HTTPS/SSL and Website Security
What is HTTPS/SSL?
HTTPS (HTTP Secure) is a protocol that encrypts the data exchange between a website and the visitor’s browser. This encryption is provided through an SSL/TLS certificate held by the site; the certificate acts as a digital document that verifies the site’s identity to the browser. The lock icon in the browser’s address bar indicates that the connection is encrypted and the certificate is valid.
Data sent over HTTP is transmitted in plaintext; this means a third party on the same network (e.g., a public Wi-Fi network) could read the data. HTTPS encrypts this data, making it readable only by the sender and recipient.
SSL certificates are typically valid for a specific period (e.g., one year) and must be renewed when they expire; today, many hosting providers automate this process to ensure the certificate renews automatically, reducing the need for manual tracking.
Why is this important?
HTTPS protects user data (form submissions, login credentials, payment information) against man-in-the-middle attacks. Google considers the use of HTTPS a minor ranking signal, and browsers display a “Not Secure” warning for HTTP sites; this directly affects user trust.
An insecure site reduces visitors’ willingness to stay on the site; in particular, users filling out forms or making payments may leave the site without completing the transaction when they see the “Not Secure” warning. This is a trust issue that directly affects the conversion rate.
Additionally, most modern browser features (e.g., location services, notifications, certain payment APIs) work only over HTTPS; a site that remains on HTTP cannot take advantage of these features at all and becomes increasingly limited from a technical standpoint.
How to fix it?
- Install a valid SSL certificate on your site and set up automatic renewal to prevent it from expiring.
- Redirect all HTTP requests to the HTTPS version using a 301 redirect.
- Resolve mixed content warnings: Ensure that all images, scripts, and CSS files on the page are loaded over HTTPS; otherwise, the browser may mark the page as “partially secure.”
- If possible, add an HSTS (HTTP Strict Transport Security) header to force the browser to always connect to the site via HTTPS.
- Reduce redirect chains (such as HTTP → HTTPS → www → non-www, where multiple redirects occur in sequence) to a single step; each additional redirect adds a small delay to the page load time.
- Verify that resources provided by third-party services (such as an image CDN, form provider, or chat widget) are also served over HTTPS; these are often the overlooked sources of mixed content issues.
Example
# .htaccess example
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Bad example: After switching to HTTPS, forgetting to update old <img src="http://example.com/logo.png"> absolute HTTP links on the page; this triggers a mixed content warning in the browser even if the page appears secure overall.
Common Mistakes
- Leaving the HTTP version open instead of disabling it; this allows the site to remain accessible via both HTTP and HTTPS, resulting in duplicate content across two different addresses.
- Leaving images or scripts on the page that are still loaded via HTTP while the page is under HTTPS (mixed content).
- Allowing the SSL certificate to expire; in this case, the browser may mark the site as completely inaccessible.
- Creating unnecessary redirect chains consisting of multiple steps.
- Obtaining a certificate only for the main domain name and excluding subdomains (e.g., blog.example.com).
- Still using old HTTP addresses in internal links (menu, footer, internal links); this triggers an unnecessary 301 redirect with every click and slightly slows down page loading.
- Still referencing old HTTP addresses in sitemaps and canonical tags; this sends mixed signals to search engines.
- Accidentally migrating a self-signed certificate used in the local development (localhost) environment to the live environment configuration; browsers do not consider such certificates trustworthy.
- Seoraporu.co’s report flags the absence of HTTPS or mixed content warnings as high priority in the technical findings section, as they affect both security and performance simultaneously.