TRAFFIC
property. This results in the HTTP property losing all traffic and rankings and the HTTPS version gaining it. However, it may take more than 90 days to get a good overview of the impact, and Search Analytics in Google Search Console is only available for the last 90 days.
The combined set will provide an overview of the total rankings and the total impact of the move to HTTPS, which is also available for download, using the Search Analytics API [9] and/or a download button in the Search Analytics overview page.
Update incoming links
Now that the website is fully migrated to HTTPS, the rest of the world needs to be told. If the website is part of a larger network of websites belonging to the same organisation, then go to each website in the (internal) network and update all references of the website to the HTTPS version. This may require talking to different teams in the organisation and/or searching within the databases to find and update all link references to the HTTPS version.
Often links to the website are also present in the email signatures of employees, the official social media profile pages of the website and/or organisation (e.g. Twitter, Facebook, Pinterest, etc.), and the company profile pages on LinkedIn, Yellow Pages, Wikipedia, local business directories, PPC campaigns and ads, social media ad campaigns, newsletter software and/or mailing lists, direct marketing ad copy, videos, Analytics software, third party ranking tracking and reporting software, Google My Business listings, business cards, third party review platforms, etc. Not all of these need to be updated straight away, but do change those you can as soon as possible, and be sure to schedule the rest to make sure the changes are made in the near future.
Last but not least, go to the ‘links to your site’ overview in Google Search Console and find the most important links to the website. This may be the important business partners, news coverage or domains that link often to the website. Reach out to these websites and inform them that the website has moved to HTTPS. This could also be a great opportunity to communicate what your team can do for them and see if a business collaboration is possible.
Content security policy
To avoid any mixed content issues, be sure to add a content security policy [10] to the website. This policy is aimed at restricting certain resources from being loaded and helps prevent XSS attacks. However, in this guide, the focus is only on the upgrade-insecure-requests feature.
The upgrade-insecure-requests directive is used to upgrade any internal link reference, to assets and/or other internal pages, from an HTTP request to an HTTPS request in the browser. For example, the following link references in the source code:
<a href="http://www.example.com/">example</a>
<img src="http://www.example.com/image1.png" />
are automatically upgraded by the browser to:
<a href="https://www.example.com/">example</a>
<img src="https://www.example.com/image1.png" />
To enable this with .htaccess in Apache, just add the following HTTP header:
Header set Content-Security-Policy "upgrade-insecure-requests"
Alternatively, use the following code in the HTML source of the HTTPS version:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests" />
This will force all links to be upgraded to HTTPS, and this may break things in the website. Be sure to test the website to see if it looks and feels correct.
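As an aid to that testing, the following is an added example, not code from the original article: a Python audit that lists the http:// references in a page and separates those the browser upgrades under upgrade-insecure-requests from those it leaves untouched. It goes beyond the article's two examples by covering third-party scripts (which are also upgraded) and links to other hosts (which are not); the sample page, host names and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose src attribute makes the browser fetch a subresource.
FETCH_TAGS = {"img", "script", "iframe", "audio", "video", "source"}


class InsecureRefAudit(HTMLParser):
    """Sort http:// references by how upgrade-insecure-requests treats them."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.upgraded = []      # rewritten to https:// by the browser
        self.not_upgraded = []  # links to other hosts stay on http://

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in FETCH_TAGS:
            url, navigation = attrs.get("src"), False
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            url, navigation = attrs.get("href"), False
        elif tag == "a":
            url, navigation = attrs.get("href"), True
        else:
            return
        parts = urlsplit(url or "")
        if parts.scheme != "http" or not parts.hostname:
            return  # already https, relative, or not a web URL
        if navigation and parts.hostname != self.site_host:
            self.not_upgraded.append(url)
        else:
            self.upgraded.append(url)


def audit(html, site_host):
    parser = InsecureRefAudit(site_host)
    parser.feed(html)
    # Every host listed here must answer on HTTPS, or the upgraded request fails.
    hosts = sorted({urlsplit(u).hostname for u in parser.upgraded})
    return {"hosts_needing_https": hosts, "left_as_http": parser.not_upgraded}


# Constructed sample page for the site www.example.com.
SAMPLE_PAGE = """
<a href="http://www.example.com/">example</a>
<img src="http://www.example.com/image1.png" />
<script src="http://cdn.example.net/widget.js"></script>
<a href="http://partner.example.org/offer">partner</a>
<img src="https://www.example.com/logo.png" />
"""
```

Any host reported under hosts_needing_https that does not serve the asset over HTTPS is where the page will break once the header is enabled.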
HSTS
HSTS, which stands for HTTP Strict Transport Security, is used to prevent redundant redirections in browsers for websites that operate solely on HTTPS.
To explain this in other words, ask yourself (or your users): “How often does anyone type the protocol into the address bar of a browser when typing a domain name?”
Figure 6: Adding the ‘S’ to HTTP
Most likely the answer is: “Almost never.” The problem is that browsers default to HTTP when a domain name is typed in, which means that when a domain name (without protocol) is typed in, the browser requests the HTTP version, e.g. http://www.example.com, and then, assuming that the redirection rules are set up correctly, the browser gets from the server a 301 response with a new location, e.g. https://www.example.com/. Now, the browser has to start the entire process all over again and send the next request to the HTTPS version before any content can be downloaded and presented to the user (see Figure 7).
Hence, HSTS came into being. With HSTS, a website that is operating solely and entirely on HTTPS can submit its domain name to be preloaded into the browser.
Figure 7: Waterfalls for websites not HSTS preloaded and HSTS preloaded
[10] https://developers.google.com/web/fundamentals/security/csp/
22 iGB Affiliate Issue 63 JUN / JUL 2017