to always use HTTPS for your domain for the period you specify. Prevents downgrade attacks.
- Content-Security-Policy (CSP): Restricts which scripts, styles, and resources can load. Prevents XSS attacks.
- X-Frame-Options: Prevents your site from being embedded in iframes on other sites. Blocks clickjacking.
- X-Content-Type-Options: Prevents browsers from guessing file types. Stops MIME-sniffing attacks.
These don't directly affect SEO, but they protect your site and users. Most hosting providers allow you to set headers in configuration files.
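An added Python check (not part of this article) that audits a response's headers for the four headers just listed: it flags a missing header, an HSTS max-age under a year, a Content-Security-Policy that allows inline scripts, an unsupported X-Frame-Options value, and a missing nosniff. The two header sets are constructed examples, one weak and one hardened.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "header severity message")
ONE_YEAR = 31536000  # seconds; an HSTS max-age below this is weak

def audit_security_headers(headers):
    # Checks the four headers described above; returns a list of Finding.
    h = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    out = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        out.append(Finding("Strict-Transport-Security", "high",
                           "missing: browsers may still follow plain-HTTP links"))
    else:
        d = {p.strip().partition("=")[0].lower(): p.strip().partition("=")[2]
             for p in hsts.split(";") if p.strip()}
        if int(d.get("max-age") or 0) < ONE_YEAR:
            out.append(Finding("Strict-Transport-Security", "medium", "max-age below one year"))
        if "includesubdomains" not in d:
            out.append(Finding("Strict-Transport-Security", "low",
                               "includeSubDomains not set; subdomains stay downgradable"))
    csp = h.get("content-security-policy")
    if csp is None:
        out.append(Finding("Content-Security-Policy", "high", "missing: script sources unrestricted"))
    elif "'unsafe-inline'" in csp:
        out.append(Finding("Content-Security-Policy", "medium", "'unsafe-inline' weakens XSS protection"))
    xfo = (h.get("x-frame-options") or "").strip().upper()
    if not xfo and "frame-ancestors" not in (csp or ""):
        out.append(Finding("X-Frame-Options", "high", "no framing control: clickjacking possible"))
    elif xfo and xfo not in ("DENY", "SAMEORIGIN"):
        out.append(Finding("X-Frame-Options", "medium", f"unsupported value {xfo!r}; use DENY or SAMEORIGIN"))
    if (h.get("x-content-type-options") or "").strip().lower() != "nosniff":
        out.append(Finding("X-Content-Type-Options", "medium", "should be 'nosniff' to stop MIME sniffing"))
    return out

# Constructed header sets for two hypothetical responses (not from a real site).
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=300",
                "X-Frame-Options": "ALLOW-FROM https://partner.example"}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    for f in audit_security_headers(WEAK_HEADERS):
        print(f"[{f.severity}] {f.header}: {f.message}")
```

A CSP `frame-ancestors` directive is accepted in place of X-Frame-Options, since it is the modern replacement for that header.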
Migrating from HTTP to HTTPS
If you currently run on HTTP and want to migrate to HTTPS (which you should):
- Obtain an SSL certificate (use Let's Encrypt for free).
- Enable HTTPS on your server.
- Update all internal links in your content from http:// to https://.
- Update canonical tags to use https:// URLs.
- Update your sitemaps to list https:// URLs.
- Set up 301 redirects from all http:// pages to https:// equivalents.
- Resubmit your sitemap to Google Search Console under the https:// property.
- Add the https:// site as a new property in GSC and set it as the primary version.
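An added helper (not from the article) for the internal-link, canonical and sitemap steps above, in Python: it rewrites http:// URLs to https:// only for hosts you control and reports third-party http:// links for manual follow-up instead of rewriting them, since the provider may not serve HTTPS. The host list and the sample HTML and sitemap are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Hosts we control (hypothetical). Only these are rewritten; third-party
# http:// links are reported instead, since the provider may not offer HTTPS.
OWN_HOSTS = {"example.com", "www.example.com"}
ATTR_URL_RE = re.compile(r"""(?P<lead>\b(?:href|src)\s*=\s*["'])(?P<url>http://[^"']+)""")
SITEMAP_NS = "http://www.sitemaps.org/schemas/sitemap/0.9"

def to_https(url):
    parts = urlsplit(url)
    return urlunsplit(("https",) + tuple(parts[1:]))

def upgrade_internal_urls(html, own_hosts=OWN_HOSTS):
    # Rewrites own-host http:// href/src values (links, canonical, images).
    # Returns (new_html, list of third-party http:// URLs left untouched).
    external = []
    def swap(m):
        if urlsplit(m.group("url")).hostname in own_hosts:
            return m.group("lead") + to_https(m.group("url"))
        external.append(m.group("url"))
        return m.group(0)
    return ATTR_URL_RE.sub(swap, html), external

def upgrade_sitemap(xml_text, own_hosts=OWN_HOSTS):
    # Returns the sitemap with every own-host <loc> switched to https://.
    ET.register_namespace("", SITEMAP_NS)
    root = ET.fromstring(xml_text)
    for loc in root.iter(f"{{{SITEMAP_NS}}}loc"):
        parts = urlsplit(loc.text.strip())
        if parts.scheme == "http" and parts.hostname in own_hosts:
            loc.text = to_https(loc.text.strip())
    return ET.tostring(root, encoding="unicode")

# Constructed inputs (not from a real site).
SAMPLE_HTML = """<link rel="canonical" href="http://example.com/page">
<a href="http://www.example.com/about">About</a>
<a href="http://partner.example.net/offer">Partner</a>
<img src="http://example.com/img/logo.png">"""
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url><loc>http://example.com/</loc></url>
<url><loc>http://example.com/page</loc></url>
</urlset>"""

if __name__ == "__main__":
    new_html, leftovers = upgrade_internal_urls(SAMPLE_HTML)
    print(new_html, "\nthird-party http:// links to follow up:", leftovers)
    print(upgrade_sitemap(SAMPLE_SITEMAP))
```

The server-side 301 redirects from each http:// page to its https:// equivalent are a separate web-server configuration step and are not covered by this helper.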
Google will follow the 301 redirects and consolidate your ranking signals. However, give it time (weeks to months) for full consolidation.
Checking Your HTTPS Setup
Visit your site and look at the browser bar. A green lock icon means HTTPS is properly configured with a valid certificate. A warning or "not secure" message means an issue. Common issues: mixed content, expired certificate, or self-signed certificate (not from a trusted CA).
Use an SSL checking tool such as the Qualys SSL Labs Server Test (ssllabs.com) to audit your setup. It checks certificate validity, encryption strength, and security headers.