Why the changeover is often not as easy as expected:
More and more websites are encrypted, which is very positive for the security of user data and we also owe that to the GDPR. Unfortunately, some things can go wrong with an SSL conversion, for example, if the redirects from the non-encrypted to the encrypted version of the page are not set correctly.
Automatic conversion to https by the host can be tricky here. So I almost fell into the trap with my private blog and would have got my problems with my visibility on Google if I hadn’t become suspicious. It’s better to look closer than to risk a drop in the number of visitors.
Easy SSL conversion?
More and more hosters are offering a free SSL certificate, with some providers the switch to https is even done with just one click. I also switched my blog to SSL – with a simple click from the hoster Alfahosting. The free certificate was easily ordered, the desired domain selected and quick! The page was quickly converted to SSL after a few minutes, without having to redirect anything myself.
At first glance there was no evidence of duplicate content, the redirection worked flawlessly and my page was only accessible to me via the secure connection. Very convenient changeover! But how can that be? Does Alfahosting edit my .htaccess here?
Out of interest, I ran my blog through some of our tools. Finally, SEO knows from some painful experience that such an SSL conversion can have a critical impact on visibility.
I was horrified to find that the page is not redirected as it should be via a permanent 301 redirect, but via a 307 redirect. 307, a temporary diversion? Not good at all. In addition, the comment on the redirection for the Screaming Frog tool included: “HSTS Policy”. Never heard of.
In the Google Search Console, where I can test how Google sees the page, I was not shown any redirect. Now the confusion was complete.
307 forwarding and HSTS policy
After doing some research, I was smarter. HSTS is the abbreviation for “HTTP Strict Transport Security” and an important building block for the security of encryption. It makes an unencrypted call impossible and enforces the call over HTTPS. A 307-HSTS redirect does not happen on the server-side like the usual 301 or 302 redirects, but directly from the client, for example, the web browser. This is to prevent attacks on the transmitted data from happening during the server-side redirection from unencrypted to encrypted.
However, and this is critical in terms of search engine optimization, Google does not recognize this redirection. Therefore, you have to create a server-side 301 redirect in the .htaccess for the search engines to ensure that the encryption is also recognized technically correctly. Otherwise, there is a risk of duplicate content since the content for Google can be reached with both HTTP and HTTPS. Duplicate content confuses Google and can cause visibility to suffer. So be on the safe side and only ever offer Google one version of each content, otherwise, in doubt you will find the wrong page or no page at all in the index.
Better to take a closer look at the SSL changeover
An SSL conversion is always associated with thrills anyway, since a lot has to be taken into account when encrypting and forwarding. Even though it seems that it is easy to activate SSL encryption, you should take a closer look. The devil can be in the details and just because the redirect works for the human user doesn’t mean that the search engines recognize the redirects correctly.
Therefore, it is better to check too much how the redirection works. This can be done, for example, in the Search Console with the “call as through Google”. If no forwarding is displayed here, the alarm bells should ring and check whether a server-side redirection is missing.