Switching from HTTP to HTTPS – Migration Guide

HTTPS protocol

Switching to HTTPS protocol – What has to be considered?

The switching of websites to the secure HTTPS/SSL protocol has been on everyone’s lips for a long time. In addition to classifying SSL encryption as a ranking factor, Google also is going to identify websites as insecure if they do not use a secure protocol when retrieving user data, e.g. in forms. This makes the migration to HTTPS indispensable for most online offers and should not be postponed any longer, as otherwise a ranking loss can occur. In this article we will tell you what you should bear in mind when switching your website to HTTPS.

What are HTTPS, SSL and TLS?

HTTPS (HyperText Transfer Protocol Secure) is a communication protocol used to transfer data in a secure manner. If this protocol is not used, data transmitted over the Internet can theoretically be read by others as plain text. The protocol is very similar to HTTP, except that the data is encrypted using the SSL/TLS encryption protocol. SSL (Secure Sockets Layer) is the widely known term, although this standard is now obsolete and has been replaced by TLS (Transport Layer Security). In addition to encrypting the data, HTTPS also provides authentication for the connected partners, so that the identity of a website can be checked and thus cyber fraud such as phishing can be prevented.

Where can I get an SSL/TLS certificate?

SSL/TLS certificates are available from several vendors. It is certainly easiest to obtain the certificate directly from the hosting provider of your own website or web space, e.g. Host Europe GmbH. Alternatively, certificates can also be purchased from the certification bodies or through intermediaries. In order for a valid certificate to be issued, the identity of the purchaser must first be verified. There are three variants of validation procedures that meet different standards, as listed below:

Certificates with Domain Validation (DV):

The domain-validated certificates are suitable for smaller websites, e.g. with a contact form or for bloggers. The application only checks whether the applicant is in possession of the rights of use for the domain. The validation usually takes place via an e-mail to the domain holder. Domain-validated certificates are available from about 20 EUR per year.

Certificates with Organization Validation (OV):

The organization-validated certificate is suitable for websites where transactions with sensitive data take place. This type of validation is more extensive and therefore more secure than the domain validation, as the company information and the entry in the commercial register are also checked. Due to the complex validation process, this certificate is more expensive than the certificate with domain validation, but offers a higher degree of security. The offers start at approx. 180 EUR per year.

Certificates with Extended Validation (EV):

The Extended Validation certificate has the highest authentication level and is therefore suitable for websites that collect credit card information or other sensitive data. This certificate is only issued by special authorized awarding offices, that also check the company information in more detail. Since it guarantees the highest security level, it is also the most expensive certificate, the package prices start here at approx. 720 EUR per year.

Wildcard SSL Certificates

Furthermore, there are so-called Wildcard SSL certificates, which make it possible to protect any number of subdomains with only one certificate. This means that if a company uses several subdomains such as “shop.domain.com” or “domain.com”, they can be protected with only one certificate. For this type of certification, however, additional costs usually arise in addition to the usual certificate costs.

Free certificates – for technically experienced people

Another way to switch the website to SSL/TLS is to use free certificates.

For this Cloudflare offers a one-click SSL certification that allows the user to make each of his pages HTTPS-enabled with one click. The advantage is that SSL certificates cannot expire and the website owner does not have to inform himself regularly about possible SSL vulnerabilities in order to make adjustments in time. Cloudflare offers detailed integration instructions on its website: https://www.cloudflare.com/ssl/

Another provider is letsencrypt, which also offers a free variant of SSL certification. This requires the ACME protocol (Automatic Certificate Management Environment), which usually runs on the web host. In addition, the web host should have shell access or SSH access. A description of the installation is provided on the website: https://letsencrypt.org/getting-started/

With the free options, we strongly recommend that you contact a server administrator to avoid errors or even major conversion problems.

Steps to switch HTTP to HTTPS

The various procedures for switching from HTTP to HTTPS are explained in more detail below.

Search engines classify pages that can be reached with http:// and https:// as two different Internet addresses. If any redirect hasn’t been integrated, the website is accessible twice and with the same content. Therefore, it is important to set up a redirect from the HTTP site to the HTTPS site to avoid duplicate content. Below you will find some options for server-side redirects.

Note:

It is important that not only the homepage is forwarded correctly, but all URLs of a domain, as otherwise duplicate content can also be created by subpages.

301-Redirect

A 301-redirect transmits the HTTP status code 301 (moved permanently). This means that a URL or an HTML document has been permanently forwarded to another URL. The advantage of the 301-redirect is that this form of redirecting URLs passes on almost 100 percent of the linkjuice, i.e. the strength of the page through backlinks from other pages.

For example, the 301 redirect can be implemented via the .htaccess file for the Apache web server or via the PHP programming language.

PHP

<?php
if (isset($_SERVER["HTTPS"])===FALSE || empty($_SERVER["HTTPS"])===TRUE) {
   header("Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
   exit();
}

APACHE

RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Setup via vhost configuration

The “Virtual Host – vhost” configuration exists to redirect different host names to different contents.

The following VirtualHost configuration for Apache allows easy redirection from one domain to another. The ServerAlias directive on certain subdomains allows to forward all subdomains at once to the desired domain.

vHost Config for Apache

<VirtualHost _default_:80>
   ServerName www.example.com
   Redirect permanent / https://www.example.com/
</VirtualHost>
<VirtualHost _default_:443>
   ServerName www.example.com
   DocumentRoot /usr/local/apache2/htdocs
   SSLEngine On
# etc...
</VirtualHost>

NGINX

server {
  	listen     	80;
  	server_name	example.com;
  	return     	301 https://$server_name$request_uri;
}

Canonical-Link

Additionally a canonical link should be implemented. This tag tells search engines to index only the linked canonical URL. As a result, the HTTP page no longer appears in the search results. The implementation of a canonical tag is only a recommendation to the search engine not to index the corresponding page and does not provide the optimal solution for a switch from HTTP to HTTPS.

