
SEO Guide Step 7: Security: The Foundation Google Checks in 2026

16 min read · by LANGR SEO

SEO Guide Step 7: Security

This is Step 7 of the 13-Step SEO Guide. Security is not only about protecting users; it directly affects your rankings. Google has used HTTPS as a ranking signal since 2014, and the requirements have only grown since then.


Most website owners treat security as a checkbox: "We have SSL, so we're secure." In reality, Google evaluates several security signals. Sites with proper security headers, valid certificates, and no mixed content rank higher than sites with nothing more than a basic SSL certificate. No question about it.

The good news: most security fixes are one-time configurations. Set them up once and they protect your rankings permanently.

SSL Configuration

SSL (technically TLS) encrypts the connection between your server and your visitors. Since 2014, Google has used HTTPS as a ranking signal. In 2026, missing HTTPS is not just a ranking problem: Chrome marks HTTP sites as "Not Secure" in the address bar, and users do not trust them.

Requirements for a correct SSL setup:

| Requirement | Why | How to Check |
|--------------|-------|---------------------|
| Valid certificate | Expired = browser warning | Check the expiry date |
| Full chain | A missing chain breaks on some devices | SSL Labs test |
| TLS 1.2+ | Older versions have known weaknesses | SSL Labs test |
| No SHA-1 | Deprecated, rejected by browsers | Certificate details |
| SAN coverage | Must cover both www and non-www | Certificate details |
| Auto-renewal | Prevents expiry incidents | Set up Let's Encrypt / your provider |

SSL score:

100% = Valid certificate + Full chain + TLS 1.3 + Strong ciphers + Auto-renewal
  0% = Expired or no certificate

Common SSL mistakes:

  1. Certificate expires without renewal: set up monitoring (Step 6) at least 30 days before expiry
  2. Incomplete certificate chain: the server must send the intermediate certificates, not just the leaf
  3. Mixed content: an HTTPS page loading HTTP resources (images, scripts, styles)
  4. Redirect chains: HTTP → HTTPS → HTTP caused by a misconfigured CDN / proxy
  5. www vs non-www mismatch: the certificate covers one but not the other

Quick win: Test your domain at SSL Labs (ssllabs.com/ssltest). Anything below an "A" has issues that can be fixed. Most hosting providers can fix them with a single support ticket.

Security Headers

Security headers are HTTP response headers that instruct browsers how to handle your site. They block entire classes of attacks, and Google's crawlers check for them.

The most important security headers:

Content-Security-Policy (CSP)

CSP is the most powerful security header. It tells browsers which resources (scripts, styles, images, fonts) are allowed to load on your pages.

```
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none';
```

CSP prevents:

  • Cross-site scripting (XSS) attacks
  • Data injection attacks
  • Clickjacking (via frame-ancestors)
  • Loading of unauthorized scripts (cryptominers, card skimmers)

CSP rollout strategy:

  1. Start with Content-Security-Policy-Report-Only (logs violations without blocking)
  2. Review the reports for 1-2 weeks
  3. Whitelist the legitimate sources
  4. Switch to enforcing mode
  5. Add report-uri or report-to for ongoing violation logging
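Before switching from Report-Only to enforcing, it is worth linting the policy for the weaknesses that quietly defeat it. The checker below is an added example, not code from the original post or from LANGR; it parses the CSP shown above (embedded as a constructed sample) and flags the findings a rollout review should look at.

```python
# Constructed sample: the policy from this section, as a header value
SAMPLE_CSP = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
              "style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; "
              "font-src 'self' https://fonts.gstatic.com; "
              "connect-src 'self' https://api.example.com; frame-ancestors 'none';")

def parse_csp(policy: str) -> dict:
    """Split a CSP header value into {directive: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:                                  # skip the empty trailing part
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def lint_csp(policy: str) -> list:
    """Return the findings a rollout review should look at before enforcing."""
    d = parse_csp(policy)
    findings = []
    # script-src falls back to default-src when it is not set
    scripts = d.get("script-src", d.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash: "
                        "inline script injection (XSS) is not blocked")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src allows 'unsafe-eval'")
    if "*" in scripts or "https:" in scripts:
        findings.append("script-src allows any origin (wildcard host or scheme)")
    if "frame-ancestors" not in d:
        findings.append("frame-ancestors missing: clickjacking is not mitigated by CSP")
    if "report-uri" not in d and "report-to" not in d:
        findings.append("no report-uri/report-to: violations will not be logged once enforced")
    if "'unsafe-inline'" in d.get("style-src", []):
        findings.append("style-src allows 'unsafe-inline' (lower risk, but worth noting)")
    return findings
```

Run `lint_csp` against your own header value; an empty list means none of the checks above fired.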

X-Frame-Options

Prevents your site from being embedded in iframes on other domains (defends against clickjacking).

```
X-Frame-Options: DENY
```

If you need to allow framing from your own site:

```
X-Frame-Options: SAMEORIGIN
```

X-Content-Type-Options

Prevents browsers from MIME-sniffing (interpreting a file as a different type than the one declared).

```
X-Content-Type-Options: nosniff
```

This blocks attacks where a .jpg file contains hidden JavaScript that the browser would otherwise execute.

Referrer-Policy

Controls how much referrer information is sent when the browser leaves your site.

```
Referrer-Policy: strict-origin-when-cross-origin
```

This sends the full URL for same-origin requests, but only the origin (domain) for cross-origin requests. It balances analytics needs with privacy.

Permissions-Policy

Controls which browser features (camera, microphone, geolocation, etc.) can be used on your site.

```
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
```

Disables features you don't use, which stops third-party scripts from using them.

Configuring the headers in your framework (Next.js):

```javascript
// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
      ]
    }]
  }
}
```

Header configuration (Apache .htaccess):

```apache
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
```

Header configuration (Nginx):

```nginx
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
```

Quick win: Add the 5 headers above to your server configuration. It takes 5 minutes and immediately improves your protection against several classes of attack.

HSTS Preload

HTTP Strict Transport Security (HSTS) tells browsers to use HTTPS for your domain from the very first request. Without HSTS, the first visit to your site may go over HTTP (open to interception) before it is redirected to HTTPS.

HSTS header:

```
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```

The three key directives:

| Directive | Purpose |
|------------------|--------|
| max-age=31536000 | Remember this for 1 year (in seconds) |
| includeSubDomains | Apply to all subdomains |
| preload | Request inclusion in the browser preload lists |

HSTS preload list:

HSTS preloading is permanent. Browsers ship with a hardcoded list of domains that must use HTTPS. Submit your domain at hstspreload.org:

  • First-time visitors use HTTPS from the start (no HTTP → HTTPS redirect)
  • Attackers cannot downgrade the connection
  • Permanent commitment (hard to remove once submitted)

Requirements for HSTS preload:

  1. A valid HTTPS certificate
  2. All HTTP redirects to HTTPS (including subdomains)
  3. HSTS header with max-age >= 31536000
  4. HSTS header with includeSubDomains
  5. HSTS header with preload
  6. Every subdomain served over HTTPS

Warning: Make sure every subdomain supports HTTPS. The includeSubDomains directive will break any subdomain that only works over HTTP.

Quick win: If all your subdomains have HTTPS, add the full HSTS header and submit your domain at hstspreload.org. The process takes a couple of weeks, but the protection is permanent.
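The five headers from the Security Headers section and the HSTS preload requirements above can be checked with one audit. The script below is an added example, not code from the original post or from LANGR: it takes a header dictionary (a constructed sample is embedded; in practice you would pass the headers returned for your homepage) and reports each header as ok, missing, or not preload-ready.

```python
# Constructed sample: headers as a server might return them (note the short HSTS max-age)
SAMPLE_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "sameorigin",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=2592000; includeSubDomains",
}
REQUIRED = {  # header -> accepted values; None = any value (HSTS is judged by hsts_status)
    "X-Content-Type-Options": {"nosniff"},
    "X-Frame-Options": {"deny", "sameorigin"},
    "Referrer-Policy": {"strict-origin-when-cross-origin", "no-referrer", "same-origin"},
    "Permissions-Policy": None,
    "Strict-Transport-Security": None,
}

def parse_hsts(value: str) -> dict:  # 'max-age=N; includeSubDomains; preload' -> {'max-age': 'N', ...}
    out = {}
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        if name:                       # directive names are case-insensitive
            out[name.lower()] = val.strip().strip('"')
    return out

def hsts_status(value: str) -> list:  # preload requirements (from the list above) the header fails
    d = parse_hsts(value)
    max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
    fails = []
    if max_age < 31536000:             # one year in seconds, the hstspreload.org minimum
        fails.append("max-age >= 31536000")
    if "includesubdomains" not in d:
        fails.append("includeSubDomains")
    if "preload" not in d:
        fails.append("preload")
    return fails

def audit_headers(headers: dict) -> dict:  # header -> 'ok', 'missing' or a short problem description
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    report = {}
    for name, allowed in REQUIRED.items():
        value = lower.get(name.lower())
        fails = hsts_status(value) if value and name == "Strict-Transport-Security" else []
        if value is None:
            report[name] = "missing"
        elif fails:
            report[name] = "not preload-ready: " + ", ".join(fails)
        elif allowed and value.strip().lower() not in allowed:
            report[name] = "unexpected value: " + value
        else:
            report[name] = "ok"
    return report
```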

Vulnerability Scanning

Vulnerability scanning identifies known security issues in your stack before attackers exploit them.

What vulnerability scanning checks:

  • Outdated software: WordPress, plugins, JavaScript libraries with known CVEs
  • Exposed files: .env, .git, wp-config.php, database backups
  • Information disclosure: server versions, directory listings, stack traces
  • Weak access controls: admin pages without authentication, default passwords
  • Open ports/services: services exposed alongside the website
  • Input validation: forms without CSRF protection, unvalidated input

Common vulnerabilities by platform:

| Platform | Common Issue | Fix |
|-------|-----------|---------------|
| WordPress | Outdated plugins | Auto-update + WAF |
| Shopify | Third-party app permissions | Review the app list every quarter |
| Next.js | Exposed API routes | Auth middleware + rate limiting |
| Static sites | CDN configuration | Check the access rules |
| Custom code | SQL injection | Parameterized queries |

Scanning schedule:

  • Daily: automated basic checks (SSL, headers, exposed files)
  • Weekly: dependency vulnerability scan (npm audit, WordPress plugin checker)
  • Monthly: deep scan and penetration testing
  • On every deploy: configuration scan

Quick win: Run npm audit (Node.js) or check your CMS plugin list for outdated versions. Fix the critical/high issues right now.

Mixed Content

Mixed content occurs when an HTTPS page loads resources (images, scripts, styles, iframes) over HTTP. It breaks the padlock and triggers browser warnings.

Types of mixed content:

| Type | Impact | Examples | Browser Behavior |
|------|----------|--------|-------------------|
| Active | High | HTTP scripts, iframes, CSS | Blocked by default |
| Passive | High | HTTP images, video, audio | Loaded, with a browser warning |

Browsers block active mixed content outright, which means scripts and styles may not load at all. Passive mixed content loads but triggers security warnings.

Finding mixed content:

  1. Open Chrome DevTools → Console
  2. Look for "Mixed Content" warnings
  3. Alternatively, run a crawler (Screaming Frog, LANGR)

Common sources of mixed content:

  • Hardcoded http:// in content (blog posts, product descriptions)
  • Third-party embeds that load HTTP resources
  • Legacy embed codes (old YouTube embeds, social media widgets)
  • CSS background-image with HTTP URLs
  • Fonts loaded over HTTP
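A crawler finds these sources by scanning the page markup rather than waiting for the browser console. The scanner below is an added example, not code from the original post or from LANGR: it runs over a constructed sample page containing several of the sources listed above and classifies each http:// subresource as active or passive, using the same split as the table in this section. Plain navigation links and protocol-relative URLs are not reported, because browsers do not treat them as mixed content.

```python
import re

# Constructed sample: an HTTPS page with several of the sources listed above
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<style>.hero { background-image: url("http://img.example.com/bg.jpg"); }</style>
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://example.com/photo.jpg">
<img src="//example.com/logo.png">
<iframe src="http://www.youtube.com/embed/VIDEO_ID"></iframe>
<a href="http://example.com/page">link</a>
<video src="http://media.example.com/clip.mp4"></video>
</body></html>
"""

# Tag -> attribute that fetches a subresource, split by how browsers treat it
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data"}
PASSIVE = {"img": "src", "video": "src", "audio": "src", "source": "src"}

TAG_RE = re.compile(r"<(\w+)([^>]*)>")                        # opening tags only
ATTR_RE = re.compile(r"""\b(\w+)\s*=\s*["']?([^"'\s>]+)""")   # name=value pairs in a tag
CSS_URL_RE = re.compile(r"""url\(\s*["']?(http://[^"')\s]+)""", re.I)  # url(http://...) in CSS

def find_mixed_content(html: str) -> list:
    """Return (kind, tag, url) for every http:// subresource found in the page."""
    findings = []
    for m in TAG_RE.finditer(html):
        tag = m.group(1).lower()
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(2))}
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            attr = table.get(tag)
            if attr and attrs.get(attr, "").lower().startswith("http://"):
                findings.append((kind, tag, attrs[attr]))
    for url in CSS_URL_RE.findall(html):      # background-image and friends in inline CSS
        findings.append(("active", "css", url))
    return findings
```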

Fixing mixed content:

```html
<!-- Bad -->
<img src="http://example.com/image.jpg" />

<!-- Good -->
<img src="https://example.com/image.jpg" />

<!-- Better (protocol-relative, follows the page's own scheme) -->
<img src="//example.com/image.jpg" />
```

Fixing the database (WordPress):

```sql
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');
```

Quick win: Open your homepage in Chrome, press F12, and check the Console for mixed content warnings. Fix everything that shows up; Google sees it too.

Third-Party Scripts

Every third-party script you load is a trust relationship (and a potential point of failure). Third parties can:

  • Get compromised (supply chain attacks)
  • Collect user data without consent (GDPR exposure)
  • Slow down your site (Core Web Vitals impact)
  • Inject things you never asked for (unexpected updates, redirects)
  • Break functionality without notice (changed scripts)

Audit your third-party scripts:

| Script | Essential? | Impact | Alternative |
|--------|-----------|-----------|--------|
| Google Analytics | Usually | Low | Server-side tagging |
| Chat widgets | Maybe | High | Load on interaction |
| Social share buttons | Rarely | Medium | Static share links |
| A/B testing | Probably not | High | Server-side testing |
| Ad scripts | Depends on revenue | High | First-party ads |
| Third-party CDNs | Worth replacing | Low | Self-hosted resources |

Securing the third-party scripts you keep:

  1. Subresource Integrity (SRI): stops browsers from executing a script that has been tampered with.

```html
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAE+sO0..."
        crossorigin="anonymous"></script>
```

  2. CSP restrictions: only allow scripts from known domains
  3. Sandboxed iframes: isolate third-party widgets
  4. Regular audits: review every script quarterly
  5. Monitoring: alert when a new third-party script appears on your pages
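To see what the integrity attribute actually buys you, the following added example (not code from the original post or from LANGR) computes the SRI value for a constructed script body the way you would when pinning a CDN copy, and then checks a fetched body against it the way a browser does: the unmodified script passes, and a copy with one line appended is refused.

```python
import base64
import hashlib

# Constructed sample: the script body your page expects from the CDN, and a tampered copy
ORIGINAL_JS = b"window.track = function (e) { /* analytics */ };\n"
TAMPERED_JS = ORIGINAL_JS + b"// one extra line is enough to change the digest\n"

SRI_ALGOS = ("sha256", "sha384", "sha512")   # the only algorithms SRI allows

def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Build the integrity attribute value ('sha384-<base64 digest>') for a script body."""
    if algo not in SRI_ALGOS:
        raise ValueError("unsupported SRI algorithm: " + algo)
    digest = hashlib.new(algo, body).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")

def sri_matches(body: bytes, integrity: str) -> bool:
    """Check a fetched body against an integrity attribute.

    Simplified browser behaviour: the attribute may list several hashes and the
    body passes if any listed hash (with an allowed algorithm) matches it.
    """
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in SRI_ALGOS and sri_hash(body, algo) == token:
            return True
    return False        # nothing matched: the browser refuses to execute the script

def script_tag(src: str, body: bytes) -> str:
    """Emit the <script> tag with integrity and crossorigin set, as in the snippet above."""
    return ('<script src="%s" integrity="%s" crossorigin="anonymous"></script>'
            % (src, sri_hash(body)))
```

Regenerate the tag whenever you intentionally update the library; a changed digest is the signal that the file you are serving is no longer the one you reviewed.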

Quick win: List all the