HTTPS By Default

2 weeks ago, I wrote a blog post suggesting that in 2016, we would see rankings increase for websites that run through HTTPS. Yesterday, we came one step closer to this happening when Google announced that it would now start indexing secure pages by default.

What this means is that if your website can run securely through HTTPS, then Google will rank the HTTPS version of a page and not the non-secure version. It will do this providing that some conditions are met (listed below) and it can detect an identical secure version of a non-secure page.

On the front of it, it seems like Google is trying to make the change so they put as little reliance on webmasters as possible. However, the below list of conditions will mean that Google probably won’t have a blanket success.

• It doesn’t contain insecure dependencies.
• It isn’t blocked from crawling by robots.txt.
• It doesn’t redirect users to or through an insecure HTTP page.
• It doesn’t have a rel=”canonical” link to the HTTP page.
• It doesn’t contain a ‘noindex’ robots meta tag.
• It doesn’t have on-host outlinks to HTTP URLs.
• The sitemaps lists the HTTPS URL, or doesn’t list the HTTP version of the URL
• The server has a valid TLS certificate.

But, what if my website already has an SSL certificate?

Providing a website does already have an SSL certificate, there are 3 points for me that will stop Google ranking a lot of secure pages by default:

“It doesn’t contain insecure dependencies.” 

Lots of websites use lots of plugins, that use lots of libraries and external resources. A web page that links to an API or a library that isn’t running HTTPS will not automatically switch to HTTPS. I think a lot of the internet will fall foul of this, which will prevent Google ranking secure pages by default.

“It doesn’t have a rel=”canonical” link to the HTTP page.”

Webmasters have spent a long time putting canonical tags into their websites. If these have been done relative, then there shouldn’t be an issue. However, if it hasn’t, then many pages won’t default to HTTPS.

“The sitemaps lists the HTTPS URL, or doesn’t list the HTTP version of the URL.”

Like the canonical issues, if the sitemap is relative to the domain, then it should be OK, but i don’t think this will be the case for a lot of websites. Generally. only websites that have intentionally got and linked to HTTPS pages would default to HTTPS which won’t be many.

What does this mean for Webmasters?

This means that most people will still need to put the work into making the change, which is a signal from Google that they are ramping up their efforts and I still think that we will see ranking increases in 2016.

At the moment, Google have not said they are ranking HTTP higher, they are just saying they will index the secure version over a non-secure version by default. This is one reason why website security should be your number one concern and is necessary for all website owners to take note of.