
SEO Guide Module: Security - Succeeding on Google in 2026

·11 min read·by LANGR SEO

SEO Guide Module 7: Security

This is Module 7 of the 13-module SEO guide. Security is not only about protecting visitors; it also plays a real part in how your site ranks. Google has treated HTTPS as a ranking signal since 2014, and sites are expected to be trustworthy.


First, site owners often reason about security like this: "We have SSL, therefore we are trustworthy." In reality, Google looks at a range of security signals. A site with security headers, properly configured certificates and no exposed vulnerabilities is better placed to succeed than sites that rely on SSL alone, other things being equal.

Xikombiso xihle: Swi na ndlela yo sungula ya masiku yo sungula. Tumbuluxa ti kahle, na ti ta basa nyimbo ya rungisa ra wena.

Setting Up SSL

SSL (strictly speaking, TLS) encrypts the connection between your server and your visitors. Google has said since 2014 that it favours HTTPS as a ranking signal. In 2026, going without HTTPS is not an option: Chrome labels HTTP sites "Not Secure" in the address bar, which puts visitors off.

SSL requirements:

| Requirement | Why | How to check |
|-------------|-----|--------------|
| Valid certificate | Expired = browser warning = lost visitors | Check the expiry date |
| Complete chain | An incomplete chain triggers warnings | SSL Labs test |
| TLS 1.2+ | Older versions have known vulnerabilities | SSL Labs test |
| No SHA-1 | Deprecated; browsers reject it | Certificate details |
| SAN coverage | Both www and non-www are covered | Certificate details |
| Automatic renewal | Prevents expiry | Let's Encrypt / your host's tooling |

SSL score:

100% = Valid certificate + Complete chain + TLS 1.3 + Strong cipher + Automatic renewal
  0% = Expired certificate or none at all

Common SSL problems:

  1. Certificate expires without warning: set up monitoring (Module 6) with an alert 30 days before expiry
  2. Incomplete certificate chain: the server does not send the certificates it should
  3. Mixed content: an HTTPS page loads HTTP resources (scripts, images, styles)
  4. Redirect loops: HTTP → HTTPS → HTTP loops caused by a misconfigured CDN/proxy
  5. www/non-www mismatch: the certificate covers one but not the other

Xikombiso xiholela: Hlayisa domain ya wena hi SSL Labs (ssllabs.com/ssltest). Tina ta "A" ti na swivutiso leswi khumbulekaka. Vatanhlu va ntlawa va na leswi hi ku langutisa.

Security Headers

Security headers are HTTP response headers that tell browsers how to behave when they load your site. They help block a number of attacks, and Google's crawlers see them as well.

Key headers:

Content Security Policy (CSP)

CSP is the most powerful security header. It tells browsers which resources (scripts, styles, images, fonts) are allowed to load on your pages.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none';

What CSP prevents:

  • Cross-site scripting (XSS)
  • Data injection
  • Clickjacking (via frame-ancestors)
  • Unauthorised code running on the page (cryptominers, ad injectors)

CSP rollout:

  1. Start with Content-Security-Policy-Report-Only (violations are reported, not blocked)
  2. Review the reports over 1-2 days
  3. Lock in the allowed sources
  4. Switch to the enforcing header
  5. Do not forget the report-uri or report-to directive.

X-Frame-Options

Prevents your site from being embedded in iframes on other sites (protection against clickjacking).

X-Frame-Options: DENY

Or, if you need to allow same-origin framing:

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

Prevents browsers from MIME-type sniffing (treating a file as a different content type than the one declared).

X-Content-Type-Options: nosniff

This blocks attacks in which a .jpg file actually contains JavaScript that the browser would otherwise run.

Referrer-Policy

Controls how much referrer information is sent when visitors follow links away from your site.

Referrer-Policy: strict-origin-when-cross-origin

This sends the full URL on same-origin requests but only the origin (domain) on cross-origin requests.

Permissions-Policy

Controls which browser features (camera, microphone, geolocation and others) your site is allowed to use.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

Ku thibela nchumu lowu u nga na wona ku kumelela swicertificate wo xuphegerhtml.

Implementation example (Next.js):

// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
      ]
    }]
  }
}

Implementation example (Apache .htaccess):

Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Implementation example (Nginx):

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Xikombiso xiholela: Tsa ka 5 swikongomelo leswi, leswi nga swikoko ti xitseme. Leswi ku ta va kuluvo ni ku nyunguta kuri.

HSTS Preload

HTTP Strict Transport Security (HSTS) tells browsers that they must use HTTPS whenever they make a request. Without HSTS, a connection that defaults to HTTP (exposing a vulnerability) goes out over HTTP.

HSTS header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The three directives:

| Directive | Meaning |
|-----------|---------|
| max-age=31536000 | Keep this in force for 1 year (value in seconds) |
| includeSubDomains | Applies to subdomains as well |
| preload | Requests inclusion in browsers |

HSTS preload list:

Nsindza wa HSTS leyenevu ku basisa. Mabrowser ma tuva na ndzhaka wo tumbuluxa. Ku tumbuluxa domain ya wena eka hstspreload.org swi kombisa:

  • Vafambi va ntirho wa HTTPS hi nkarhi (ku nga ri na HTTP → HTTPS redirect)
  • Ku tlakusa ku ti ngelelwe
  • Ku basisa nkamisa (ku tinyiketela ku nghena)

HSTS preload requirements:

  1. A valid HTTPS certificate
  2. Redirect all HTTP to HTTPS (including subdomains)
  3. HSTS header with max-age >= 31536000
  4. HSTS header includes includeSubDomains
  5. HSTS header includes preload
  6. All subdomains support HTTPS
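
One way to check items 3 to 5 of the list above against a header value, as an added example (not code from the original article). The function names and sample header strings are constructed for illustration.

```javascript
// Added example: validates a Strict-Transport-Security value against the
// header-related preload requirements in the list above (items 3-5).
const MIN_PRELOAD_MAX_AGE = 31536000; // threshold taken from the page

function parseHsts(value) {
  const directives = new Map();
  const errors = [];
  for (const raw of String(value).split(';')) {
    const part = raw.trim();
    if (part === '') continue; // tolerate a trailing ';'
    const eq = part.indexOf('=');
    // Directive names are case-insensitive (RFC 6797, section 6.1).
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : part.slice(eq + 1).trim();
    if (val !== null && /^".*"$/.test(val)) val = val.slice(1, -1); // quoted-string form
    // RFC 6797 requires each directive to appear only once.
    if (directives.has(name)) errors.push(`duplicate directive: ${name}`);
    directives.set(name, val);
  }
  return { directives, errors };
}

function checkPreloadHeader(value) {
  const { directives, errors } = parseHsts(value);
  const problems = [...errors];
  const maxAge = directives.get('max-age');
  if (maxAge == null || !/^\d+$/.test(maxAge)) {
    problems.push('max-age missing or not a non-negative integer');
  } else if (Number(maxAge) < MIN_PRELOAD_MAX_AGE) {
    problems.push(`max-age ${maxAge} is below ${MIN_PRELOAD_MAX_AGE}`);
  }
  if (!directives.has('includesubdomains')) problems.push('includeSubDomains missing');
  if (!directives.has('preload')) problems.push('preload missing');
  return { ok: problems.length === 0, problems };
}

// Constructed sample values, not captured from a real site.
const samples = [
  'max-age=31536000; includeSubDomains; preload',
  'max-age=300; includeSubDomains',
  'MAX-AGE="63072000"; INCLUDESUBDOMAINS; Preload;',
];
for (const s of samples) console.log(s, '->', JSON.stringify(checkPreloadHeader(s)));
```

The check covers only the header itself; the certificate, redirect and subdomain requirements still have to be verified against the live site.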

Xikombiso: Loko u si na HTTPS hi subdomains hinkwaswo, tumbuluxa HSTS header hi ku yisa eka hstspreload.org. Ku pholisa ku tirhisa mavhoya ke, kambe vulnerabilitiy hämmerra na momba.

Vulnerability Scanning

Ku hlolwa ka vunhu i ku landzela ku tswalaka misava eNew, leswaku yi ta basisa.

What a vulnerability scan checks:

  • Outdated software: WordPress, plugins, JavaScript libraries with CVEs
  • Exposed files: .env, .git, wp-config.php, database dumps
  • Information disclosure: server header, debug mode, stack traces
  • Default configuration: unprotected admin pages, default passwords
  • Open ports/services: services that are reachable from outside
  • Injection points: inputs that are not validated

Typical issues by platform:

| Platform | Top Vulnerability | Fix |
|----------|-------------------|-----|
| WordPress | Outdated plugins | Updates + WAF |
| Shopify | Third-party app permissions | Review the app list quarterly |
| Next.js | Exposed API routes | Auth middleware + rate limiting |
| Static sites | CDN misconfiguration | Apply cache rules |
| Custom | SQL injection | Parameterized queries |

Hlawula ku hlolwa:

  • N'wef: Ku humesa surface ya ukuhamba (SSL, headers, exposed files)
  • Wa nkarhi: Ku hlalola vunhaku (npm audit, WordPress plugin scanner)
  • Mafambiselo: Ku hlola kahle ka tropho
  • Loko ntsindza woka: Ku langutisa

Tip: Run npm audit (Node.js) and check your CMS plugin list for outdated components.

Handling Mixed Content

Mixed content occurs when an HTTPS page loads resources (scripts, images, styles, iframes) over HTTP. Leswi yi thheadza ku pfuna na ku kumiwa.

Types of mixed content:

| Type | Risk | Example | Browser behaviour |
|------|------|---------|-------------------|
| Active | High | HTTP script, iframe, CSS | Blocked by default |
| Passive | Medium | HTTP image, video, audio | Loaded with warning |

Active mixed content is blocked by modern browsers, which breaks the affected scripts and styles. Passive mixed content loads with a warning.

Detecting mixed content:

  1. Open Chrome DevTools → Console
  2. Look for "Mixed Content" warnings
  3. Confirm with a site scanner (Screaming Frog, LANGR)

Common sources of mixed content:

  • Hardcoded http:// references in content (images, links)
  • Widgets served over HTTP
  • Third-party embeds (old YouTube embeds and social media widgets)
  • CSS background-image with an HTTP URL
  • Fonts loaded over HTTP
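
The detection step can also be scripted. This added example (not part of the original article) scans an HTML string for http:// subresources and labels them using the active/passive split from the table above; the function name and the sample markup are constructed.

```javascript
// Added example; regex-based on purpose to stay dependency-free.
// A production crawler would use a real HTML parser.
const ACTIVE_TAGS = new Set(['script', 'iframe', 'link']);

function findMixedContent(html) {
  const findings = [];
  // Elements whose src/href fetches a subresource. <a href> is navigation,
  // not a subresource load, so it is deliberately left out.
  const tagRe = /<(script|iframe|link|img|video|audio|source)\b[^>]*?\s(?:src|href)\s*=\s*["'](http:\/\/[^"']+)["'][^>]*>/gi;
  for (const m of html.matchAll(tagRe)) {
    const tag = m[1].toLowerCase();
    // <link> only loads a subresource here when it is a stylesheet
    // (rel="canonical" and similar fetch nothing).
    if (tag === 'link' && !/\brel\s*=\s*["']?stylesheet/i.test(m[0])) continue;
    findings.push({ type: ACTIVE_TAGS.has(tag) ? 'active' : 'passive', tag, url: m[2] });
  }
  // url(http://...) in <style> blocks or style="" attributes. Treatment depends
  // on what is loaded (a font versus an image), so these get their own label.
  for (const m of html.matchAll(/url\(\s*["']?(http:\/\/[^"')\s]+)/gi)) {
    findings.push({ type: 'css-url', tag: 'style', url: m[1] });
  }
  return findings;
}

// Constructed sample page, not taken from a real site.
const SAMPLE_HTML = `
<script src="http://cdn.example.com/lib.js"></script>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://example.com/">
<img src="http://example.com/image.jpg" />
<img src="https://example.com/ok.jpg" />
<a href="http://example.com/page">plain link</a>
<div style="background-image: url('http://example.com/bg.png')"></div>`;

for (const f of findMixedContent(SAMPLE_HTML)) console.log(f.type, f.tag, f.url);
```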

Fixing mixed content:

<!-- Before -->
<img src="http://example.com/image.jpg" />

<!-- After -->
<img src="https://example.com/image.jpg" />

<!-- Alternative (protocol-relative) -->
<img src="//example.com/image.jpg" />

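Database example (WordPress):

-- Back up the database first. meta_value can hold PHP-serialized data,
-- and a raw REPLACE does not update the string lengths stored inside it.
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');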

Tip: Open Chrome, press F12, and look for mixed content warnings in the Console. Then fix them.

Khosi ya Tihlo ta Nyahitlhoko

Nsindzisa hi ku tswaleka swiskiro hi ku basa handle.

  • Ku nhlalanganise ku ya ro ntlawa (mumps)
  • Pina ku tala interna vahumeli
  • Madyondza ku muya wa tikombolulu
  • Nyiki mndzwiye
  • Teka ku fembela

Yimela Tihlo:

| Script | Needed? | Risk | Alternative |
|--------|---------|------|-------------|
| Google Analytics | Hikwalaho | Low | Server-side tracking |
| Chat widgets | Kunguhaka | Medium | Ku se na tswala |
| Social share buttons | Kunguhaka | Medium | Static share links |
| A/B testing | No | High | Server-side testing |
| Retargeting pixels | Mibukosi ya Ndzilano | High | First-party data |
| Font CDNs | Vombile | Low | Tsa ka fonts |

Ku phuphana akili ka swicertificate:

  1. Subresource Integrity (SRI): hash verification that stops modified scripts from running.
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAE+sO0..."
        crossorigin="anonymous"></script>
  2. CSP restrictions: Nave oui switshoka na domain.
  3. Sandboxed iframes: Laha heatranemile
  4. Ntsakelo: Langa mintsela ya uva
  5. Monitoring: Kha ta hi swizirhandzu lo lelihliwe.

Xikombiso: Hlava voljo, xinying taxi ti