Note:

In this context it should not be forgotten that already set canonical tags on the website must be adapted, because these may still be provided with the HTTP protocol.

Internal linking

Internal links include not only the links in the page navigation, but also links that have been set manually. Many content management and shop systems already adapt most links automatically after a switch. However, you should check all links to avoid unnecessary redirections.

Internal Links:

Even if 301-redirects prevent incorrect links, all internal links should be changed after switching to HTTPS. If your CMS does not change automatically, internal links must be changed manually.

External Links:

To make changes to external links, you have to contact the person who set the link to your website. Depending on how many external links there are, it is advisable to get in touch with all or rather the most important sites and ask for a change.

Javascript, CSS files, images etc.

Don’t forget the switching of embedded media (images, videos, CSS, JS), which must also be referenced via HTTPS. These often are not changed automatically and require manual processing. This also includes stylesheet or JavaScript files and external plug-ins, e.g. from Facebook.

Note:

If embedded media have not been converted to secure HTTPS, annoying messages will appear in the browser.

XML Sitemaps

An XML sitemap is used to make it easier for search engines to index web pages. Basically, an XML sitemap is a list of all subpages of a website and should ensure that all web pages are found and crawled by search engine robots. When switching to HTTPS, the XML sitemaps must be regenerated using HTTPS URLs.

HREFLang links

Many online shops or websites are available in several languages. The content of pages in different languages usually differs only slightly, so it is important to communicate the geographical orientation to Google as well. This not only informs the search engine which pages in which country should be displayed in the search results, but also improves usability for the user. Google itself recommends using the link attribute markup rel=”alternate” hreflang=”x”. If this has already been integrated on basis of the website’s http://page, it also has to be changed during the switching to https://.

It could look like this:

<link rel="alternate" href="https://www.example.com/de" hreflang="de-de" />
<link rel="alternate" href="https://www.example.com/en" hreflang="en" />

What else should be considered?

Google Analytics / Tracking

In order to retrieve data from the new property in Analytics, the Google Search Console must be re-linked with Google Analytics. In the settings for property and data view at Google Analytics the URL of the website should be changed, so that from now on all data of the HTTPS page can be received. Therefore a redirect from HTTP to HTTPS is required.

Google Search Console

Create a new property of the HTTPS version in the Google Search Console. You can easily check if there are hints or error messages when indexing the new pages. Not to be forgotten is the updating and storage of any XML Sitemap. (see XML Sitemaps)

A new property must be set up and, if available, a newly created sitemap with HTTPS URLs must be submitted. In order for Google to quickly become aware of the new protocol of the domain and index its content, the search engine should be asked to crawl the new website.

In the Google Search Console, you can send individual URLs to the Google index by using the menu item “Crawling” > “Open Fetch as Google”. The Search Console provides enough information about this process.

Google AdWords / Bing Ads

Adware like Google AdWords or Bing Ads should also be adapted to the protocol of URLs. You should switch the target pages from HTTP to HTTPS accordingly. In Google Adwords this can be done in the ad processing via a simple dropdown field next to the target URL.

Summary / Checklist

Here you will find a summary of all the important steps you should consider when switching from HTTP to HTTPS:

  • Set up server-side 301-redirect (for all subpages!)
  • Customize or add canonical links
  • Update Google Search Console
  • Update Hreflang Markup
  • Update Google Search Console
  • Update XML Sitemap
  • Migrate web statistics tools such as Google Analytics
  • Customize external and internal links
  • Check images, videos, CSS, JS and change them if necessary
  • Customize URLs in adware (AdWords etc.)

With Seobility you can easily test which discrepancies are present on your website and then optimize your site. Redirects from HTTP to HTTPS are analyzed and in case of problems the tool shows you corresponding errors. If your website is accessible using HTTP and HTTPS, pages are indexed several times and duplicate content is generated. This strongly has to be avoided.

One last note

An invalid or expired certificate leads to a warning message in the browser window – the goal of conveying trust and security to the user is thus missed. So update your certificates in time so that the user is not discouraged by alerts.

Note that Google needs some time to completely re-index your website. So you have to be patient until the switch completely has arrived at Google.

Further information:

https://orangebox.co.uk/how-to-changeover-to-https-protocol-from-http-and-improve-security/

Image: Website with ssl certificate @fotolia/gomixer

seobility

AvatarThe Seobility teams supports you gladly with any questions regarding the optimization of your website.

4 thoughts on “Switching from HTTP to HTTPS – Migration Guide

Avatar
Skrotbiler Reply
25. March 2019 20:21

Thanks so much for the article, to support me as i was confuse after using https and ssl.

Avatar
Komodo tours Reply
14. February 2019 6:04

Thanks so much for the article, to support me as i was confuse after using https and ssl. Hope make better protection and trusted to my website.

Avatar
Urmil Skin Clinic Reply
18. January 2019 8:26

Very good article I read the whole contents then i could be able to understand How to convert our website HTTP to HTTPS , so thanks for publishing this most helpful articles.

Avatar
wordpress Reply
10. January 2019 18:16

Awesome article I was for such as was just transferred to ssl

Leave a Reply

Your email address will not be published. Required fields are marked *