
SEO Guide Step 7: Security, the Baseline Google Expects in 2026

·13 min read·by LANGR SEO

SEO Guide Step 7: Security

This is Step 7 of the 13-Step SEO Guide. Security is not only about protecting users; it directly affects your search rankings. Google has used HTTPS as a ranking signal since 2014, and expectations have risen steadily since.

Most site owners treat security as binary: "We have SSL, so we're secure." In reality, Google evaluates dozens of security signals. Sites with correct security headers, valid certificates, and no mixed content outrank sites with only a basic SSL certificate, all else being equal.

The good news: most security fixes are one-time configuration. Set them up once, and they will protect your rankings continuously.

SSL Configuration

SSL (technically TLS) encrypts the connection between your server and your visitors. Since 2014, Google has explicitly confirmed HTTPS as a ranking signal. In 2026, lacking HTTPS is not just a ranking issue: Chrome marks HTTP sites as "Not Secure" in the address bar, which destroys user trust.

Requirements for correct SSL:

| Requirement | Why It Matters | How to Check |
|-------------|----------------|--------------|
| Valid certificate | Expired = browser warning = users leave | Check the expiry date |
| Complete chain | Incomplete chains fail on some devices | SSL Labs test |
| TLS 1.2+ | Older versions have known weaknesses | SSL Labs test |
| No SHA-1 | Deprecated, rejected by browsers | Certificate details |
| SAN coverage | Both www and non-www must be covered | Certificate details |
| Auto-renewal | Prevents expiry disasters | Let's Encrypt / hosting provider configuration |

SSL score:

100% = Valid certificate + Complete chain + TLS 1.3 + Strong ciphers + Auto-renew
  0% = Expired or missing certificate

Common SSL mistakes:

  1. Certificate expired without notice: set up monitoring (Step 6) at least 30 days before expiry
  2. Missing certificate chain: the server needs to send the intermediate certificates, not just the leaf
  3. Mixed content: an HTTPS page loads HTTP resources (images, scripts, stylesheets)
  4. Redirect loops: HTTP → HTTPS → HTTP caused by a misconfigured CDN/proxy
  5. www vs non-www mismatch: the certificate covers one but not the other

Quick win: Enter your domain into SSL Labs (ssllabs.com/ssltest). Anything below an "A" grade has actionable issues. Most hosting providers fix these with one click.

Security Headers

Security headers are HTTP response headers that tell browsers how to behave when loading your site. They prevent entire classes of attacks, and Google's crawlers look for them.

The security headers that matter:

Content-Security-Policy (CSP)

CSP is the most powerful security header. It tells browsers exactly which resources (scripts, styles, images, fonts) are allowed to load on your pages.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none';

CSP prevents:

  • Cross-site scripting (XSS) attacks
  • Data injection attacks
  • Clickjacking (via frame-ancestors)
  • Execution of unauthorized scripts (cryptominers, ad injectors)

CSP rollout strategy:

  1. Start with Content-Security-Policy-Report-Only (observe violations without blocking)
  2. Monitor the reports for 1-2 weeks
  3. Whitelist the legitimate sources
  4. Switch to enforcing mode
  5. Add report-uri or report-to to log ongoing violations
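
An added example, not part of the original article: one way to work through steps 2 and 3, grouping Report-Only violation reports by directive and blocked origin so each source can be reviewed before it is allowed. The report bodies are constructed samples in the legacy report-uri JSON format, and the function names are illustrative.

```javascript
// Constructed sample bodies as a report-uri endpoint would receive them.
const sampleReports = [
  { "csp-report": { "effective-directive": "script-src", "blocked-uri": "https://cdn.example.com/lib.js" } },
  { "csp-report": { "effective-directive": "script-src", "blocked-uri": "https://cdn.example.com/app.js" } },
  { "csp-report": { "effective-directive": "script-src", "blocked-uri": "https://unknown-ads.example.net/x.js" } },
  { "csp-report": { "effective-directive": "style-src-elem", "blocked-uri": "inline" } },
  { "csp-report": { "violated-directive": "img-src 'self'", "blocked-uri": "http://old.example.org/a.png" } },
  { "not-a-report": true },
];

// Reduce a blocked-uri to something reviewable: an origin, or a keyword such as "inline".
function blockedSource(blockedUri) {
  try {
    return new URL(blockedUri).origin;
  } catch {
    return blockedUri || "unknown"; // "inline", "eval", "data" are not URLs
  }
}

// Returns { directive: { source: count } } so each source can be approved or rejected by hand.
function summarizeReports(reports) {
  const summary = {};
  for (const body of reports) {
    const r = body && body["csp-report"];
    if (!r) continue; // ignore malformed bodies; the endpoint is internet-facing
    // Older browsers send only violated-directive, which may carry the source list too.
    const directive = (r["effective-directive"] || r["violated-directive"] || "unknown").split(/\s+/)[0];
    const source = blockedSource(r["blocked-uri"]);
    summary[directive] = summary[directive] || {};
    summary[directive][source] = (summary[directive][source] || 0) + 1;
  }
  return summary;
}

// Append reviewed sources to one directive of a policy string, without duplicates.
function allowSources(policy, directive, sources) {
  const parts = policy.split(";").map((p) => p.trim()).filter(Boolean);
  const i = parts.findIndex((p) => p.split(/\s+/)[0] === directive);
  const tokens = i >= 0 ? parts[i].split(/\s+/) : [directive];
  for (const s of sources) if (!tokens.includes(s)) tokens.push(s);
  if (i >= 0) parts[i] = tokens.join(" ");
  else parts.push(tokens.join(" "));
  return parts.join("; ");
}
```

Only sources you recognise go into `allowSources`; an origin such as the constructed `unknown-ads.example.net` is a finding to investigate, not an entry to allow.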

X-Frame-Options

Prevents your site from being embedded in iframes on other domains (clickjacking protection).

X-Frame-Options: DENY

Or, if you need to allow same-origin framing:

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

Prevents browsers from MIME-type sniffing (interpreting files as a different type than the one declared).

X-Content-Type-Options: nosniff

This one-liner prevents attacks in which a .jpg file contains hidden JavaScript that the browser might execute.

Referrer-Policy

Controls how much referrer information is sent when users click links on your site.

Referrer-Policy: strict-origin-when-cross-origin

This sends the full URL for same-origin requests but only the origin (domain) for cross-origin requests. It balances analytics needs against privacy concerns.

Permissions-Policy

Controls which browser features (camera, microphone, geolocation, etc.) can be used on your site.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

Disabling the features you don't use also prevents third-party scripts from using them.

Header implementation example (Next.js):

// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
      ]
    }]
  }
}

Header implementation (Apache .htaccess):

Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Header implementation (Nginx):

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Quick win: Add all 5 headers above to your server configuration. It takes 5 minutes and immediately improves your security score in any tool.

HSTS Preload

HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for your domain, even before the first redirect. Without HSTS, the first visit to your site can still use HTTP (vulnerable to interception) before being redirected to HTTPS.

HSTS header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The three directives:

| Directive | Meaning |
|-----------|---------|
| max-age=31536000 | Remember this for one year (in seconds) |
| includeSubDomains | Apply to all subdomains as well |
| preload | Request inclusion in browser preload lists |

The HSTS preload list:

This is the ultimate HSTS protection. Browsers ship with a built-in list of domains that always use HTTPS. Submitting your domain to hstspreload.org means:

  • First-time visitors get HTTPS directly (instead of an HTTP → HTTPS redirect)
  • No risk of attackers downgrading the connection
  • Permanent (hard to remove once submitted)

HSTS preload requirements:

  1. Valid HTTPS certificate
  2. Redirect all HTTP to HTTPS permanently (including subdomains)
  3. HSTS header with max-age >= 31536000
  4. HSTS header includes includeSubDomains
  5. HSTS header includes preload
  6. All subdomains must support HTTPS

Warning: Only submit for preload if ALL of your subdomains support HTTPS. The includeSubDomains directive means that any HTTP-only subdomain will become unreachable.
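
An added example (not from the original article) that checks a Strict-Transport-Security value against requirements 3 to 5 in the list above, parsing it the way RFC 6797 describes. Requirements 1, 2 and 6 need live checks against every subdomain and are outside what it covers; the function names are illustrative.

```javascript
const PRELOAD_MIN_MAX_AGE = 31536000; // one year in seconds, the threshold stated in this article

// Parse per RFC 6797: ';'-separated directives, case-insensitive names, optionally quoted values.
function parseHsts(value) {
  const directives = new Map();
  const errors = [];
  for (const raw of value.split(";")) {
    const part = raw.trim();
    if (!part) continue;
    const eq = part.indexOf("=");
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : part.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
    // A directive may appear only once; a repeated max-age often comes from two config layers.
    if (directives.has(name)) errors.push(`duplicate directive: ${name}`);
    directives.set(name, val);
  }
  return { directives, errors };
}

// Returns a list of problems; an empty list means the header-level requirements are met.
function preloadProblems(value) {
  const { directives, errors } = parseHsts(value);
  const problems = [...errors];
  const maxAge = directives.get("max-age");
  if (maxAge == null || !/^\d+$/.test(maxAge)) {
    problems.push("max-age missing or not an integer");
  } else if (Number(maxAge) < PRELOAD_MIN_MAX_AGE) {
    problems.push(`max-age ${maxAge} is below ${PRELOAD_MIN_MAX_AGE}`);
  }
  if (!directives.has("includesubdomains")) problems.push("includeSubDomains missing");
  if (!directives.has("preload")) problems.push("preload missing");
  return problems;
}

// Constructed sample values; the first is the header used in the server configs above.
const hstsSamples = [
  "max-age=31536000; includeSubDomains; preload",
  "max-age=86400; includeSubDomains",
  "max-age=31536000; max-age=0; includeSubDomains; preload",
];
```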

Quick win: If you already have HTTPS on all subdomains, you can add the full HSTS header and submit your domain to hstspreload.org. The process takes a few weeks, but the protection is permanent.

Vulnerability Scanning

Automated vulnerability scanning identifies known security issues in your infrastructure before attackers exploit them.

What vulnerability scanning checks:

  • Outdated software: WordPress, plugins, JavaScript libraries with known CVEs
  • Exposed files: .env, .git, wp-config.php, database backups
  • Information disclosure: server version headers, debug mode, stack traces
  • Default credentials: admin pages without authentication, default keys
  • Open service ports: unneeded services exposed to the internet
  • Input points: forms without CSRF protection, unvalidated input

Common vulnerabilities by platform:

| Platform | Top Vulnerability | Fix |
|----------|-------------------|-----|
| WordPress | Outdated plugins | Auto-update + WAF |
| Shopify | Third-party app permissions | Audit the app list quarterly |
| Next.js | Exposed API routes | Auth middleware + rate limiting |
| Static sites | CDN misconfiguration | Review caching rules |
| Custom | SQL injection | Parameterized queries |

Scan frequency:

  • Daily: automated surface tests (SSL, headers, exposed files)
  • Weekly: dependency vulnerability checks (npm audit, WordPress tools)
  • Monthly: deep testing with authenticated scanning
  • After every deployment: regression checks

Quick win: Run npm audit (Node.js) or review your CMS plugin list to see what is outdated. Fix critical/high-severity issues immediately.

Mixed Content

Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets, iframes) over HTTP. This partially breaks encryption and triggers browser warnings.

Types of mixed content:

| Type | Severity | Example | Browser Behavior |
|------|----------|---------|------------------|
| Active | High | HTTP script, iframe, CSS | Blocked by default |
| Passive | Medium | HTTP image, video, audio | Loaded, with a warning shown |

Active mixed content is blocked by modern browsers, which means your scripts and styles simply won't load. Passive mixed content loads but shows security warnings.

Finding mixed content:

  1. Open Chrome DevTools → Console
  2. Look for "Mixed Content" warnings
  3. Alternatively, check with a crawler (Screaming Frog, LANGR)

Common sources of mixed content:

  • Hard-coded http:// URLs inside content (blog posts, product descriptions)
  • Third-party widgets loading HTTP resources
  • Embedded content (old YouTube embeds, social media widgets)
  • CSS background-image with HTTP URLs
  • Fonts loaded over HTTP
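
An added example, not from the original article: a heuristic scan of stored HTML (a post body, a template) for http:// subresources, classified as in the table above. The sample markup is constructed, the function names are illustrative, and treating fonts as active content is an addition based on browser behaviour rather than on the article's table.

```javascript
const ACTIVE_TAGS = new Set(["script", "iframe", "link"]); // blocked by default in modern browsers

// Regex scanning is a heuristic for auditing stored content, not a full HTML parser.
function findMixedContent(html) {
  const findings = [];
  for (const m of html.matchAll(/<(script|iframe|link|img|video|audio|source)\b[^>]*>/gi)) {
    const tag = m[1].toLowerCase();
    const attr = /\s(?:src|href)\s*=\s*["']?(http:\/\/[^"'\s>]+)/i.exec(m[0]);
    if (!attr) continue; // https:// and relative URLs are fine
    // <link> loads a subresource only as a stylesheet; rel="canonical" and the like are just links.
    if (tag === "link" && !/\srel\s*=\s*["']?stylesheet/i.test(m[0])) continue;
    findings.push({ url: attr[1], tag, type: ACTIVE_TAGS.has(tag) ? "active" : "passive" });
  }
  // url(http://...) in inline styles or <style> blocks: background images and @font-face sources.
  for (const m of html.matchAll(/url\(\s*["']?(http:\/\/[^"')\s]+)/gi)) {
    // Assumption beyond the article's table: browsers block fonts like scripts; images are passive.
    const isFont = /\.(woff2?|ttf|otf|eot)(\?|$)/i.test(m[1]);
    findings.push({ url: m[1], tag: "css-url", type: isFont ? "active" : "passive" });
  }
  return findings;
}

// Constructed sample covering the common sources listed above.
const sampleHtml = `
<link rel="stylesheet" href="http://example.com/site.css">
<link rel="canonical" href="http://example.com/page">
<script src="http://cdn.example.com/lib.js"></script>
<script src="https://cdn.example.com/ok.js"></script>
<img alt="x" src="http://example.com/image.jpg">
<a href="http://example.com/about">About</a>
<div style="background-image: url('http://example.com/bg.png')"></div>
<style>@font-face { font-family: F; src: url(http://example.com/f.woff2); }</style>
`;
```

Plain `<a href="http://...">` links and `rel="canonical"` are skipped on purpose: they are navigation targets, not resources the page loads.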

Fixing mixed content:

<!-- Bad -->
<img src="http://example.com/image.jpg" />

<!-- Good -->
<img src="https://example.com/image.jpg" />

<!-- Best (protocol-relative, matches the page's scheme) -->
<img src="//example.com/image.jpg" />

Database fix (WordPress):

UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');

Quick win: Open your homepage in Chrome, press F12, and check the Console tab for mixed content warnings. Fix whatever appears; Google sees these directly.

Third-Party Script Risks

Every script you load from someone else is a security (and performance) risk. Third-party scripts can:

  • Be compromised (supply-chain attacks)
  • Track your users without consent (GDPR violation)
  • Hijack your site (content injection, redirects)
  • Break functionality (version updates, outages)
  • Inject unwanted content (misbehaving ad scripts)

Audit your third-party scripts:

| Script | Needed? | Risk Level | Alternative |
|--------|---------|------------|-------------|
| Google Analytics | Usually yes | Low | Server-side tracking |
| Chat widgets | Maybe | Medium | Self-hosted solution |
| Social sharing buttons | Often | Medium | Static share links |
| A/B testing | Sometimes | High | Server-side testing |
| Retargeting pixels | Business decision | High | First-party data |
| Font CDNs | Convenience | Low | Self-hosted fonts |

Risk mitigation for essential third-party scripts:

  1. Subresource Integrity (SRI): hash verification prevents modified scripts from loading
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAE+sO0..."
        crossorigin="anonymous"></script>
  2. CSP restrictions: only allow scripts from known domains
  3. Sandboxed iframes: isolate third-party widgets
  4. Regular audits: quarterly review of all external resources
  5. Monitoring: watch for new external domains appearing on your pages

Quick win: List all