
SEO Guide: Step 7: Security (What Google Expects in 2026)

12 min read · by LANGR SEO

SEO Guide: Step 7: Security

Welcome to Step 7 of the 13-Step SEO Guide. Security is not only about protecting your users; it has a real impact on your search rankings. Google has used HTTPS as a ranking signal since 2014, and expectations have only gone up since.

Most site owners think of security as binary: "We have SSL, so we're secure." In reality, Google evaluates several security signals and browsers enforce more of them every year. A site with correct security headers, a valid certificate chain and no mixed content has an edge over one with nothing but a basic SSL certificate, all else being equal: an expired certificate or blocked mixed content costs you visitors and rendered content whether or not it moves a ranking directly.

The good news: most security fixes are one-time configuration. Set them up once and they protect your rankings from then on.

SSL Configuration

SSL (technically TLS) encrypts the connection between your server and its visitors. Google confirmed HTTPS as a ranking signal in 2014. In 2026, missing HTTPS is not just a ranking issue: Chrome marks HTTP sites as "Not secure" in the address bar, which breaks user trust before the page even loads.

Requirements for a correct SSL setup:

| Requirement | Why | How to check |
|-------------|-----|--------------|
| Valid certificate | Expired = browser warning = users bounce | Check the expiry date |
| Full chain | Incomplete chains fail on some devices (the client cannot find the intermediate) | SSL Labs test |
| TLS 1.2+ | Older versions have known vulnerabilities | SSL Labs test |
| No SHA-1 | Deprecated; browsers reject SHA-1 signed certificates | Certificate details |
| SAN coverage | www and non-www must both be covered | Certificate details |
| Auto-renewal | Prevents expiry disasters | Let's Encrypt / provider config |

SSL scoring:

100% = Valid cert + Full chain + TLS 1.3 + Strong cipher + Auto-renew
  0% = Expired or missing certificate

Common SSL mistakes:

  1. Certificate expires without notice: set up monitoring (Step 6) that alerts at least 30 days before expiry
  2. Incomplete certificate chain: the server must send the intermediate certificate(s), not just the leaf
  3. Mixed content: an HTTPS page loading HTTP resources (images, scripts, stylesheets)
  4. Redirect loops: HTTP → HTTPS → HTTP cycles, typically when a CDN or proxy terminates TLS and the origin, seeing plain HTTP, redirects to HTTPS again
  5. Non-www vs www mismatch: the certificate covers one hostname but not the other

Quick win: run your domain through SSL Labs (ssllabs.com/ssltest). Anything below an "A" rating comes with actionable issues. Many hosting providers fix them with one click.

Security Headers

Security headers are HTTP response headers that instruct browsers how to behave when loading your site. They shut down whole categories of attack, and every automated security scanner checks for them.

The essential security headers:

Content-Security-Policy (CSP)

CSP is the most powerful security header. It tells the browser exactly which resources (scripts, styles, images, fonts, connections) are allowed to load on your page; anything else is blocked.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none';

Two things to note in that example: 'unsafe-inline' on style-src is a common compromise for CMS themes but weakens the policy, and img-src https: allows images from any HTTPS origin. Tighten both once you know which sources you really need.

What CSP prevents:

  • Cross-site scripting (XSS): injected script from a source not in the policy does not run
  • Injection of attacker-controlled resources (styles, frames, connections to foreign endpoints)
  • Clickjacking (via frame-ancestors)
  • Unauthorized script execution (cryptominers, ad injectors from compromised extensions or networks)

CSP deployment strategy:

  1. Start with Content-Security-Policy-Report-Only plus a report-to (or the older report-uri) directive, so violations are logged without anything being blocked
  2. Monitor the reports for 1-2 weeks across your real traffic
  3. Allow-list the legitimate sources the reports reveal
  4. Switch to the enforcing Content-Security-Policy header
  5. Keep the reporting directive in place for ongoing violation logging
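The rollout above, as an added example that is not part of the original guide: the policy is kept as data so the same object produces the report-only and the enforcing header, and the violation reports the browser posts back are reduced to "which source would this directive need" and counted, so genuine dependencies stand out from one-off noise. The policy sources, the /csp-report endpoint and the report bodies are constructed placeholders in the report-uri JSON shape; hostnames are illustrative.

```javascript
// Added example: CSP as data, the two header forms, and triage of the violation
// reports the browser posts back. Not code from the original guide; the policy
// sources, endpoint path and report bodies are constructed placeholders.

// One policy object drives both phases of the rollout.
const POLICY = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdn.example.com'],
  'style-src': ["'self'"],
  'img-src': ["'self'", 'data:'],
  'connect-src': ["'self'", 'https://api.example.com'],
  'frame-ancestors': ["'none'"],
  'report-uri': ['/csp-report'], // report-to also needs a Reporting-Endpoints header; report-uri is simpler to start with
};

// Serialise the policy; `enforce` chooses between the two header names.
function cspHeader(policy, enforce) {
  return {
    name: enforce ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only',
    value: Object.entries(policy).map(([d, srcs]) => `${d} ${srcs.join(' ')}`).join('; '),
  };
}

// Reduce one report-uri body ({"csp-report": {...}}) to the directive and the
// source expression you would have to add to allow it.
function triageReport(body) {
  const r = body['csp-report'];
  const directive = (r['effective-directive'] || r['violated-directive']).split(' ')[0];
  const blocked = r['blocked-uri'] || '';
  let source;
  if (blocked === 'inline' || blocked === 'eval') {
    source = `'unsafe-${blocked}'`; // flagged, not recommended: move the code to a file or use a nonce
  } else if (/^[a-z][a-z0-9+.-]*:$/i.test(blocked)) {
    source = blocked; // bare scheme, e.g. data: or blob:
  } else {
    try { source = new URL(blocked).origin; } catch { source = blocked; }
  }
  return { directive, source, document: r['document-uri'] };
}

// Group reports by directive and source, most frequent first, so real dependencies
// stand out from one-off noise (browser extensions, scanners, stale cached pages).
function aggregate(reports) {
  const counts = new Map();
  for (const body of reports) {
    const { directive, source } = triageReport(body);
    const key = `${directive}|${source}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts]
    .map(([key, count]) => { const [directive, source] = key.split('|'); return { directive, source, count }; })
    .sort((a, b) => b.count - a.count);
}

// Return a new policy with `source` allowed for `directive`. A directive that is
// absent falls back to default-src in the browser, so start from that list.
function allowSource(policy, directive, source) {
  const base = policy[directive] || policy['default-src'] || [];
  if (base.includes(source)) return policy;
  return { ...policy, [directive]: [...base, source] };
}

// Constructed sample reports; hostnames are placeholders.
function report(directive, blocked) {
  return { 'csp-report': { 'document-uri': 'https://www.example.com/', 'effective-directive': directive, 'violated-directive': directive, 'blocked-uri': blocked, 'original-policy': cspHeader(POLICY, false).value } };
}
const SAMPLE_REPORTS = [
  report('script-src', 'https://analytics.example.net/tag.js'),
  report('script-src', 'https://analytics.example.net/tag.js?v=2'),
  report('img-src', 'https://images.example.org/hero.jpg'),
  report('script-src', 'inline'),
];

// Rollout: phase 1 report-only, phase 2 allow what the reports show, phase 3 enforce.
console.log(cspHeader(POLICY, false));
console.log(aggregate(SAMPLE_REPORTS));
const tightened = allowSource(POLICY, 'script-src', 'https://analytics.example.net');
console.log(cspHeader(tightened, true));

module.exports = { POLICY, cspHeader, triageReport, aggregate, allowSource, SAMPLE_REPORTS };
```

The aggregation is the step people skip: a single report for an origin you have never heard of is usually an extension or a scanner and should not be allow-listed, while the same origin showing up hundreds of times across many document URIs is a real dependency. An 'inline' report is the exception: allow-listing it with 'unsafe-inline' reopens the XSS hole CSP was meant to close, so move that code into a file or use a nonce instead.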

X-Frame-Options

Prevents your site from being embedded in iframes on other domains (clickjacking protection). CSP's frame-ancestors directive supersedes it and takes precedence when both are present; keep X-Frame-Options for older browsers.

X-Frame-Options: DENY

Or, if you need to allow same-origin framing:

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

Prevents browsers from MIME-type sniffing (interpreting a file as a different type from the one declared in its Content-Type).

X-Content-Type-Options: nosniff

This one-liner stops the browser from treating a file served as image/jpeg as HTML or script because its contents look like one, and makes it refuse cross-origin scripts and stylesheets delivered with the wrong Content-Type. It only helps if your server sends correct Content-Type headers in the first place.

Referrer-Policy

Controls how much referrer information is sent when users follow links or load resources from your site.

Referrer-Policy: strict-origin-when-cross-origin

This sends the full URL for same-origin requests, only the origin (scheme and host) for cross-origin requests, and nothing at all when going from HTTPS to HTTP. It balances analytics needs with privacy. It is also the default in current browsers (Chrome since version 85, Firefox since 87), so setting it explicitly mainly protects users of older browsers and documents your intent.

Permissions-Policy

Controls which browser features (camera, microphone, geolocation, payment, etc.) your site, and the scripts and iframes it embeds, may use.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

Disabling features you don't use prevents third-party scripts and embedded iframes from abusing them.

Header implementation example (Next.js):

// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
      ]
    }]
  }
}

Header implementation (Apache .htaccess; requires mod_headers to be enabled):

Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Header implementation (Nginx):

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Two Nginx details bite people here. The always flag makes Nginx send the headers on error responses too; without it they are only added to 2xx and 3xx responses. And add_header directives are inherited from the parent block only if the current block sets none of its own, so a location block with a single add_header of its own silently drops every one of these. Repeat the full set in such blocks, or keep them in an include file.

Quick win: add the five headers above to your server config. It takes five minutes and immediately improves your score in any scanning tool. CSP is the one that needs per-site work; roll it out separately via the report-only route described above.

HSTS Preload

HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for your domain. Once a browser has seen the header, it rewrites every http:// link and typed URL for that domain to https:// locally, before any request leaves the machine, so an attacker on the network never sees a plaintext request to intercept or a redirect to tamper with. The gap is the very first visit, which can still start over HTTP (vulnerable to interception) before the HTTP → HTTPS redirect delivers the header; that is what the preload list addresses.

HSTS heda:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The three directives:

| Directive | Meaning |
|-----------|---------|
| max-age=31536000 | Remember this for 1 year (value in seconds) |
| includeSubDomains | Apply to all subdomains too |
| preload | Signals consent to inclusion in the browser preload lists |

HSTS preload list:

HSTS on its own has the first-visit gap described above. Browsers ship with a built-in list of domains that must always use HTTPS. Submitting your domain at hstspreload.org means:

  • First-time visitors get HTTPS immediately (no HTTP → HTTPS redirect to intercept)
  • Attackers cannot downgrade the connection to HTTP, even on the first visit
  • It is effectively permanent (removal takes months to propagate to browser releases)

Requirements for HSTS preload:

  1. A valid HTTPS certificate
  2. Redirect all HTTP requests to HTTPS on the same host (if you serve port 80 at all)
  3. The HSTS header on the HTTPS response with max-age >= 31536000
  4. The HSTS header includes includeSubDomains
  5. The HSTS header includes preload
  6. Every subdomain, including internal and staging ones, serves HTTPS

Warning: do not submit to the preload list if ALL subdomains do not support HTTPS. The includeSubDomains directive means any HTTP-only subdomain (an intranet tool, a staging server, a vendor-hosted CNAME) becomes unreachable for every visitor whose browser carries the list. Ramp up first: deploy with a short max-age, verify nothing breaks, then raise it to a year and add preload.

Quick win: if you already have HTTPS on all subdomains, add the full HSTS header and submit at hstspreload.org. Processing takes a few weeks, but the protection is then permanent.
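One audit function serving both the Security Headers section and the HSTS preload requirements above, added here as an example and not code from the original guide: it takes a plain header object (for instance Object.fromEntries(response.headers) from Node's fetch) and returns the findings a scanner would report, parsing the Strict-Transport-Security directives against the 1-year, includeSubDomains and preload requirements. The two sample header sets are constructed; the live mode, header names of the findings and the version-leak checks on Server and X-Powered-By are this example's own additions.

```javascript
// Added example: audit a response's security headers against the sections
// above, including the HSTS preload requirements. Not code from the original
// guide. Works on a plain header object (e.g. Object.fromEntries(response.headers)
// from Node's fetch) or on the constructed samples at the bottom.

const ONE_YEAR = 31536000;

// "max-age=31536000; includeSubDomains; preload" -> structured object.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const token = raw.trim();
    const lower = token.toLowerCase();
    if (lower.startsWith('max-age=')) {
      const n = Number.parseInt(token.slice(8).replace(/"/g, ''), 10);
      out.maxAge = Number.isNaN(n) ? null : n;
    } else if (lower === 'includesubdomains') out.includeSubDomains = true;
    else if (lower === 'preload') out.preload = true;
  }
  return out;
}

// Header names are case-insensitive; normalise once.
function lowerKeys(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
}

function auditHeaders(headers) {
  const h = lowerKeys(headers);
  const findings = [];

  const hstsRaw = h['strict-transport-security'];
  if (!hstsRaw) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const hsts = parseHsts(hstsRaw);
    if (hsts.maxAge === null) findings.push('HSTS max-age missing');
    else if (hsts.maxAge < ONE_YEAR) findings.push(`HSTS max-age ${hsts.maxAge} is below the 1-year preload minimum`);
    if (!hsts.includeSubDomains) findings.push('HSTS lacks includeSubDomains (required for preload)');
    if (!hsts.preload) findings.push('HSTS lacks the preload directive');
  }

  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push(h['content-security-policy-report-only'] ? 'CSP is still in report-only mode' : 'missing Content-Security-Policy');
  } else if (/script-src[^;]*'unsafe-inline'/.test(csp) && !/'nonce-|'sha(256|384|512)-/.test(csp)) {
    // With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline' (legacy fallback); alone it defeats XSS protection.
    findings.push("CSP script-src allows 'unsafe-inline' with no nonce or hash");
  }
  const framingControlled = (csp && /frame-ancestors/.test(csp)) || Boolean(h['x-frame-options']);
  if (!framingControlled) findings.push('no clickjacking protection (frame-ancestors or X-Frame-Options)');

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');

  const rp = (h['referrer-policy'] || '').toLowerCase();
  if (!rp) findings.push('missing Referrer-Policy');
  else if (rp === 'unsafe-url' || rp === 'no-referrer-when-downgrade') findings.push(`Referrer-Policy ${rp} leaks full URLs cross-origin`);

  if (!h['permissions-policy']) findings.push('missing Permissions-Policy');

  // Information leaks (the vulnerability-scanning section below lists these too).
  if (h['x-powered-by']) findings.push(`X-Powered-By reveals the stack: ${h['x-powered-by']}`);
  if (/\d/.test(h['server'] || '')) findings.push(`Server header reveals a version: ${h['server']}`);
  return findings;
}

// Constructed samples (values illustrative; the nonce is a placeholder).
const HARDENED_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  Server: 'nginx',
};
const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=300',
  'X-Frame-Options': 'SAMEORIGIN',
  'Referrer-Policy': 'unsafe-url',
  Server: 'nginx/1.24.0',
  'X-Powered-By': 'Express',
};

// node header-audit.js https://www.example.com/   (Node 18+ for global fetch)
// redirect: 'manual' audits the exact URL's response; for preload the HTTP -> HTTPS
// redirect itself must already carry the HSTS header, so check both hops.
if (process.argv[2]) {
  fetch(process.argv[2], { redirect: 'manual' })
    .then((res) => console.log(auditHeaders(Object.fromEntries(res.headers))))
    .catch(console.error);
} else {
  console.log(auditHeaders(WEAK_HEADERS));
}

module.exports = { parseHsts, auditHeaders, HARDENED_HEADERS, WEAK_HEADERS };
```

The weak sample is what a site looks like one week into an HSTS ramp-up with the default Express and Nginx banners still on: nine findings, three of them the preload requirements. Run the audit against the hardened sample and it returns nothing, which is the state to reach before submitting at hstspreload.org.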

Vulnerability Scanning

Automated vulnerability scanning identifies known security issues in your stack before attackers exploit them.

What vulnerability scanning checks:

  • Outdated software: WordPress core, plugins, JavaScript libraries with known CVEs
  • Exposed files: .env, .git, wp-config.php backups, database dumps
  • Information leaks: server version headers, debug mode, stack traces
  • Default credentials: admin pages without auth, default passwords
  • Open ports/services: unnecessary services exposed to the internet
  • Injection points: forms without CSRF protection, unvalidated inputs

Common vulnerabilities by platform:

| Platform | Top vulnerability | Fix |
|----------|-------------------|-----|
| WordPress | Outdated plugins | Auto-update + WAF |
| Shopify | Third-party app permissions | Audit the app list quarterly |
| Next.js | Exposed API routes | Auth middleware + rate limiting |
| Static sites | CDN misconfiguration | Review cache rules (never cache per-user responses) |
| Custom | SQL injection | Parameterized queries |

Scanning frequency:

  • Daily: automated surface scan (SSL, headers, exposed files)
  • Weekly: dependency vulnerability check (npm audit, WordPress plugin scanner)
  • Monthly: deep scan with authenticated testing
  • After every deploy: regression check

Quick win: run npm audit (Node.js) or check your CMS plugin list for outdated components. Fix critical and high severity issues immediately.
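The weekly dependency check and the "fix critical/high immediately" rule as a CI gate, added here as an example and not code from the original guide: it reads the JSON that npm audit --json produces, fails the build on anything at or above a chosen severity, and says whether each finding is a direct dependency and whether npm has a fix for it. The report in the block is a constructed sample in the npm 7+ report shape (auditReportVersion 2) with placeholder package names and advisories; the --stdin flag and the output format are this example's own conventions.

```javascript
// Added example: a CI gate over `npm audit --json` that fails on advisories at
// or above a chosen severity, with direct/transitive and fix-availability
// detail. Not code from the original guide. The report below is a constructed
// sample in the npm 7+ report shape (auditReportVersion 2); package names are
// placeholders.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Advisories at or above `threshold`, worst first.
function failingAdvisories(report, threshold = 'high') {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity: ${threshold}`);
  const out = [];
  for (const v of Object.values(report.vulnerabilities || {})) {
    if ((SEVERITY_RANK[v.severity] ?? -1) < min) continue;
    // `via` mixes advisory objects (with a title) and plain strings naming the
    // dependency that drags the vulnerable package in; keep the advisory titles.
    const titles = (v.via || []).filter((x) => typeof x === 'object' && x.title).map((x) => x.title);
    out.push({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      range: v.range,
      fixAvailable: v.fixAvailable !== false, // npm uses false, true, or an object describing a semver-major fix
      titles,
    });
  }
  return out.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || a.name.localeCompare(b.name));
}

// Exit status plus one human-readable line per finding.
function gate(report, threshold = 'high') {
  const failing = failingAdvisories(report, threshold);
  const lines = failing.map((f) =>
    `${f.severity.toUpperCase()} ${f.name} ${f.range} ${f.direct ? '(direct)' : '(transitive)'}` +
    `${f.fixAvailable ? '' : ' NO FIX'}${f.titles.length ? ': ' + f.titles.join('; ') : ''}`);
  return { ok: failing.length === 0, exitCode: failing.length ? 1 : 0, lines };
}

// Constructed sample report (placeholder packages and advisories).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'sample-padder': { name: 'sample-padder', severity: 'moderate', isDirect: true, via: [{ title: 'ReDoS in padding routine', severity: 'moderate', range: '<1.3.0' }], effects: [], range: '<1.3.0', nodes: ['node_modules/sample-padder'], fixAvailable: true },
    'sample-parser': { name: 'sample-parser', severity: 'critical', isDirect: false, via: [{ title: 'Prototype pollution', severity: 'critical', range: '<2.0.0' }], effects: ['sample-cms-plugin'], range: '<2.0.0', nodes: ['node_modules/sample-parser'], fixAvailable: false },
    'sample-cms-plugin': { name: 'sample-cms-plugin', severity: 'critical', isDirect: true, via: ['sample-parser'], effects: [], range: '*', nodes: ['node_modules/sample-cms-plugin'], fixAvailable: false },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 0, critical: 2, total: 3 } },
};

// Usage in CI:  npm audit --json | node audit-gate.js --stdin high
if (process.argv[2] === '--stdin') {
  let data = '';
  process.stdin.setEncoding('utf8');
  process.stdin.on('data', (chunk) => { data += chunk; });
  process.stdin.on('end', () => {
    const result = gate(JSON.parse(data), process.argv[3] || 'high');
    for (const line of result.lines) console.error(line);
    process.exit(result.exitCode);
  });
} else {
  console.log(gate(SAMPLE_REPORT, 'high'));
}

module.exports = { failingAdvisories, gate, SAMPLE_REPORT };
```

npm itself can apply a threshold with npm audit --audit-level=high; what this gate adds is the triage detail you need to act on the result. A transitive finding with no fix available, like the parser in the sample, cannot be closed by npm update and needs either an override, a replacement of the direct dependency that pulls it in, or a documented risk acceptance.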

Mixed Content

Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets, iframes) over HTTP. It partially breaks the page's encryption guarantees and triggers browser warnings.

Types of mixed content:

| Type | Severity | Example | Browser behavior |
|------|----------|---------|------------------|
| Active | High | HTTP script, iframe, stylesheet, fetch/XHR, CSS url() | Blocked by default |
| Passive | Medium | HTTP image, video, audio | Auto-upgraded to HTTPS where possible, blocked if the upgrade fails (Chrome 86+), with a console warning |

Active mixed content is blocked outright by modern browsers, meaning those scripts and styles simply don't load and whatever depends on them breaks. Passive mixed content used to load with a warning; current Chrome instead retries the same URL over HTTPS and blocks it if that fails, so an HTTP image on a host without HTTPS is now a missing image.

Finding mixed content:

  1. Open Chrome DevTools → Console
  2. Look for "Mixed Content" warnings
  3. Also scan with a crawler (Screaming Frog, LANGR), since checking the homepage by hand misses deep pages

Common mixed content sources:

  • Hardcoded http:// URLs in content (blog posts, product descriptions)
  • Third-party widgets loading HTTP resources
  • Embedded content (old YouTube embeds, social media widgets)
  • CSS background-image with HTTP URLs

Fixing mixed content:

<!-- Bad -->
<img src="http://example.com/image.jpg" />

<!-- Good -->
<img src="https://example.com/image.jpg" />

<!-- Legacy: protocol-relative. Uses the page's own scheme, so it avoids mixed content on
     HTTPS pages, but loads over HTTP whenever the page itself is served over HTTP.
     Prefer an explicit https:// URL today. -->
<img src="//example.com/image.jpg" />

Database fix (WordPress):

UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');

Caveat: take a backup first, and be careful with wp_postmeta and wp_options. Plugins store PHP-serialized arrays there, and a serialized string carries its byte length (s:21:"http://yourdomain.com"), so a plain REPLACE that changes the length corrupts the value and the plugin silently loses its settings. WP-CLI's search-replace command rewrites serialized data correctly; run it with --dry-run first. Update the siteurl and home options as well so WordPress itself generates https:// URLs.

Quick win: open your homepage in Chrome, press F12 and check the Console tab for mixed content warnings. Fix any that appear; Googlebot renders pages with a current Chromium, so resources the browser blocks are missing for it too.

Third-Party Script Risks

Every external script you load is a potential security (and performance) liability. Third-party scripts can:

  • Be compromised (supply chain attacks: a script changed at the CDN runs with full access to your page)
  • Track users without consent (GDPR violation)
  • Slow down your site (render-blocking, network latency)
  • Break functionality (version updates, outages)
  • Inject unwanted content (ad scripts gone rogue)

Audit your third-party scripts:

| Script | Necessary? | Risk level | Alternative |
|--------|-----------|------------|-------------|
| Google Analytics | Often yes | Low | Server-side tracking |
| Chat widgets | Maybe | Medium | Self-hosted solutions |
| Social share buttons | Rarely | Medium | Static share links |
| A/B testing | Sometimes | High | Server-side testing |
| Retargeting pixels | Business decision | High | First-party data |
| Font CDNs | Convenient | Low | Self-host fonts |

Risk mitigation for essential third-party scripts:

  1. Subresource Integrity (SRI): hash verification stops a tampered script from loading
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAE+sO0..."
        crossorigin="anonymous"></script>
     SRI only works for fixed, versioned URLs; a "latest" URL changes its content, the hash stops matching and the script no longer loads.
  2. CSP restrictions: only allow scripts from known domains
  3. Sandboxed iframes: isolate third-party widgets with the sandbox attribute
  4. Regular audits: quarterly review of all external resources
  5. Monitoring: alert when a new external domain appears in your pages

Quick win: List every