HTTPS (HyperText Transfer Protocol Secure) is the encrypted version of HTTP — the protocol through which web browsers and servers communicate. HTTPS encrypts data in transit between the browser and server, protecting sensitive information (passwords, payment data, personal details) from interception. For SEO, HTTPS has been a confirmed Google ranking signal since 2014. All websites — not just those handling transactions or logins — should be served over HTTPS, as Google Chrome marks non-HTTPS sites as 'Not Secure', which reduces user trust and increases bounce rates.
Migrating from HTTP to HTTPS requires more than purchasing an SSL certificate. The migration involves implementing 301 redirects from all HTTP URLs to HTTPS equivalents, updating internal links to HTTPS, updating canonical tags, resubmitting XML sitemaps, and reverifying the HTTPS property in Google Search Console. An incomplete migration — with mixed content (HTTPS pages loading HTTP resources) or missing redirects — can cause ranking drops during an otherwise well-executed site improvement.
HTTPS migration checklist
- Install SSL certificate — free options include Let's Encrypt; paid options from your hosting provider or certificate authorities
- Enable HTTPS-only serving on the server — configure the server to reject HTTP and serve only HTTPS
- Implement 301 redirects — redirect all HTTP URLs to HTTPS equivalents at the server level
- Update internal links — change all internal links from http:// to https://
- Update canonical tags — change canonical URL declarations to HTTPS
- Fix mixed content — ensure all page resources (images, scripts, fonts) load over HTTPS
- Update Google Search Console — add and verify the HTTPS property; submit the updated sitemap
- Update external tools — analytics platforms, advertising tags, and third-party tools should use HTTPS URLs
Mixed content occurs when an HTTPS page loads some resources (images, scripts, stylesheets) over HTTP rather than HTTPS. Modern browsers block or warn about mixed content because HTTP resources on an HTTPS page create a partial security vulnerability — an attacker can intercept and modify the HTTP resources even though the page itself is served over HTTPS. For SEO, mixed content pages may not receive the full HTTPS ranking benefit and may trigger browser security warnings that increase bounce rate. Use the browser console or an audit tool to identify and fix mixed content after any HTTPS migration.
HTTPS is described by Google as a 'tiebreaker' signal — all else being equal, HTTPS pages rank above HTTP pages. In practice, the direct ranking impact of HTTPS is modest for most sites. The more significant impacts are indirect: user trust (browsers marking non-HTTPS sites as 'Not Secure' increases bounce rates), data accuracy (HTTPS referrer data passes cleanly in Google Analytics, whereas HTTP referrers are often stripped and appear as direct traffic), and credibility with users who notice the padlock icon. Any business website that has not yet moved to HTTPS should prioritise the migration.