
SEO Checklist Pillar 7: Security - The Lasting Benefits Google Grants in 2026

·14 min read·by LANGR SEO

SEO Checklist Pillar 7: Security

This is Pillar 7 of the 13-Pillar SEO Checklist. Security is not only about protecting users; it directly affects your visibility. Google has treated HTTPS as a ranking signal since 2014, and its weight has continued to grow.


Many website owners think of security as a checkbox: "We have SSL, so we are protected." In reality, Google evaluates security through several related signals. Websites with proper security headers, appropriate settings, and no mixed content outperform websites that only have a basic SSL certificate, all else being equal.

The good news: most security measures are a one-time setup. Put them in place, and they protect your rankings indefinitely.

SSL Configuration

SSL (technically TLS) encrypts the connection between your server and your visitors. Since 2014, Google has confirmed HTTPS as a ranking signal. In 2026, lacking HTTPS is not just a ranking problem: Chrome marks HTTP sites as "Not Secure" in the address bar, which damages user trust.

Requirements for a proper SSL setup:

| Requirement | Why | How to check |
|-------------|-----|--------------|
| Valid certificate | Expired = browser warning = users leave | Check the expiry date |
| Complete chain | An incomplete chain fails on some devices | SSL Labs test |
| TLS 1.2+ | Older protocol versions have known weaknesses | SSL Labs test |
| No SHA-1 | Deprecated, browsers reject it | Certificate details |
| SAN coverage | www and non-www must both be covered | Certificate details |
| Auto-renewal | Prevents outages caused by expiry | Let's Encrypt / provider config |

SSL score:

100% = Valid certificate + Complete chain + TLS 1.3 + Strong cipher + Auto-renew
  0% = Expired or missing certificate

Common SSL mistakes:

  1. Certificate expires unnoticed: set up monitoring (Pillar 6) with alerts 30 days before expiry
  2. Incomplete certificate chain: the server must send the intermediate certificates, not just the leaf certificate
  3. Mixed content: an HTTPS page loads resources (images, scripts, stylesheets) over HTTP
  4. Redirect loops: HTTP → HTTPS → HTTP, caused by a misconfigured CDN/proxy
  5. Non-www vs www mismatch: the certificate is valid on one but fails on the other

Quick win: Run your domain through SSL Labs (ssllabs.com/ssltest). Any grade below "A" comes with specific recommendations. Most modern hosting providers reach that grade by default.

Security Headers

Security headers are HTTP response headers that tell the browser how to handle your site. They block several classes of attack, and Google evaluates them.

Required security headers:

Content-Security-Policy (CSP)

CSP is the key security header. It tells the browser which resources (scripts, styles, images, fonts) are allowed to load on your pages.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none';

What CSP prevents:

  • Cross-site scripting (XSS)
  • Data injection attacks
  • Clickjacking (via frame-ancestors)
  • Injection of unauthorized code (cryptominers, ad injectors)

CSP deployment strategy:

  1. Start with Content-Security-Policy-Report-Only (logs violations without blocking)
  2. Review the reported violations over 1-2 rounds
  3. Allowlist the legitimate sources
  4. Switch to enforcing mode
  5. Set report-uri or report-to to log ongoing violations
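
Steps 1 to 3 in practice, as an added example that is not code from the original page: it groups violation reports collected in Report-Only mode by directive and blocked source, so each candidate for the allowlist can be reviewed before enforcing. The reports are constructed samples in the JSON shape browsers POST to a report-uri endpoint; the function names are assumptions.

```javascript
// Constructed sample reports (legacy report-uri format, wrapped in "csp-report").
const sampleReports = [
  { 'csp-report': { 'effective-directive': 'script-src', 'blocked-uri': 'https://cdn.example.com/lib.js' } },
  { 'csp-report': { 'effective-directive': 'script-src', 'blocked-uri': 'https://cdn.example.com/other.js' } },
  { 'csp-report': { 'effective-directive': 'font-src', 'blocked-uri': 'https://fonts.gstatic.com/s/a.woff2' } },
  { 'csp-report': { 'effective-directive': 'script-src', 'blocked-uri': 'inline' } },
  { 'csp-report': { 'violated-directive': 'img-src', 'blocked-uri': 'data' } },
];

// Reduce a blocked-uri to something that can appear in a policy: an origin
// for URLs, or the CSP keyword/scheme for the special values browsers report.
function toSource(blockedUri) {
  if (blockedUri === 'inline') return "'unsafe-inline'"; // weakens the policy, review first
  if (blockedUri === 'eval') return "'unsafe-eval'";
  if (/^[a-z][a-z0-9+.-]*$/i.test(blockedUri)) return blockedUri + ':'; // bare scheme, e.g. data
  try { return new URL(blockedUri).origin; } catch { return null; }      // unparseable: skip
}

// Returns { directive: { source: count } } for every well-formed report.
function summarizeCspReports(reports) {
  const summary = {};
  for (const wrapper of reports) {
    const r = wrapper && wrapper['csp-report'];
    if (!r) continue;
    // Older browsers send only violated-directive, which may carry the full directive text.
    const directive = (r['effective-directive'] || r['violated-directive'] || '').split(' ')[0];
    const source = toSource(String(r['blocked-uri'] || ''));
    if (!directive || !source) continue;
    summary[directive] = summary[directive] || {};
    summary[directive][source] = (summary[directive][source] || 0) + 1;
  }
  return summary;
}

// Sources seen for one directive, sorted, as input for a manual allowlist decision.
function candidateSources(summary, directive) {
  return Object.keys(summary[directive] || {}).sort();
}
```

A source that shows up here is only a candidate: an origin you do not recognise, or 'unsafe-inline', is a finding to investigate rather than something to add to the policy.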

X-Frame-Options

Prevents your site from being embedded in iframes on other pages (clickjacking protection).

X-Frame-Options: DENY

Or, if you want to allow framing by your own origin:

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

Prevents the browser from MIME-type sniffing (treating a file as a type other than the one declared).

X-Content-Type-Options: nosniff

This stops cases in which a .jpg file that actually contains JavaScript is executed by the browser.

Referrer-Policy

Controls how much referrer information is sent when users follow links away from your website.

Referrer-Policy: strict-origin-when-cross-origin

This sends the full URL for same-origin requests but only the origin (domain) for cross-origin requests. It balances analytics and privacy.

Permissions-Policy

Controls which browser features (camera, microphone, geolocation, etc.) may be used on your website.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

Disabling the features you do not use prevents them from being misused.

Example implementation (Next.js):

// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
      ]
    }]
  }
}

Example implementation (Apache .htaccess):

Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Example implementation (Nginx):

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Quick win: Add these 5 headers to your website. They take minutes to set up and can be extended later.

HSTS Preload

HTTP Strict Transport Security (HSTS) tells the browser to always use HTTPS for your domain, even when HTTPS is not requested explicitly. Without HSTS, the first request to your website can still go out over unencrypted HTTP.

HSTS header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The three directives:

| Directive | Meaning |
|-----------|---------|
| max-age=31536000 | Remember this for one year (in seconds) |
| includeSubDomains | Apply to all subdomains |
| preload | Request inclusion in the browsers' preload list |

HSTS preload list:

The strongest form of HSTS protection. Browsers ship with a built-in list of domains that must always be reached over HTTPS. Submitting your domain to hstspreload.org means:

  • First-time visitors get HTTPS immediately (no HTTP → HTTPS redirect)
  • The protection cannot be bypassed on the first connection
  • It is effectively permanent (hard to undo once applied)

Requirements for HSTS preload:

  1. A valid HTTPS certificate
  2. Redirect HTTP to HTTPS (including subdomains)
  3. HSTS header with max-age >= 31536000
  4. HSTS header includes includeSubDomains
  5. HSTS header includes preload
  6. Every subdomain must be served over HTTPS
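
Requirements 2 to 5 can be checked mechanically before submitting. The following is an added example, not code from the original page: it parses a Strict-Transport-Security value and inspects an observed HTTP redirect. The function names are assumptions, and the same-host rule for the redirect is taken from the hstspreload.org submission requirements rather than from this page.

```javascript
// Parse a Strict-Transport-Security value into { maxAge, includeSubDomains, preload }.
// Directive names are case-insensitive; a missing or malformed max-age yields maxAge = null.
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of String(value || '').split(';')) {
    const [rawName, ...rest] = part.trim().split('=');
    const name = rawName.trim().toLowerCase();
    const arg = rest.join('=').trim().replace(/^"(.*)"$/, '$1'); // max-age may be quoted
    if (name === 'max-age' && /^\d+$/.test(arg)) result.maxAge = Number(arg);
    else if (name === 'includesubdomains') result.includeSubDomains = true;
    else if (name === 'preload') result.preload = true;
  }
  return result;
}

const ONE_YEAR = 31536000; // threshold from requirement 3

// Requirements 3-5: returns the header-level problems, empty when the value qualifies.
function preloadHeaderProblems(value) {
  const h = parseHsts(value);
  const problems = [];
  if (h.maxAge === null) problems.push('max-age missing or not a number');
  else if (h.maxAge < ONE_YEAR) problems.push(`max-age ${h.maxAge} is below ${ONE_YEAR}`);
  if (!h.includeSubDomains) problems.push('includeSubDomains missing');
  if (!h.preload) problems.push('preload missing');
  return problems;
}

// Requirement 2: the plain-HTTP URL must answer with a redirect to HTTPS,
// and (per hstspreload.org) to the same host before any hop to another one.
function redirectProblems(httpUrl, status, location) {
  if (![301, 302, 307, 308].includes(status) || !location) return ['HTTP does not redirect'];
  const from = new URL(httpUrl);
  const to = new URL(location, httpUrl); // Location may be relative
  if (to.protocol !== 'https:') return ['redirect target is not HTTPS'];
  if (to.hostname !== from.hostname) return ['redirect leaves the host before upgrading to HTTPS'];
  return [];
}
```

Feed it the header and redirect you observe on the apex domain and on each subdomain; requirement 6 still needs an inventory of every subdomain, which no header check can supply.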

Warning: Only submit for preload once all subdomains are served over HTTPS. The includeSubDomains directive breaks any subdomain that is not available over HTTPS.

Quick win: If you already have HTTPS on all subdomains, add the full HSTS header and submit to hstspreload.org. Inclusion takes a number of weeks, but the protection is worthwhile.

Vulnerability Scanning

Vulnerability scanning finds security weaknesses in your site before they can be used against it.

What vulnerability scanning checks:

  • Outdated software: WordPress, plugins, JavaScript libraries with known CVEs
  • Exposed files: .env, .git, wp-config.php, database dumps
  • Misconfiguration: default settings, directory listing / debug mode
  • Access control: admin login pages, related settings
  • Open services: services that should not be publicly reachable
  • Recommendations: provides remediation steps

Common vulnerabilities by platform:

| Platform | Common issue | Fix |
|----------|-------------------|-----|
| WordPress | Vulnerable plugins | Auto-update + WAF |
| Shopify | App permissions | Audit apps annually |
| Next.js | Exposed API routes | Auth middleware + rate limiting |
| Static sites | CDN misconfiguration | Check the settings |
| Custom | SQL injection | Appropriate countermeasures |

Scan frequency:

  • Daily: Automated surface scan (SSL, headers, exposed files)
  • Weekly: Dependency vulnerability scan (npm audit, WordPress plugin scanner)
  • Annually: Extended security review
  • After every deployment: Re-check

Quick win: Run npm audit (Node.js) or check your CMS plugin list for pending updates. Fix critical vulnerabilities immediately.

Mixed Content

Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets, iframes) over HTTP. This undermines the security of the page.

Types of mixed content:

| Type | Severity | Examples | Browser behavior |
|------|----------|---------|------------------|
| Active | High | HTTP script, iframe, CSS | Blocked by default |
| Passive | Medium | HTTP image, video, audio | Loaded with a warning |

Mixed content is blocked or flagged by modern browsers, which means your resources may fail to load. It also produces a warning in the browser.

Finding mixed content:

  1. Open Chrome DevTools → Console
  2. Look for "Mixed Content" warnings
  3. Alternatively, crawl the whole site with a tool (Screaming Frog, LANGR)

Common sources of mixed content:

  • Hard-coded http:// URLs in content (blog posts, product descriptions)
  • Third-party widgets that load HTTP resources
  • Embedded content (old YouTube embeds, social media widgets)
  • CSS background-image with HTTP URLs
  • Fonts loaded over HTTP
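
To triage stored content for these sources without opening every page, the following added example (not code from the original page) scans an HTML string for subresources fetched over plain HTTP and labels each as active or passive, following the table above. It is a regex heuristic, not an HTML parser; the function name and sample markup are constructed, and treating fonts referenced from CSS as active is an assumption based on browsers blocking font loads like scripts.

```javascript
// Constructed sample markup covering the sources listed above.
const sampleHtml = `
<img src="http://example.com/image.jpg" />
<img src="https://example.com/ok.jpg" />
<script src="http://cdn.example.com/lib.js"></script>
<link rel="stylesheet" href="http://example.com/site.css">
<link rel="canonical" href="http://example.com/">
<a href="http://example.com/page">link</a>
<div style="background-image: url('http://example.com/bg.png')"></div>
<style>@font-face { src: url(http://example.com/f.woff2); }</style>`;

// Tags whose HTTP loads count as active content (blocked by the browser).
const ACTIVE = new Set(['script', 'iframe', 'link']);

function findMixedContent(html) {
  const findings = [];
  const tagRe = /<(script|iframe|link|img|video|audio|source)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    // <link> only matters when it pulls in a stylesheet; <a href> is navigation
    // and never mixed content, so anchors are not scanned at all.
    if (tag === 'link' && !/\brel\s*=\s*["']?stylesheet/i.test(attrs)) continue;
    const attrName = tag === 'link' ? 'href' : 'src';
    const urlRe = new RegExp(`(?:^|\\s)${attrName}\\s*=\\s*["']?(http://[^"'\\s>]+)`, 'i');
    const url = attrs.match(urlRe);
    if (url) findings.push({ tag, url: url[1], type: ACTIVE.has(tag) ? 'active' : 'passive' });
  }
  // url(http://...) in style attributes or <style> blocks: background images and fonts.
  const cssRe = /url\(\s*["']?(http:\/\/[^"')\s]+)/gi;
  while ((m = cssRe.exec(html)) !== null) {
    const isFont = /\.(woff2?|ttf|otf|eot)(\?|$)/i.test(m[1]);
    findings.push({ tag: 'css', url: m[1], type: isFont ? 'active' : 'passive' });
  }
  return findings;
}
```

Run it over exported post bodies or rendered templates; the https:// image, the canonical link and the anchor in the sample are correctly left out of the findings.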

Fixing mixed content:

<!-- Before -->
<img src="http://example.com/image.jpg" />

<!-- After -->
<img src="https://example.com/image.jpg" />

<!-- Alternative (protocol-relative, follows the protocol of the page) -->
<img src="//example.com/image.jpg" />

Database fix (WordPress):

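-- Back up the database first. REPLACE changes string lengths, which
-- corrupts PHP-serialized values stored in meta_value.
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');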

Quick win: Open your site in Chrome, press F12, and check the Console tab for mixed content warnings. Fix the affected resources together; what the browser flags will not go unnoticed by Google.

Third-Party Script Risks

Every third-party script you include widens your security exposure. Third-party scripts can:

  • Be compromised (supply chain attacks)
  • Track your users without consent (GDPR violation)
  • Slow down your site (render-blocking, network latency)
  • Break functionality (version updates, outages)
  • Load unwanted content (ad scripts gone wrong)

Audit your third-party scripts:

| Script | Necessary? | Risk | Alternative |
|--------|-----------|------------|-------------|
| Google Analytics | Usually | High | Server-side tracking |
| Chat widgets | Depends | Medium | Self-hosted or lightweight solution |
| Social share buttons | Rarely | Medium | Static share links |
| A/B testing | Sometimes | High | Server-side testing |
| Retargeting pixels | Depends | High | First-party data |
| Font CDNs | No | High | Self-hosted fonts |

Reducing third-party script risk:

  1. Subresource Integrity (SRI): Hash verification keeps a tampered third-party script from running
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAE+sO0..."
        crossorigin="anonymous"></script>
  2. CSP restrictions: Only allow third-party scripts from trusted domains
  3. Sandboxed iframes: Isolate third-party content
  4. Regular audits: Review your third-party scripts annually
  5. Monitoring: Watch for changes in third-party script behavior
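
How the integrity value in item 1 is produced and checked, as an added Node.js example that is not code from the original page: sriHash computes the attribute value from the exact bytes served, and verifyIntegrity mirrors the browser's check. The function names and script bodies are constructed for illustration.

```javascript
const { createHash } = require('node:crypto');

// Constructed script bodies: the pinned version and a modified copy.
const original = 'window.lib = { version: "1.0.0" };\n';
const tampered = original + 'console.log("injected");\n';

// Compute the value for an integrity attribute from the exact bytes served.
function sriHash(content, algorithm = 'sha384') {
  return `${algorithm}-${createHash(algorithm).update(content).digest('base64')}`;
}

// Check fetched bytes against an integrity attribute. The attribute may list
// several hashes; as in browsers, only the strongest algorithm present is
// considered, and any one matching hash of that strength passes.
function verifyIntegrity(content, integrity) {
  const strength = { sha256: 1, sha384: 2, sha512: 3 };
  const entries = integrity.trim().split(/\s+/)
    .map((token) => token.split('?')[0])            // drop optional "?options"
    .map((token) => ({ alg: token.slice(0, token.indexOf('-')), token }))
    .filter((e) => strength[e.alg]);
  if (entries.length === 0) return true;             // no usable hash: browsers do not block
  const best = Math.max(...entries.map((e) => strength[e.alg]));
  return entries
    .filter((e) => strength[e.alg] === best)
    .some((e) => sriHash(content, e.alg) === e.token);
}
```

Because any byte change fails the check, pin only versioned files that the CDN never rewrites, and regenerate the hash whenever you upgrade the library.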

Quick win: List all the