HTTPS (Hypertext Transfer Protocol Secure) encrypts data between browsers and servers using SSL/TLS certificates. It has been a Google ranking factor since 2014. HTTPS protects user data, displays a padlock icon in browsers, and is required for Chrome to show “Secure.”

What is HTTPS?

HTTPS is the secure version of HTTP, the protocol used to send data between browsers and websites. The “S” stands for Secure.

HTTPS provides:

  • Encryption of data in transit
  • Authentication of the website
  • Data integrity verification
  • User trust signals (padlock icon)

HTTP vs HTTPS

AspectHTTPHTTPS
EncryptionNoneSSL/TLS encrypted
Port80443
Browser display”Not Secure” warningPadlock icon
Data securityVulnerableProtected
SEODisadvantagedRanking boost

SSL/TLS Certificates

What is SSL?

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are protocols that establish encrypted connections.

Certificate functions:

  • Encrypts data transmission
  • Verifies website identity
  • Enables HTTPS protocol
  • Displays trust indicators

Certificate Types

TypeValidationUse CaseCost
Domain Validation (DV)Domain ownershipMost websitesFree-Low
Organization Validation (OV)Business verificationBusinessesMedium
Extended Validation (EV)Extensive verificationE-commerce, banksHigh

Certificate Providers

Free options:

  • Let’s Encrypt (automated, 90-day renewal via Certbot)
  • Cloudflare (free SSL with their CDN - good for Malaysian sites via Singapore edge)
  • Many web hosts include free DV certificates (Shinjiru, Exabytes, SiteGround)

Paid options:

  • DigiCert
  • Comodo (Sectigo)
  • GlobalSign
  • GoDaddy

HTTPS as a Ranking Factor

Google’s Position

Timeline:

  • 2014: HTTPS announced as ranking signal
  • 2017: Chrome shows “Not Secure” for HTTP
  • 2018: Chrome marks all HTTP pages “Not Secure”
  • Today: HTTPS is the baseline expectation

Impact level:

  • Described as “lightweight” signal
  • One of hundreds of ranking factors
  • Tie-breaker between similar pages
  • User trust impact may outweigh the direct ranking boost

Beyond Rankings

HTTPS affects more than rankings:

FactorImpact
User trustUsers expect padlock
Browser warningsHTTP shows warnings
Referral dataHTTPS to HTTP loses referrer
Modern featuresRequired for HTTP/2, Service Workers
ConversionsTrust impacts purchase decisions

Implementing HTTPS

Step 1: Obtain SSL Certificate

Options:

  • Use Let’s Encrypt (free, automated)
  • Get from web host (often one-click)
  • Purchase from certificate authority
  • Use Cloudflare’s free SSL (no server config needed)

Let’s Encrypt with Certbot:

# Install certbot
sudo apt install certbot

# Obtain certificate
sudo certbot --apache -d example.com

Step 2: Install Certificate

Installation varies by server:

Apache:

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /path/to/certificate.crt
    SSLCertificateKeyFile /path/to/private.key
</VirtualHost>

Nginx:

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;
}

Step 3: Redirect HTTP to HTTPS

Redirect all HTTP traffic to HTTPS.

Apache (.htaccess):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Nginx:

server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

Change all internal links to HTTPS.

Update:

  • Navigation links
  • Content links
  • CSS/JS references
  • Image sources
  • Canonical tags

Step 5: Update External References

Update:

  • Google Search Console (add HTTPS property)
  • Google Analytics (update default URL)
  • Social media profiles
  • Business listings
  • External links you control

Step 6: Submit New Sitemap

Update sitemap with HTTPS URLs and resubmit.

<url>
  <loc>https://example.com/page/</loc>
</url>

Common HTTPS Issues

Mixed Content

HTTP resources loaded on HTTPS pages.

Types:

  • Mixed active content (scripts) - blocked by browsers
  • Mixed passive content (images) - warning

Fix:

  • Update all resource URLs to HTTPS
  • Use protocol-relative URLs (//)
  • Use Content-Security-Policy headers

Chrome DevTools Console tab highlights mixed content warnings with the specific resource URLs.

Redirect Chains

Multiple redirects before reaching HTTPS.

Bad:

http://example.com -> http://www.example.com -> https://www.example.com

Good:

http://example.com -> https://www.example.com

Certificate Errors

ErrorCauseSolution
Expired certificateNot renewedRenew/automate renewal with Certbot
Name mismatchWrong domain on certGet correct certificate
Untrusted issuerSelf-signed or unknown CAUse trusted CA
Chain incompleteMissing intermediate certInstall full chain

Canonicalization

Ensure canonical tags use HTTPS.

<link rel="canonical" href="https://example.com/page/">

HTTPS Best Practices

Security Configuration

Enable:

  • TLS 1.2 or higher
  • Strong cipher suites
  • HSTS (HTTP Strict Transport Security)
  • Certificate transparency

HSTS header:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Performance Optimization

HTTPS adds minimal overhead with modern optimizations:

  • Use HTTP/2 (requires HTTPS)
  • Enable OCSP stapling
  • Use session resumption
  • Implement TLS 1.3

Monitoring

Regular checks:

  • Certificate expiration (automate with Certbot or Cloudflare)
  • SSL Labs test (ssllabs.com) for configuration grade
  • Mixed content warnings in Chrome DevTools
  • Security headers via securityheaders.com

HTTPS Migration Checklist

Pre-Migration

  • SSL certificate obtained
  • Certificate installed correctly
  • Test HTTPS version works
  • Backup current site

Migration

  • 301 redirects HTTP to HTTPS
  • Internal links updated
  • Canonical tags updated
  • Sitemap updated
  • robots.txt accessible via HTTPS

Post-Migration

  • Search Console HTTPS property added
  • Analytics updated
  • External profiles updated
  • Mixed content fixed
  • HSTS enabled
  • Certificate monitoring set up

HTTPS is no longer optional. It is a confirmed ranking factor, required for user trust, and necessary for modern web features like HTTP/2 and Service Workers.

Use free certificates from Let’s Encrypt or Cloudflare for most sites. Implement proper 301 redirects, update all internal references, and monitor for mixed content issues. For Malaysian sites, Cloudflare’s free tier provides both SSL and CDN with a nearby Singapore edge node - a straightforward setup that covers security and performance in one step.

Combine HTTPS with other technical SEO best practices like page speed optimization and Core Web Vitals for comprehensive technical health.

Frequently Asked Questions

Is HTTPS a ranking factor?
Yes, HTTPS has been a confirmed Google ranking factor since 2014. Google calls it a 'lightweight' signal, meaning it's one of many factors but not the strongest. However, HTTPS is now considered standard, and HTTP sites may be penalized in user trust even if not directly in rankings.
How do I get an SSL certificate?
Get SSL certificates from: Let's Encrypt (free), your web host (often included), or certificate authorities like DigiCert or Comodo. Most hosts offer one-click SSL installation. For most sites, free certificates from Let's Encrypt are sufficient. E-commerce sites may prefer extended validation (EV) certificates.
Will migrating to HTTPS hurt my rankings temporarily?
Properly executed HTTPS migration should not hurt rankings. Use 301 redirects from HTTP to HTTPS, update internal links, submit new sitemap, and update Search Console. Some fluctuation is normal during transition but rankings typically stabilize within weeks.
How do I set up free HTTPS with Cloudflare?
Sign up for Cloudflare's free plan and point your domain's nameservers to Cloudflare. Enable 'Full (Strict)' SSL mode and turn on 'Always Use HTTPS.' Cloudflare provisions a free SSL certificate and handles HTTPS termination at its edge - no server configuration needed. This works well for Malaysian sites since Cloudflare has a Singapore edge node.