This post is part one of a two part series on HTTPs and HTTP/2 migra­tions. To learn more about migrat­ing to HTTP/2, click here.

On Septem­ber 8th 2016, Google announced that in 2017, they will “mark HTTP pages that collect pass­words or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.” Simply put, Google is moving closer to a secure web by includ­ing warn­ings in the Chrome browser for sites that are not secure.

2017 is right around the corner, but it’s not too late to learn how to migrate your website to HTTPs. In this blog post, you’ll learn about why this change happened, what it means for your website, and how you can get your HTTPs migra­tion up and running.

How did we get here?

Since the 2014 I/O Confer­ence, Google has made secu­rity one of their top prior­i­ties both for their own prop­er­ties as well as the web as a whole. In 2014, Google indi­cated that websites served over HTTPs would receive a rank­ings boost going forward. This came as big news to many in the SEO indus­try, but the ROI asso­ci­ated with a migra­tion of this magni­tude remained unclear.

Conven­tional wisdom indi­cated that the move to HTTPs, espe­cially for large, enter­prise sites, incurred more risk than reward. HTTPs migra­tions aren’t without compli­ca­tions, and many compa­nies have actu­ally expe­ri­enced a drop in SEO visi­bil­ity when they migrated to HTTPs (’s migra­tion is a good example).

So what has changed? Simply put, we are reach­ing crit­i­cal mass. When Google announced the initia­tive to reward secure websites, only about 7% of all page 1 Google search results were secure websites. Now, that number is closer to 30% and is growing rapidly.

Numer­ous sites have already taken the plunge into HTTPs, and the number contin­ues to increase. Accord­ing to BuiltWith, of the top million sites, 9% are currently SSL by default. This is up from 2.7% in Septem­ber 2015.

Top Million Sites with SSL by Default —

Clearly, the scales have started to tip in favor of those with secure sites. But despite the diffi­cul­ties of migra­tion, there are measur­able bene­fits.

Site security affects your brand, for better or worse

If the small rank­ings boost wasn’t moti­va­tion enough, the website shaming immi­nent in 2017 greatly increases the risk of nega­tive brand asso­ci­a­tions. Having your site flagged by Chrome as inse­cure will certainly have an adverse impact on your brand. But, the converse is true for secure sites.

Having an HTTPs site not only provides an added level of secu­rity, but also builds customer trust. Accord­ing to a study by Glob­al­Sign, over 9 out of 10 customers are more likely to trust a site, leave personal infor­ma­tion, or make a purchase when they know their data is sent over a secure connec­tion.

Even more astound­ing? 55% of users are worried about iden­tity theft online. 77% of users are concerned about their data being misused online. And a whop­ping 84% would abandon a purchase if data was sent over an inse­cure connec­tion. Unsur­pris­ingly, users look for secu­rity indi­ca­tors before taking action online:

Clearly, HTTPs is impor­tant not just for your search rank­ings, but also for main­tain­ing posi­tive brand­ing and achiev­ing maximum ROI.

HTTPs improves your analytics data

When an HTTPs (secure) site links to an HTTP (non-secure) site, this can cause the header infor­ma­tion to be blocked. This means that if your site is not secure, and a secure site (like Google) links to you, any header infor­ma­tion from that domain is missing and the sessions are cate­go­rized as “Direct” in Google Analyt­ics. Simply put, not having a secure site makes header information—such as refer­ral source—more likely to be incor­rect.

There are two solu­tions to this problem:

  • Completely migrate the whole site to HTTPs.
  • Add the HTML5 tag <meta name="referrer" content="always" /> to the head of the HTML docu­ment.

Because the HTML5 tag is currently supported on limited browsers, it’s wise to fully migrate to HTTPs to prevent data confu­sion in your analyt­ics plat­form. Here’s how you do it.

How to Migrate to HTTPs

First things first: obtain an SSL certificate

Before you start migrat­ing to HTTPs, you need to make sure you obtain an SSL certifi­cate from a provider and install the certifi­cate on your server. This certifi­cate enables an encrypted connec­tion to the website and provides secu­rity for online commu­ni­ca­tions.

There are three types of certifi­cates:

  • Single certifi­cate — for single site (e.g.
  • Multi-domain certifi­cate — for multi­ple well-known sites (e.g.,,
  • Wild­card certifi­cate — for a site with many dynamic subdo­mains (e.g.,

Google recom­mends that your certifi­cate be 2048 bits, and the author­ity issuing the certifi­cate will need to verify that the web address belongs to your orga­ni­za­tion.

Google also recom­mends that webmas­ters use a web server that supports HTTP Strict Trans­port Secu­rity (HSTS) and that it is enabled. HSTS tells the browser to request pages using HTTPs auto­mat­i­cally even if the user enters “http” in the browser. HSTS also indi­cates to Google to serve secure URLs in search results.

The SSL certifi­cate should also be installed on your Content Deliv­ery Network (CDN). Addi­tion­ally, your origin URL should be updated on your CDN to point to HTTPs rather than HTTP. During this process, Search Discovery recom­mends enabling HTTP/2 simul­ta­ne­ously. But more on that in part 2.

Requirements Checklist for Analytics, Organic, & Paid

In order to success­fully migrate to HTTPs, make sure you do all of the follow­ing:

  • Update all links (hard coded and dynamic) to point to HTTPs
  • Update canon­i­cal tags, alter­nate tags and rel=prev/next tags to point to HTTPs
  • Update any custom JavaScript and AJAX Libraries to HTTPs
  • Add server-side 301 redi­rects from HTTP to HTTPs
  • Update legacy 301 redi­rects to point to their new HTTPs target
  • Ensure that HTTPs is not blocked in the site’s robots.txt file
  • Update all exter­nal plugins to ensure that they are HTTPs compli­ant
  • Update ad code and pixels to support HTTPs
  • Ensure that analyt­ics is config­ured to track HTTPs
  • Update social sharing counts (if applic­a­ble) to count both HTTP and HTTPs or chooses one based on cut-off date
  • Also update social media links to point to HTTPs
  • Develop and submit new HTTPs sitemaps
  • Verify HTTPs site(s) with Google Search Console and Bing Webmas­ter Tools
  • Update any paid search campaigns to avoid redi­rects

Possible Impact on Organic Search

As with any signif­i­cant site change, there is a strong like­li­hood of incur­ring rank fluc­tu­a­tions while search engines re-crawl and re-index your site. This fluc­tu­a­tion can take several weeks to settle, but engag­ing a partner to help provide guide­lines, gover­nance and migra­tion assis­tance can greatly mini­mize visi­bil­ity fluc­tu­a­tions and/or traffic loss.

As a general rule, a medium-sized website can take a few weeks for most pages to move in our index; larger sites can take longer. The speed at which Google­bot and our systems discover and process moved URLs largely depends on the number of URLs and your server speed. Submit­ting a sitemap can help make the discovery process quicker, and it’s fine to move your site in sections. -Google

While secur­ing your website may lead to some increased rank­ings in Google, secur­ing your customer’s data is simply the right thing to do for your brand. Customers trust websites that are secure, and HTTPs will build that trust while also increas­ing conver­sions. Plus, you’ll be making the web a more secure place for every­one in the process.

Now, for part two: HTTP/2 migra­tions! Read on to learn more about how the site speed improve­ments with HTTP/2 can have a major impact on your site traffic and revenue.

Got more ques­tions? Need some help getting your HTTPs migra­tion up and running? Our SEO team has a proven record of seam­lessly migrat­ing sites without sacri­fic­ing search rank­ings. Contact us for more infor­ma­tion!