Web Development | April 14, 2026

HTTPS and SSL: The SEO Baseline You Can't Skip

HTTPS has been a Google ranking signal since 2014. Here's what SSL actually does, the mistakes that break it, and how to check your setup is solid.

In August 2014, Google announced HTTPS as a ranking signal. At the time it was described as a lightweight factor — a tiebreaker, not a game-changer. That framing led a lot of site owners to deprioritize it. Twelve years later, every browser flags HTTP sites as "Not Secure," users bounce when they see that warning, and Google has made it clear that secure connections are table stakes for being taken seriously in search.

If your site is still on HTTP, or if you've migrated but have configuration issues underneath, this is one of the most impactful technical fixes you can make today. It's also one of the few where the SEO benefit, the security benefit, and the user trust benefit all point in the same direction.

This post covers what SSL actually does, the most common ways implementations go wrong, and how to verify your setup is solid.

What SSL Actually Does

SSL (and its modern successor TLS) does three things when a user connects to your site:

Encryption. Data transmitted between the browser and your server is encrypted. Without it, anyone on the same network — a coffee shop, an ISP, a malicious proxy — can read the traffic in plain text, including form submissions, login credentials, and session tokens.

Authentication. The SSL certificate proves that the server your browser is talking to is actually the server it claims to be. This prevents man-in-the-middle attacks where traffic is intercepted and modified before it reaches the user.

Data integrity. TLS includes mechanisms that detect if data has been tampered with in transit. Without it, content injection attacks — where your ISP or a network intermediary inserts ads or scripts into your page — are possible.

The certificate itself is issued by a Certificate Authority (CA) that browsers trust. When you visit an HTTPS site, your browser checks that the certificate is valid, hasn't expired, and was issued by a trusted CA. If any of those checks fail, you get a browser warning.

Common SSL Mistakes

Getting HTTPS set up is straightforward. Getting it set up correctly is where most sites fall down.

Mixed Content Warnings

Mixed content happens when an HTTPS page loads resources (images, scripts, stylesheets, iframes) over HTTP. The page itself is served securely, but some of its assets aren't. Browsers block or warn on mixed content, and the padlock icon disappears.

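The fix is finding every HTTP reference in your HTML, CSS, and JavaScript and updating it to HTTPS. A quick first-pass audit of one page's HTML (it only matches double-quoted src attributes, so stylesheet links, srcset entries, and CSS url() references need a separate look):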

# Check for http:// references in your HTML output
curl -s https://yourdomain.com | grep -Eo 'src="http://[^"]+"'

For sites on WordPress or similar CMSs, a search-replace in the database from http://yourdomain.com to https://yourdomain.com handles most of it. Tools like Better Search Replace or WP-CLI make this safe.
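A fuller version of that audit, as an added example that is not part of the original post: it parses the HTML instead of grepping it, so it also catches single-quoted attributes, stylesheet links, srcset candidates, and CSS url() references, and it skips plain `<a href>` links, which are not mixed content. The function names and the example.test sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# tag -> (URL attribute, class). Browsers block "active" loads (scripts,
# frames, stylesheets); "passive" ones (images, media) draw a warning or are
# upgraded to HTTPS by the browser.
SUBRESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "embed": ("src", "active"), "object": ("data", "active"),
    "link": ("href", "active"), "img": ("src", "passive"),
    "audio": ("src", "passive"), "video": ("src", "passive"),
    "source": ("src", "passive"),
}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.IGNORECASE)

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (class, tag, url) tuples

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        # <a href> is navigation and rel=canonical is metadata: neither loads.
        if tag not in SUBRESOURCES:
            return
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower():
            return
        attr, kind = SUBRESOURCES[tag]
        # srcset is a comma-separated list of "url descriptor" candidates.
        srcset = [c.split()[0] for c in attrs.get("srcset", "").split(",") if c.strip()]
        for url in [attrs.get(attr, "").strip()] + srcset:
            if url.lower().startswith("http://"):
                self.findings.append((kind, tag, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    # url() in <style> blocks or style attributes may be an image or a font,
    # so CSS references get their own class for manual review.
    return finder.findings + [("css", "style", u) for u in CSS_URL.findall(html)]

# Constructed sample page (example.test is a placeholder domain).
SAMPLE = """<link rel="canonical" href="http://example.test/">
<link rel='stylesheet' href='http://cdn.example.test/site.css'>
<style>body { background: url(http://cdn.example.test/bg.png) }</style>
<script src="http://cdn.example.test/app.js"></script>
<a href="http://example.test/about">About</a>
<img src="https://example.test/ok.png" srcset="http://cdn.example.test/a.png 1x, https://example.test/b.png 2x">"""
```

On the sample, the grep above would report only the script tag; the parser also reports the stylesheet, the srcset candidate, and the CSS background.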

Expired Certificates

SSL certificates expire. Standard certificates last 90 days (Let's Encrypt) or 1-2 years (paid CAs). An expired certificate produces a hard browser error that most users won't click through — effectively taking your site offline for them.

The solution is automation. Let's Encrypt with Certbot renews automatically. If you're using a paid cert, set a calendar reminder for 30 days before expiry. Some hosting providers handle this for you; verify that they do.

HTTP Redirects Not Configured

Installing an SSL certificate doesn't automatically redirect HTTP traffic to HTTPS. Both versions of your site can exist simultaneously, which causes duplicate content issues and means users or links hitting the HTTP version don't benefit from the secure connection.

You need a server-level redirect. For Nginx:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://yourdomain.com$request_uri;
}

For Apache, in your .htaccess:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Use 301 (permanent) redirects, not 302. This passes link equity and tells Google the move is permanent.

Wrong Certificate Type

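A certificate issued for yourdomain.com won't cover www.yourdomain.com unless it's a wildcard cert (*.yourdomain.com) or a multi-domain SAN cert that explicitly includes both. A wildcard matches a single subdomain label, so *.yourdomain.com covers www.yourdomain.com but not the bare yourdomain.com; that name has to be listed on the certificate as well. Choose your certificate to match how your site is actually accessed.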

How Users and Browsers React to HTTP Sites

Chrome, Firefox, and Safari all display a "Not Secure" warning in the address bar for HTTP pages. Chrome goes further — it shows a red warning for HTTP pages that have form inputs, which includes any login form or contact page.

The bounce rate impact is real. Studies consistently show that users who see the "Not Secure" warning are significantly more likely to leave before engaging. For SaaS sites where users need to enter credentials or payment info, running HTTP is functionally a conversion killer.

Beyond user behavior, HTTP-to-HTTPS redirects pass PageRank. If inbound links point to your HTTP URL and you're not redirecting, you're leaking link equity on every backlink you've earned.

Free vs. Paid SSL Options

Let's Encrypt is free, automated, and trusted by all major browsers. For the vast majority of sites — blogs, SaaS tools, portfolios, directories — it's the right choice. Certbot handles installation and auto-renewal on most Linux servers.

Paid certificates make sense when you need extended validation (EV) — the type that displays your organization name in some browsers — or when you need a wildcard cert for many subdomains and your host doesn't support Let's Encrypt automation. Providers include DigiCert, Sectigo, and GlobalSign. Prices range from $50-$300/year depending on type.

For most indie makers and SaaS founders, Let's Encrypt is sufficient.

How to Check Your SSL Setup

Two tools are worth bookmarking:

SSL Labs (ssllabs.com/ssltest): Runs a full analysis of your SSL configuration, including certificate validity, protocol support, cipher suites, and common vulnerabilities. Aim for an A or A+ rating. The report will call out specific issues if your configuration is weak.

Browser DevTools: Open the Network tab, reload your page, and look for any resources flagged as blocked or loading over HTTP. The Security tab in Chrome DevTools shows certificate details and flags mixed content specifically.

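A quick command-line check for certificate expiry (-servername sends SNI, so a server hosting several sites returns the certificate for your domain):

echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates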

This returns the notBefore and notAfter dates for your certificate. If notAfter is within 30 days, renew now.
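The expiry check above and the hostname-coverage point from "Wrong Certificate Type" can be combined into one script. This is an added example, not code from the original post: `fetch_cert`, `covers`, and `audit` are hypothetical helper names, and the sample certificate is constructed in the dict format returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5):
    """Return the validated leaf certificate as a dict (needs network access).
    An expired or mismatched certificate fails the handshake with
    ssl.SSLCertVerificationError before anything is returned."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def covers(pattern, host):
    """True if one SAN entry matches host. A wildcard stands for exactly one
    leftmost label, so *.example.test does not match example.test itself."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return pattern == host

def audit(cert, hostnames, now=None, warn_days=30):
    """Report days until notAfter and which hostnames the SAN list misses."""
    now = time.time() if now is None else now
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    return {
        "days_left": days_left,
        "renew_now": days_left <= warn_days,  # the 30-day rule from the text
        "uncovered": [h for h in hostnames if not any(covers(p, h) for p in sans)],
    }

# Constructed sample: a wildcard-only certificate for a placeholder domain.
SAMPLE_CERT = {
    "notBefore": "Jan 31 00:00:00 2026 GMT",
    "notAfter": "May  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "*.example.test"),),
}
```

Against a live site, call `audit(fetch_cert("yourdomain.com"), ["yourdomain.com", "www.yourdomain.com"])` from a scheduled job and alert when `renew_now` is true or `uncovered` is non-empty.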

SSL as a Trust Signal in Directories

SSL status is visible beyond just your own site. BacklinkLog checks and displays SSL status on every listing in the directory. When a founder or developer is browsing tools and comparing options, a listing flagged as lacking HTTPS is an immediate credibility hit — it signals that the product's technical hygiene may be lacking elsewhere too.

If you're getting your product listed on BacklinkLog or similar directories to build backlinks and organic visibility, make sure your SSL is clean before you submit. A listing with a broken certificate or mixed content warning undermines the trust signal the directory listing is supposed to provide in the first place.

Get the technical baseline right, then build on top of it. HTTPS is the floor, not the ceiling.
