
SEO Lesson 7: Security (2026 Guide)

11 min read · by LANGR SEO


This is Lesson 7 of the 13-Lesson SEO Course. Security is a trust signal, for both visitors and search engines. Google has used HTTPS as a ranking signal since 2014, and browsers now label plain-HTTP pages as "Not secure".


Most site owners stop at the certificate: "We have SSL, so the site is secure." In reality Google, browsers and scanners look well past the padlock. A site can present a valid certificate and still run an outdated TLS configuration, send no security headers and load mixed content, and none of that shows in the padlock icon.

Checklist:

| Check | What it means | How to verify |
|---|---|---|
| Valid certificate | Not expired, issued for your hostname, trusted by browsers | Padlock in any browser |
| Full chain | The server sends the intermediate certificates | SSL Labs test |
| TLS 1.2+ | Old protocol versions (SSL 3, TLS 1.0/1.1) disabled | SSL Labs test |
| No SHA-1 | Deprecated signature algorithm; browsers reject it | Certificate details |
| SAN coverage | www and non-www hostnames both listed | Certificate details |
| Auto-renewal | The certificate never expires by accident | Let's Encrypt / provider config |

SSL score:

100% = valid certificate + full chain + TLS 1.3 + strong cipher suites + auto-renewal
  0% = certificate expired or invalid

Common mistakes:

  1. Certificate expires unnoticed: set a reminder (see Lesson 6) 30 days before the expiry date
  2. Incomplete chain: the server does not send the intermediate certificate, so some clients fail validation even though your browser cached it
  3. Mixed content: an HTTPS page loads HTTP resources (images, scripts, styles)
  4. Redirect loops: HTTP → HTTPS → HTTP caused by conflicting redirect rules (CDN, server and CMS each redirecting)
  5. Non-www vs www mismatch: the certificate covers one hostname but not the other, so visitors to the second one get a warning

Action item: Test your site with SSL Labs (ssllabs.com/ssltest). If the grade is not an "A", fix the findings before moving on. If your host manages the certificate, the fix is usually a setting on their side.
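The checklist above applied in code. This is an added example for this lesson, not a tool from LANGR, and it uses only Python's standard library. fetch_live() pulls the certificate and negotiated protocol from a real host (the default context already rejects an expired certificate or a broken chain, which is itself a finding), and check_certificate() applies the expiry, SAN-coverage and TLS-version checks to the dictionary format that ssl's getpeercert() returns. SAMPLE_CERT and SAMPLE_NOW are constructed values so the checks run offline; they are not a real certificate.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns
# (assumption: not a real certificate). Note www.example.com is missing.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan 15 12:00:00 2030 GMT",
    "notAfter": "Jan 15 12:00:00 2031 GMT",
    "subjectAltName": (("DNS", "example.com"),),
}
# Fixed "today" so the offline sample is reproducible (assumption).
SAMPLE_NOW = datetime(2030, 12, 31, tzinfo=timezone.utc)


def fetch_live(host, port=443, timeout=5.0):
    """Return (cert dict, negotiated TLS version) for a live host.

    The default context validates chain and expiry, so an expired certificate
    or a missing intermediate raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()


def san_matches(hostname, san):
    """Exact name match, or a wildcard that covers exactly one label."""
    hostname, san = hostname.lower(), san.lower()
    if san.startswith("*."):
        suffix = san[2:]
        return hostname.endswith("." + suffix) and hostname.count(".") == suffix.count(".") + 1
    return hostname == san


def check_certificate(cert, tls_version, hostnames, now=None, warn_days=30):
    """Apply the lesson's checklist; returns a list of findings (empty = pass)."""
    findings = []
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (not_after - now).days
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} day(s) ago")
    elif days_left < warn_days:
        findings.append(f"certificate expires in {days_left} days (renew now)")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for host in hostnames:
        if not any(san_matches(host, san) for san in sans):
            findings.append(f"{host} is not covered by the certificate SANs {sans}")
    if tls_version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"negotiated {tls_version}; only TLS 1.2+ should be offered")
    # getpeercert() does not expose the signature algorithm, so the SHA-1 row
    # of the table still needs `openssl x509 -text` or the SSL Labs report.
    return findings


if __name__ == "__main__":
    hosts = ["example.com", "www.example.com"]
    for finding in check_certificate(SAMPLE_CERT, "TLSv1.2", hosts, now=SAMPLE_NOW):
        print("FINDING:", finding)
```

Run it against your own domain with `check_certificate(*fetch_live("yourdomain.com"), ["yourdomain.com", "www.yourdomain.com"])`; an empty list means the expiry, SAN and protocol rows of the checklist pass.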

Security Headers

Security headers are HTTP response headers that tell the browser how it may treat your pages. Visitors never see them, but browsers enforce them and security scanners report on them.

The security headers that matter:

Content-Security-Policy (CSP)

CSP is the most powerful security header. It lists which origins the browser may load each type of resource from (scripts, styles, images, fonts, API connections); anything not on the list is blocked.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none';

What CSP defends against:

  • Cross-site scripting (XSS): injected inline or off-origin scripts do not run
  • Data injection into the page
  • Clickjacking (via frame-ancestors)
  • Unauthorized scripts (cryptominers, ad injectors)

Note that the example policy allows 'unsafe-inline' for styles only. Never allow it for script-src: that single keyword re-enables most XSS and makes the rest of the policy decorative.

CSP rollout process:

  1. Start with Content-Security-Policy-Report-Only (violations are reported, nothing is blocked)
  2. Collect reports for 1-2 weeks
  3. Fix the legitimate violations (add missing origins, move inline scripts into files)
  4. Switch to the enforcing Content-Security-Policy header
  5. Keep report-uri (or the newer report-to) in the enforced policy so you keep seeing violations

X-Frame-Options

Prevents other sites from embedding your pages in a frame (the clickjacking defense).

X-Frame-Options: DENY

Or, if your own site needs to frame its pages:

X-Frame-Options: SAMEORIGIN

Note: CSP's frame-ancestors directive supersedes X-Frame-Options; a browser that understands frame-ancestors ignores X-Frame-Options when both are present. Keep the two consistent (the CSP above uses frame-ancestors 'none', which corresponds to DENY) and keep X-Frame-Options for older clients.

X-Content-Type-Options

Stops the browser from MIME-sniffing responses (guessing a different file type than the declared Content-Type).

X-Content-Type-Options: nosniff

This prevents, for example, an uploaded .jpg that actually contains JavaScript from being executed as a script when something references it from a script tag.

Referrer-Policy

Controls how much of the current URL is sent in the Referer header when a visitor follows a link or the page loads a resource.

Referrer-Policy: strict-origin-when-cross-origin

This sends the full URL for same-origin requests, only the origin (scheme and domain) for cross-origin requests, and nothing at all when going from HTTPS to HTTP.

Permissions-Policy

Controls which browser features (camera, microphone, geolocation, etc.) your pages may use.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

Disable every feature you do not use, so that a third-party script on your page cannot request it either.

Header implementation example (Next.js):

// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',   // apply to every route
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
      ]
    }]
  }
}

Header implementation (Apache .htaccess, requires mod_headers):

Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Header implementation (Nginx):

# Put these in the server block. Caveat: any add_header inside a location
# block replaces ALL add_header lines inherited from the server block, so a
# location with its own add_header must repeat the full set.
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Action item: Add these five security headers to your server configuration. It takes about five minutes, and then verify them with a response-header check rather than trusting the config file.

HSTS Preload

HTTP Strict Transport Security (HSTS) tells the browser to reach your site over HTTPS only, even if the user types http:// or follows an old HTTP link; the browser rewrites the request before it leaves the machine.

HSTS header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Directives:

| Directive | Meaning |
|---|---|
| max-age=31536000 | Remember the rule for 1 year (value in seconds) |
| includeSubDomains | Apply the rule to every subdomain as well |
| preload | Declare the site eligible for the browser preload list |

HSTS preload list:

A list of domains compiled into the browsers themselves. For those domains the browser never sends a plain-HTTP request, not even on the very first visit, which closes the window that the header alone leaves open. Submit at hstspreload.org, but note:

  • It requires HTTPS everywhere (with an HTTP → HTTPS redirect)
  • It is very hard to reverse; removal from the list takes months to reach users
  • Treat it as a commitment (every subdomain, indefinitely)

Requirements for HSTS preload:

  1. A valid HTTPS certificate
  2. All HTTP requests redirect to HTTPS (on the same host, subdomains included)
  3. HSTS header with max-age >= 31536000
  4. HSTS header includes includeSubDomains
  5. HSTS header includes preload
  6. All subdomains are served over HTTPS

Warning: do not preload while any subdomain still needs plain HTTP. includeSubDomains means that a single HTTP-only subdomain (an internal tool, a legacy landing page) becomes unreachable in every browser that ships the list.

Action item: Once HTTPS works on every subdomain, add the HSTS header and submit the domain at hstspreload.org. Inclusion ships with browser releases, so expect weeks to months before it reaches all users.
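A header audit that covers the two previous sections, the security headers and the HSTS preload requirements, as an added example that is neither part of the lesson nor LANGR's tooling. It uses only the standard library. STRONG is the header set from the Next.js config above plus the CSP from this lesson, with X-Frame-Options set to DENY to match frame-ancestors 'none'; WEAK is a constructed set of common defaults. Both are assumptions. fetch_headers() is the live version for your own site. hsts_preload_ready() checks only the header-level conditions (items 3 to 5 of the requirements list); the site-level ones (certificate, redirects, every subdomain on HTTPS) still need a crawl.

```python
import urllib.request

# Constructed header sets (assumption, not captured from a real site).
STRONG = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
}
WEAK = {
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'",
    "Strict-Transport-Security": "max-age=300",
    "Referrer-Policy": "unsafe-url",
}


def fetch_headers(url):
    """Live version: response headers of your own site (HEAD request)."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "header-audit"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


def _get(headers, name):
    """Case-insensitive header lookup; None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(value):
    """'default-src 'self'; script-src a b' -> {'default-src': ["'self'"], 'script-src': ['a', 'b']}"""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts(value):
    parsed = {"max_age": 0, "include_subdomains": False, "preload": False}
    for token in value.split(";"):
        token = token.strip().lower()
        if token.startswith("max-age="):
            parsed["max_age"] = int(token.split("=", 1)[1].strip('"'))
        elif token == "includesubdomains":
            parsed["include_subdomains"] = True
        elif token == "preload":
            parsed["preload"] = True
    return parsed


def hsts_preload_ready(value):
    """Header-level preload requirements; an empty list means the header qualifies."""
    if not value:
        return ["Strict-Transport-Security header missing"]
    hsts = parse_hsts(value)
    reasons = []
    if hsts["max_age"] < 31536000:
        reasons.append(f"max-age {hsts['max_age']} is below 31536000")
    if not hsts["include_subdomains"]:
        reasons.append("includeSubDomains missing")
    if not hsts["preload"]:
        reasons.append("preload missing")
    return reasons


def audit_headers(headers):
    """Findings for one response; an empty list means every check passed."""
    findings = []
    csp = _get(headers, "Content-Security-Policy")
    policy = parse_csp(csp) if csp else {}
    if csp is None:
        findings.append("Content-Security-Policy missing")
    # script-src falls back to default-src when absent, exactly as the browser does
    scripts = policy.get("script-src", policy.get("default-src", []))
    for source in ("'unsafe-inline'", "'unsafe-eval'", "*"):
        if source in scripts:
            findings.append(f"CSP allows {source} for scripts")
    xfo = (_get(headers, "X-Frame-Options") or "").upper()
    if "frame-ancestors" not in policy and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")
    if (_get(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    referrer = _get(headers, "Referrer-Policy")
    if referrer is None or referrer.lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(f"Referrer-Policy weak or missing ({referrer})")
    if _get(headers, "Permissions-Policy") is None:
        findings.append("Permissions-Policy missing")
    findings += ["HSTS: " + r for r in hsts_preload_ready(_get(headers, "Strict-Transport-Security"))]
    return findings


if __name__ == "__main__":
    for name, headers in (("STRONG", STRONG), ("WEAK", WEAK)):
        print(name, audit_headers(headers) or ["all checks pass"])
```

`audit_headers(fetch_headers("https://yourdomain.com/"))` gives the same report for a live site. Run it on the HTTP URL too: the redirect response should also carry the HSTS header, which is one of the things hstspreload.org checks.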

Vulnerability Scanning

Vulnerability scanning finds the weaknesses in your site before someone else does.

What a vulnerability scan looks for:

  • Outdated software: WordPress core, plugins and JavaScript libraries with known CVEs
  • Exposed files: .env, .git, wp-config.php, database dumps
  • Information disclosure: server version headers, debug mode, stack traces
  • Default credentials: unprotected admin pages, default passwords
  • Open ports/services: unnecessary services exposed to the internet
  • Injection points: forms without CSRF protection, unvalidated inputs

Common vulnerabilities by platform:

| Platform | Top vulnerability | Fix |
|---|---|---|
| WordPress | Outdated plugins | Auto-update + WAF |
| Shopify | Third-party app permissions | Audit the app list quarterly |
| Next.js | Exposed API routes | Auth middleware + rate limiting |
| Static sites | CDN misconfiguration | Review cache rules |
| Custom | SQL injection | Parameterized queries |

Scan frequency:

  • Weekly: automated surface scan (SSL, headers, exposed files)
  • Monthly: dependency vulnerability check (npm audit, WordPress plugin scanner)
  • Quarterly: deep scan with authenticated testing
  • After every deploy: regression check

Action item: Run npm audit (Node.js) or check your CMS plugin list for outdated components. Fix critical and high severity issues first.
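The weekly surface scan from the list above (exposed files and version-disclosing headers), written as an added example rather than LANGR's scanner; it uses only the standard library. Each probed path carries a content signature, because a status 200 on its own proves nothing: many hosts answer every unknown path with a 200 "not found" page. FAKE_SITE and fake_fetch are constructed responses so the example runs offline; http_fetch is the live fetcher, and it should only ever point at hosts you own or are authorised to test.

```python
import re
import urllib.error
import urllib.request

# Paths that should never be served, each with a signature that confirms the
# body is the real file and not a soft-404 page.
PROBES = {
    "/.git/HEAD": re.compile(r"^ref: refs/"),
    "/.env": re.compile(r"^[A-Z_][A-Z0-9_]*=", re.M),
    "/wp-config.php": re.compile(r"DB_PASSWORD"),
    "/phpinfo.php": re.compile(r"PHP Version"),
    "/backup.sql": re.compile(r"CREATE TABLE|INSERT INTO"),
}
VERSION_HEADERS = ("server", "x-powered-by")


def http_fetch(url):
    """Live fetcher: (status, headers, body). Use only against your own hosts."""
    req = urllib.request.Request(url, headers={"User-Agent": "surface-scan"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers.items()), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), ""


def surface_scan(base_url, fetch=http_fetch):
    """Findings for one site: version-disclosing headers and exposed files."""
    findings = []
    _, headers, _ = fetch(base_url + "/")
    for key, value in headers.items():
        if key.lower() in VERSION_HEADERS and re.search(r"\d+\.\d+", value):
            findings.append(f"{key} header discloses a version: {value}")
    for path, signature in PROBES.items():
        status, _, body = fetch(base_url + path)
        if status == 200 and signature.search(body):
            findings.append(f"exposed file: {path}")
    return findings


# Constructed responses for a misconfigured host (assumption, not a real scan).
FAKE_SITE = {
    "/": (200, {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"}, "<html>home</html>"),
    "/.git/HEAD": (200, {}, "ref: refs/heads/main\n"),
    "/.env": (200, {}, "<html><body>Page not found</body></html>"),  # soft 404: must not be reported
    "/wp-config.php": (403, {}, ""),
}


def fake_fetch(url):
    path = url[len("https://example.com"):]
    return FAKE_SITE.get(path, (404, {}, "Not Found"))


if __name__ == "__main__":
    for finding in surface_scan("https://example.com", fetch=fake_fetch):
        print("FINDING:", finding)
```

An exposed .git/HEAD is the one to treat as an incident, not a hygiene item: with the repository readable, an attacker can reconstruct the full source, including any credentials that were ever committed.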

Mixed Content

Mixed content is an HTTPS page that loads some resource (images, scripts, styles, frames) over plain HTTP. It undermines the protection HTTPS gives the page, and browsers react to it.

Types of mixed content:

| Type | Risk | Examples | Browser behavior |
|---|---|---|---|
| Active | High | HTTP script, iframe, CSS | Blocked by default |
| Passive | Medium | HTTP images, video, audio | Loaded with a warning |

Active mixed content is blocked outright by every modern browser, so the affected feature simply breaks. Passive mixed content used to load with a downgraded padlock; current Chrome and Firefox instead try to upgrade it to HTTPS and block it if the upgrade fails, so treat it as broken too.

Finding mixed content:

  1. Open Chrome DevTools → Console
  2. Look for "Mixed Content" warnings
  3. Alternatively, scan with a crawler (Screaming Frog, LANGR)

Where mixed content comes from:

  • Hardcoded http:// URLs in content (blog posts, product descriptions)
  • Third-party widgets loading HTTP resources
  • Embedded content (old YouTube embeds, social media widgets)
  • CSS background-image rules with HTTP URLs
  • Fonts loaded over HTTP

Fixing mixed content:

<!-- Bad -->
<img src="http://example.com/image.jpg" />

<!-- Good -->
<img src="https://example.com/image.jpg" />

<!-- Also works (protocol-relative, follows the page's scheme); prefer an explicit https:// now that HTTPS is the default -->
<img src="//example.com/image.jpg" />

Database fix (WordPress):

UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');

Caveat for the second statement: meta_value often holds serialized PHP arrays, which record each string's length inline. A REPLACE that changes the length ('http://' to 'https://' adds one byte) corrupts those values. Use WP-CLI's `wp search-replace 'http://yourdomain.com' 'https://yourdomain.com'`, which rewrites serialized data correctly, and take a database backup before either approach.

Action item: Open your homepage in Chrome, press F12 and check the Console tab for mixed content warnings. Fix every one; Google's renderer sees the same problems the browser does.
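The console check above, done as a scanner you can run over saved HTML or a crawl. This is an added example, not LANGR's crawler, built on the standard library's html.parser. It classifies each http:// subresource as active or passive the way the table above does, covers the sources listed (img src and srcset, iframes, stylesheets, url() in both style attributes and style blocks) and ignores protocol-relative and https:// URLs. SAMPLE_PAGE is a constructed page, not a real site.

```python
import re
from html.parser import HTMLParser

# (tag, attribute) pairs that fetch active content (blocked by browsers) and
# passive content (images and media).
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("img", "srcset"), ("source", "src"), ("source", "srcset"),
           ("video", "src"), ("video", "poster"), ("audio", "src"), ("track", "src")}
URL_ATTRS = {"src", "srcset", "href", "data", "poster", "style"}
CSS_URL = re.compile(r"""url\(\s*['"]?(http://[^'")]+)""", re.I)


def _urls(name, value):
    """Every URL carried by one attribute value."""
    if name == "srcset":                        # "a.png 1x, b.png 2x"
        return [c.strip().split()[0] for c in value.split(",") if c.strip()]
    if name == "style":                         # inline CSS url(...)
        return CSS_URL.findall(value)
    return [value.strip()]


def classify(tag, name, attrs):
    """'active', 'passive' or None for a (tag, attribute) pair."""
    if name not in URL_ATTRS:
        return None
    if name == "style":
        return "passive"                        # CSS images fetch with destination "image"
    if tag == "link" and name == "href":
        return "active" if "stylesheet" in (attrs.get("rel") or "").lower() else "passive"
    if (tag, name) in ACTIVE:
        return "active"
    if (tag, name) in PASSIVE:
        return "passive"
    return None                                 # e.g. <a href>: a link, not a subresource


class MixedContentScanner(HTMLParser):
    """Collects (severity, tag, url) for every http:// subresource on the page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v is not None}
        if tag == "style":
            self._in_style = True
        for name, value in attrs.items():
            severity = classify(tag, name, attrs)
            if severity is None:
                continue
            for url in _urls(name, value):
                if url.lower().startswith("http://"):
                    self.findings.append((severity, tag, url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                      # url() inside a <style> block
            for url in CSS_URL.findall(data):
                self.findings.append(("passive", "style", url))


def scan_html(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed HTTPS page with the usual offenders (assumption, not a real site).
SAMPLE_PAGE = """<!doctype html><html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
<style>.hero { background-image: url('http://img.example.com/bg.jpg'); }</style>
</head><body>
<img src="http://example.com/logo.png" srcset="http://example.com/logo@2x.png 2x">
<img src="//example.com/ok.png">
<iframe src="http://widgets.example.net/chat"></iframe>
<div style="background: url(http://example.com/tile.png)"></div>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan_html(SAMPLE_PAGE):
        print(f"{severity:8} <{tag}> {url}")
```

Feed it the HTML as served (curl the page, or save it from DevTools) rather than the CMS editor content, so that theme templates and widget output are included; those are where most of the leftovers hide.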

Third-Party Script Risks

Every external script you load is a potential security (and performance) liability. Third-party scripts can:

  • Be compromised (supply chain attacks)
  • Track your users without consent (GDPR violation)
  • Slow your site (render-blocking, network latency)
  • Break functionality (version updates, outages)
  • Inject unwanted content (ad scripts gone wrong)

Audit your third-party scripts:

| Script | Necessary? | Risk level | Alternative |
|---|---|---|---|
| Google Analytics | Often yes | Low | Server-side tracking |
| Chat widgets | Maybe | Medium | Self-hosted solutions |
| Social share buttons | Rarely | Medium | Static share links |
| A/B testing | Sometimes | High | Server-side testing |
| Retargeting pixels | Business decision | High | First-party data |
| Font CDNs | Convenient | Low | Self-host fonts |

Risk mitigation for essential third-party scripts:

  1. Subresource Integrity (SRI): the browser hashes the downloaded file and refuses to run it if the hash does not match the integrity attribute. This only works for versioned, immutable URLs; a script whose content changes on the CDN stops loading until you update the hash, and the crossorigin attribute is required for cross-origin scripts.

<script src="https://cdn.example.com/lib.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAE+sO0..."
        crossorigin="anonymous"></script>

  2. CSP restrictions: only allow scripts from known domains
  3. Sandboxed iframes: isolate third-party widgets
  4. Regular audits: quarterly review of all external resources
  5. Monitoring: alert on new external domains appearing in your pages

Action item: