A Guide to Migrating to HTTPS

It’s been a few years since Google started actively promoting the secure HTTPS connection. Having an SSL certificate has been considered an important visibility factor on Google as far back as 2014. Starting from 2017, all websites powered by the older HTTP technology have been marked as “not secure” by Google Chrome.

For comparison, secure websites are also marked with a special icon next to the address bar, which usually looks like a small lock.

A similar system is now in place on all popular web browsers.

The statistics do indeed show that the share of HTTPS-enabled websites is growing rapidly. Thus, these measures should motivate all website owners to migrate their websites from HTTP to HTTPS.

HTTPS uses the cryptographic SSL/TLS protocol for secure data transfer. This protocol needs the certificate to check whether the encryption key belongs to the site owner. You can turn to a certification authority to receive an SSL certificate that guarantees the validity of your digital signature.

The world’s largest certification authorities are Sectigo (previously known as Comodo) and DigiCert. Both let you buy an SSL certificate that will last for a given period of time (their service plans usually extend to 1 or 2 years). You can also usually receive or buy an SSL certificate from your website hosting provider.

If you wish to receive an SSL certificate for free, then you can also use Let's Encrypt and FreeSSL. Their certificates come with certain restrictions, but their feature suite should be enough for most common websites.

So, how do you know which option works best for you? There are three SSL protocol types to choose from:

• Domain Validation (DV SSL) validates your domain name.
• Organization Validation (OV SSL) validates your domain name and organization.
• Extended Validation (EV SSL) is the most secure option.

A website’s certificate type usually says a lot about the company and their data security.

SSL certificates can also be categorized based on their properties:

• Single Certificate only applies to a single domain, specified during purchase.
• Wildcard certificates secure the domain and all its subdomains but are also noticeably more expensive.
• Unified Communications/SAN are a good choice for companies that manage multiple domains.
• If your domain uses Cyrillic, you should get IDN support.

1. Change your internal absolute links to relative links. This includes text links as well as hyperlinks to images, videos, and header files. You should also set up your remarketing code and various scripts to utilize relative links with the domain name and no HTTP (such as //site.com/script.js).

2. Generate a new sitemap.xml file containing HTTPS addresses.

3. Edit the robots.txt file by including the correct link that leads to sitemap.xml with the correct HTTPS address.

4. Don’t forget to change the internal links in the tags rel=canonical, rel=alternate, and others if you’re using them on your website.

1. Set up Code 301 redirects from HTTP to HTTPS. The pages of your old website should lead to similar pages on your new website. If you changed your website’s internal layout after migration, then you can set up redirects to the new pages that serve similar functions to those of the old pages, and then set up another redirect from the new page to the correct address.

2. The robots.txt file and your website’s XML map should be accessible as both HTTP and HTTPS destinations.
   The content of both versions should match so that the bot can parse both addresses when checking for mirrors.
   You should use the address of the new HTTPS mirror when specifying a link to the sitemap.xml file in both robots.txt files.

3. Check your server responses and make sure that all mirrors in your group redirect the user to your desired main mirror. If you’re using sub-domains, then make sure to set up redirects for them as well.
   
   This also applies to versions of the same link that start with WWW. Make sure to set up mirror migration that follows the format of HTTP://www.subdomain.domain.com → HTTPS://subdomain.domain.com if your SSL certificate only applies to first-level domains. Otherwise, connecting to a subdomain mirror that starts with the WWW will result in a security error.

Make sure the settings let you access analytics data for your new HTTPS mirror. If you set up a separate mirror in Google Search Console instead of a domain resource, you will have to add and validate the HTTPS website manually.

Now just wait for the mirrors to merge, which shouldn’t take long. It usually takes one or two weeks for the HTTPS version of a website to replace the old version in search results ranking. However, the old version might still show up in search results for some time, as traffic data in the Search Console will show.

Your work isn’t done once you send that migration request. Keep in mind that no search engine guarantees results, so keep a close eye on your website’s ranking and indexing after migration.

You can use tools that help you analyze your website’s internal layout (e.g., crawlers such as the free-to-use Xenu Link Sleuth). This will help you find internal absolute links you might’ve missed and weed out redirect chains. After you fix those issues, bots will have an easier time processing your website, which means quicker re-indexing. This also sends a signal that tells search engines that you keep your website up to date.

Also make sure to update your website address on Google Maps and in catalogs, which will produce first-quality links to your HTTPS mirror.