HTTP to HTTPS Migration: Redirects, Mixed Content, HSTS
SSL/TLS stopped being optional back in 2018, when Chrome flagged HTTP sites as "Not Secure" and Google made HTTPS a ranking signal. Migrating sounds trivial (install cert → redirect), yet 30% of projects lose traffic because of mixed content, wrong canonical tags, or forgotten subdomains. Here is a step-by-step plan that preserves SEO and maximises security.
Step 1. Certificate
Free option — Let's Encrypt via certbot or acme.sh. Paid (EV, unlimited wildcards) — DigiCert, Sectigo. certbot one-liner:
certbot --nginx -d example.com -d www.example.com --redirect --hsts --staple-ocsp
--redirect installs the 301, --hsts adds the header, --staple-ocsp enables OCSP stapling.
Step 2. 301 redirect HTTP → HTTPS
nginx:
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}
Apache (.htaccess):
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
Use 301 (permanent) — 302 does not pass link equity. Verify with curl -I http://example.com.
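The curl -I verification above is easy to eyeball once, but a redirect has several ways to be subtly wrong: a 302 instead of 301, a Location that still points at http://, a dropped path or query string, or a host copied from the request (the Apache rule builds its target from %{HTTP_HOST}, i.e. whatever Host header the client sent, so the checker pins the destination to an allow-list). The following Python checker is an added example, not part of the original article; parse_head, check_redirect, ALLOWED_HOSTS and the two sample response heads are assumptions constructed for it.

```python
from urllib.parse import urlsplit

# Hostnames the redirect is allowed to send users to (assumption for this example).
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def parse_head(raw: str):
    """Split a response head of the kind `curl -I` prints into (status code, {header: value})."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])          # "HTTP/1.1 301 Moved Permanently" -> 301
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # split on the first colon only, URLs contain colons
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(status: int, headers: dict, request_uri: str) -> list:
    """Return the problems with an HTTP->HTTPS redirect response; an empty list means it is correct."""
    issues = []
    if status != 301:
        issues.append(f"status {status}: use 301 so search engines pass link equity")
    location = headers.get("location")
    if location is None:
        issues.append("no Location header")
        return issues
    target = urlsplit(location)
    if target.scheme != "https":
        issues.append(f"Location scheme is {target.scheme!r}, expected https")
    # A rule built on %{HTTP_HOST} echoes the client's Host header; the destination host must be one of ours.
    if target.hostname not in ALLOWED_HOSTS:
        issues.append(f"Location host {target.hostname!r} is not an allowed host")
    target_uri = target.path + (f"?{target.query}" if target.query else "")
    if target_uri != request_uri:
        issues.append(f"request URI {request_uri!r} became {target_uri!r}; deep links would break")
    return issues


# Constructed response heads, shaped like the output of `curl -I http://example.com/blog/post?x=1`.
GOOD_HEAD = """HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://example.com/blog/post?x=1
Content-Length: 0
"""

BAD_HEAD = """HTTP/1.1 302 Found
Server: Apache
Location: http://example.com/
"""

if __name__ == "__main__":
    for head in (GOOD_HEAD, BAD_HEAD):
        status, headers = parse_head(head)
        print(status, check_redirect(status, headers, "/blog/post?x=1") or "OK")
```

Run it against real output by piping `curl -sI http://example.com/some/path` into parse_head; the path you requested is the request_uri argument, so the check also catches configurations that redirect every URL to the homepage.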
Step 3. Mixed content
Mixed content occurs when an HTTPS page loads HTTP resources (scripts, CSS, images). Chrome blocks active content (JS, CSS) and warns on passive (img). Fix:
<!-- Bad -->
<img src="http://cdn.example.com/logo.png">
<script src="http://widgets.example.com/w.js"></script>
<!-- Good -->
<img src="https://cdn.example.com/logo.png">
<!-- or protocol-relative -->
<img src="//cdn.example.com/logo.png">
Automatic fix — Content-Security-Policy: upgrade-insecure-requests, which makes the browser rewrite http:// subresource requests to https:// before sending them, or block-all-mixed-content, which simply blocks them (now deprecated in favour of upgrade-insecure-requests).
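The CSP directive is the runtime safety net; the source of the mixed content still has to be found in templates and stored HTML. The scanner below is an added example (not from the original article) that walks a page and sorts http:// subresources into the two classes Chrome distinguishes, active (blocked) and passive (warned), and lists protocol-relative URLs separately. The tag table, MixedContentScanner, scan_mixed_content and SAMPLE_PAGE are assumptions constructed for the example.

```python
from html.parser import HTMLParser

# Tag/attribute pairs that fetch subresources, grouped by how Chrome treats them:
# active content (scripts, stylesheets, frames) is blocked outright, passive content is shown with a warning.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collect subresource URLs that are http:// (mixed content) or // (protocol-relative)."""

    def __init__(self):
        super().__init__()
        self.report = {"active": [], "passive": [], "protocol_relative": []}

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        # <link> only fetches a subresource for stylesheets; rel=canonical is a Step 5 concern, not mixed content.
        if tag == "link" and "stylesheet" in attrs.get("rel", "").lower():
            self._classify("active", tag, attrs.get("href", ""))
            return
        for attr in ("src", "data"):
            if (tag, attr) in ACTIVE:
                self._classify("active", tag, attrs.get(attr, ""))
            elif (tag, attr) in PASSIVE:
                self._classify("passive", tag, attrs.get(attr, ""))

    def _classify(self, kind, tag, url):
        url = url.strip()
        if url.lower().startswith("http://"):
            self.report[kind].append((tag, url))
        elif url.startswith("//"):
            self.report["protocol_relative"].append((tag, url))


def scan_mixed_content(html: str) -> dict:
    """Return {'active': [...], 'passive': [...], 'protocol_relative': [...]} for one HTML document."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.report


# Constructed sample page mixing the good and bad markup from the article.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://example.com/">
<script src="http://widgets.example.com/w.js"></script>
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://cdn.example.com/logo.png">
<img src="//cdn.example.com/hero.png">
</body></html>"""

if __name__ == "__main__":
    for kind, hits in scan_mixed_content(SAMPLE_PAGE).items():
        print(kind, hits)
```

Protocol-relative URLs are reported but not flagged: they inherit the page's scheme, so they are only safe once the 301 and HSTS guarantee the page itself is always HTTPS, and a plain https:// URL avoids the question entirely. Feed the scanner the rendered HTML of each template (or a crawl) rather than the source, since CMS plugins and stored post content are where leftover http:// references usually hide.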
Step 4. HSTS
After a week of stable HTTPS, enable HSTS:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Hold off on preload until every subdomain is HTTPS — rollback is painful. More in HTTP Security Headers.
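Because preload is hard to undo, it helps to check the header you actually serve against the preload prerequisites (max-age of at least one year, includeSubDomains, the preload token) before submitting, and to recognise max-age=0, which is the rollback value that tells browsers to forget the host. The following parser is an added example, not from the original article; parse_hsts, hsts_issues and PRELOAD_MIN_AGE are assumptions constructed for it.

```python
# Minimum max-age the HSTS preload list requires (one year in seconds).
PRELOAD_MIN_AGE = 31536000


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value into {directive: value-or-True}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def hsts_issues(value: str, want_preload: bool = False) -> list:
    """Return the problems with an HSTS header; pass want_preload=True to also check the preload prerequisites."""
    d = parse_hsts(value)
    issues = []
    raw = d.get("max-age")
    if raw is None or not str(raw).isdigit():
        issues.append("max-age missing or not a number; browsers ignore the header")
        return issues
    max_age = int(raw)
    if max_age == 0:
        issues.append("max-age=0 tells browsers to forget the host (the rollback value, not a rollout value)")
    if want_preload:
        if max_age < PRELOAD_MIN_AGE:
            issues.append(f"max-age {max_age} is below {PRELOAD_MIN_AGE}; preload requires at least one year")
        if "includesubdomains" not in d:
            issues.append("includeSubDomains missing; preload requires it, so every subdomain must already be HTTPS")
        if "preload" not in d:
            issues.append("preload directive missing")
    return issues


if __name__ == "__main__":
    for header in ("max-age=300", "max-age=31536000; includeSubDomains", "max-age=31536000; includeSubDomains; preload"):
        print(header, "->", hsts_issues(header, want_preload=True) or "ready for preload")
```

A sensible rollout is to serve a short max-age first (minutes, then days) without preload, watch for broken subdomains, and only raise it to a year and add preload once the checker returns no issues.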
Step 5. Canonical and Open Graph
Rewrite canonicals from http to https in every <link rel="canonical">, OG tag, sitemap.xml, robots.txt and CMS-driven 301.
Step 6. Google Search Console
HTTPS is a new GSC property. Register https://example.com separately, submit the sitemap, verify coverage after 1–2 weeks.
Step 7. Databases and internal links
SQL rewrite of links in posts:
UPDATE posts SET content = REPLACE(content, 'http://example.com', 'https://example.com');
UPDATE postmeta SET meta_value = REPLACE(meta_value, 'http://example.com', 'https://example.com');
WordPress: Better Search Replace. Drupal: `drush search-replace`.
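The plain SQL REPLACE above is fine for post bodies, but WordPress (and other PHP CMSs) also store options, widgets and some meta values as PHP-serialized arrays, where every string carries its byte length as s:N:"...". Changing http:// to https:// makes each such string one byte longer, the stored length no longer matches, and unserialize() fails; that is the reason tools like Better Search Replace exist. The following Python function is an added example (not from the article or from any of the tools it names) that performs a length-aware replacement and a consistency check; serialized_safe_replace, serialized_strings_consistent and the sample record are assumptions constructed for it.

```python
import re

# Opening of a PHP serialized string: s:<byte length>:"  (the payload is followed by ";)
_STR = re.compile(rb's:(\d+):"')


def serialized_safe_replace(data: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new everywhere, rewriting the s:N:"..." length prefixes so PHP can still unserialize()."""
    out = bytearray()
    pos = 0
    while True:
        m = _STR.search(data, pos)
        if not m:
            out += data[pos:].replace(old, new)   # trailing non-string bytes
            break
        start = m.end()                            # first payload byte
        end = start + int(m.group(1))              # lengths are byte counts, hence bytes not str
        if data[end:end + 2] != b'";':
            # Not a well-formed serialized string (e.g. plain text that happens to contain s:3:"); copy literally.
            out += data[pos:m.end()].replace(old, new)
            pos = m.end()
            continue
        out += data[pos:m.start()].replace(old, new)
        payload = data[start:end].replace(old, new)
        out += b's:%d:"' % len(payload) + payload + b'";'
        pos = end + 2
    return bytes(out)


def serialized_strings_consistent(data: bytes) -> bool:
    """True if every s:N:"..." string really has N payload bytes, which is what unserialize() requires."""
    pos = 0
    while True:
        m = _STR.search(data, pos)
        if not m:
            return True
        end = m.end() + int(m.group(1))
        if data[end:end + 2] != b'";':
            return False
        pos = end + 2


# Constructed sample meta_value: a serialized array holding a URL and an HTML snippet (quotes inside the payload
# are why the length prefix, not the next quote character, decides where a string ends).
SAMPLE_META = (b'a:2:{s:3:"url";s:24:"http://example.com/a.png";'
               b's:4:"html";s:31:"<a href="http://example.com/x">";}')

if __name__ == "__main__":
    naive = SAMPLE_META.replace(b"http://example.com", b"https://example.com")
    safe = serialized_safe_replace(SAMPLE_META, b"http://example.com", b"https://example.com")
    print("naive SQL-style REPLACE consistent:", serialized_strings_consistent(naive))
    print("length-aware replace consistent:  ", serialized_strings_consistent(safe))
    print(safe.decode())
```

Run the consistency check over the rows of options and postmeta after any bulk rewrite; a False result means the row will come back as a broken widget or empty setting, and the fix is to re-run the replacement with the length-aware version.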
Verification
- SSL Labs (ssllabs.com) — target grade A/A+
- Chrome DevTools → Console → watch for "Mixed Content" warnings
- enterno.io SSL Checker — expiry, chain, protocols
- Screaming Frog or curl — catch leftover HTTP links
FAQ
Will I lose SEO rankings? Not if 301s, HSTS and sitemap are correct. Google passes all equity through 301 and often rewards HTTPS.
What about a third-party script without HTTPS? Proxy it through your nginx with SSL or drop the dependency. Modern browsers block mixed content.
Do static blogs need HTTPS? Yes. ISPs inject ads into HTTP pages, there is no integrity guarantee, and Chrome marks HTTP as Not Secure.
What about subdomains? Each needs its own cert (or a wildcard *.example.com). HSTS with includeSubDomains requires coverage everywhere.
Conclusion
Playbook: certbot → 301 → fix mixed content → HSTS → update canonicals → register HTTPS property in GSC. Add SSL monitoring and validate via the Security Scanner. Related: HTTP Security Headers, Cookie Security.