HTTPS & SSL: ensuring user trust… and AI bots.

Category: Authority
Last update: July 30, 2025

Description

HTTPS/SSL security encrypts communications between the browser and the server via SSL/TLS certificates, protecting the integrity and confidentiality of transmitted data.

It is a mandatory standard for collecting sensitive data and positively influences SEO.

Browsers now flag unsecured sites, impacting user trust.

Why is this important for AI search?

HTTPS security is a fundamental trust signal that LLMs incorporate into their assessment of source credibility. Models favor secure sources when generating answers, particularly for sensitive topics or personal information.

A non-secure site may be deprioritized or excluded from citations, as security has become a core criterion for algorithmic trust.

Technical details

  1. "https://" protocol on the page URL
  2. Validity of the domain's SSL certificate
  3. Security of external resources (scripts, links, iframes)
  4. HTTPS redirects and subdomains
  5. Certificate issued by a recognized authority
  6. Presence of an HSTS (Strict-Transport-Security) HTTP header

1. "https://" protocol on the page URL

HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP. It ensures that data exchanged between the user's browser and the website is encrypted, thus protecting the confidentiality and integrity of the information. Google has made HTTPS a ranking factor, and generative AI engines also favor secure sources for their answers.

Make sure all pages on your site are accessible via https:// and that the protocol is applied consistently across the entire domain. Any attempt to access a page via http:// should be automatically redirected to the secure version.

2. Validity of the domain's SSL certificate

The Secure Sockets Layer (SSL) certificate is a digital file that authenticates a website's identity and enables an encrypted connection. A valid SSL certificate is essential for establishing a secure HTTPS connection. An expired, revoked, or invalid certificate triggers security warnings for users and search engines, severely damaging trust and SEO.

Regularly check the validity of your SSL certificate. Make sure it's up to date and that there are no configuration errors. Online tools allow you to quickly check the status of your certificate.

3. Security of external resources (scripts, links, iframes)

For a page to be fully secure over HTTPS, all resources it loads (images, scripts, stylesheets, iframes, etc.) must also be loaded over HTTPS. Loading insecure resources on an HTTPS page (mixed content) can result in security warnings and compromise the trust of users and search engines.

It is advisable to audit all external resources loaded on your pages to ensure they use the HTTPS protocol. Update the URLs of resources from http:// to https:// or use relative URLs if possible.

4. HTTPS redirects and subdomains

HTTPS protocol consistency must extend across your entire domain, including subdomains and all redirects. An insecure subdomain or a redirect that goes through an HTTP version can create vulnerabilities and indexing issues.

Make sure all subdomains (e.g., blog.yourdomain.com, shop.yourdomain.com) and all redirect chains consistently lead to HTTPS versions. Avoid redirect loops or multiple redirects that can slow page load times.

5. Certificate issued by a recognized authority

To be considered trustworthy by browsers and search engines, an SSL certificate must be issued by a recognized Certificate Authority (CA). Self-signed certificates, while technically valid for encryption, are not trusted by browsers because they cannot be verified by a trusted third party, which leads to security warnings.

Obtain your SSL certificate from a recognized certificate authority (e.g., Let's Encrypt, DigiCert, GlobalSign). Avoid using self-signed certificates for publicly accessible sites.

6. Presence of an HSTS (Strict-Transport-Security) HTTP header

The Strict-Transport-Security (HSTS) HTTP header is a security policy that forces web browsers to interact with a website only over HTTPS connections. This helps prevent man-in-the-middle attacks and ensures that users cannot accidentally access an insecure version of the site.

Implement the HSTS header on your web server. This tells browsers to always use HTTPS for your domain, even if the user types http:// or clicks on an http:// link. The HSTS header should be configured with an appropriate max-age and, if applicable, include the includeSubDomains parameter.
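One way to check the header described above, as an added example that is not code from this page or its tool: a small Python auditor that parses a Strict-Transport-Security value following RFC 6797 syntax and reports weak settings. The function names, the one-year MIN_MAX_AGE threshold and the sample header values are assumptions made for illustration.

```python
# Audit a Strict-Transport-Security header value (RFC 6797 syntax).
# MIN_MAX_AGE is an assumed policy threshold, not a value from the page.
MIN_MAX_AGE = 31536000  # one year in seconds (assumption)

def parse_hsts(value):
    """Split a raw header value into (directives, errors)."""
    directives, errors = {}, []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:       # each directive may appear only once
            errors.append(f"duplicate directive: {name}")
            continue
        # A value may be a token or a quoted-string; valueless directives get None.
        directives[name] = arg.strip().strip('"') if sep else None
    return directives, errors

def audit_hsts(value, scheme="https"):
    """Return a list of findings; an empty list means the policy passes."""
    if scheme != "https":
        return ["header sent over plain HTTP is ignored by browsers"]
    if value is None:
        return ["header missing"]
    directives, findings = parse_hsts(value)
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdecimal():
        findings.append("max-age missing or not an integer")
    elif int(max_age) == 0:
        findings.append("max-age=0 removes the HSTS policy")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"max-age below {MIN_MAX_AGE} seconds")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set (subdomains are not covered)")
    return findings

# Constructed sample header values, not captured from a real site.
SAMPLES = [
    "max-age=63072000; includeSubDomains",
    "max-age=300",
    'Max-Age="31536000"; INCLUDESUBDOMAINS; max-age=0',
    "includeSubDomains",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", audit_hsts(sample) or "OK")
```

Whether a missing includeSubDomains is a real problem depends on whether every subdomain already serves HTTPS, so treat that finding as a prompt to check rather than a failure.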
