
SEO Guide Chapter 7: Security — A Google Ranking Signal in 2026

·13 min read·by LANGR SEO

SEO Guide Chapter 7: Security

This is Chapter 7 of the 13-part SEO Guide. Security is not only about protecting visitors: it also affects rankings. Google has used HTTPS as a ranking signal since 2014, and the signals it looks at have grown since then.

Many site owners treat security as a checkbox: "We have SSL, so we're done." In practice, Google weighs several security signals. Sites with security headers, valid certificates and no mixed content consistently outrank sites that have an SSL certificate and nothing more, all else being equal.

The good news: most security issues can be fixed quickly. Fix them, and rankings follow.

SSL Configuration

SSL (technically TLS) encrypts the connection between your web server and your visitors. Since 2014, Google has confirmed HTTPS as a ranking signal. In 2026, lacking HTTPS is more than a ranking matter: Chrome marks HTTP sites as "Not Secure" in the address bar, which erodes visitor trust.

Requirements for a sound SSL setup:

| Requirement | Why | How to Check |
|-------------|-----|--------------|
| Valid certificate | Expired = browser warning = visitors leave | Check the expiry date |
| Full chain | Sites missing the required intermediate certificates are not trusted | SSL Labs test |
| TLS 1.2+ | Older versions have vulnerabilities | SSL Labs test |
| No SHA-1 | Deprecated, browsers reject it | Certificate details |
| SAN coverage | www and non-www must both be covered | Certificate details |
| Auto-renewal | Prevents accidental expiry | Let's Encrypt / provider config |

SSL scoring:

100% = Valid certificate + Full chain + TLS 1.3 + Strong cipher + Auto-renewal
  0% = Expired certificate or no certificate

Common SSL mistakes:

  1. Certificate expires without warning: set up monitoring (Chapter 6) 30 days ahead
  2. Incomplete certificate chain: the server must send the intermediate certificates, not only the leaf
  3. Mixed content: an HTTPS page loads HTTP resources (images, scripts, stylesheets)
  4. Redirect loops: HTTP → HTTPS → HTTP cycles behind a CDN/proxy
  5. Non-www vs www mismatch: the certificate covers one but not the other

Quick win: Run your domain through SSL Labs (ssllabs.com/ssltest). Anything short of an "A" rating comes with issues you can act on. Most fixes come down to hosting configuration.

Security Headers

Security headers are HTTP response headers that tell browsers how to behave when handling your site. They prevent attacks, and Google's crawlers can see them too.

The essential headers:

Content-Security-Policy (CSP)

CSP is the most powerful security header. It tells browsers exactly which resources (scripts, styles, images, files) are allowed to load on your pages.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none';

What CSP prevents:

  • Cross-site scripting (XSS) attacks
  • Data injection attacks
  • Clickjacking (via frame-ancestors)
  • Unauthorized scripts running on the page (cryptominers, ad injectors)

CSP deployment strategy:

  1. Start with Content-Security-Policy-Report-Only (it logs violations without blocking anything)
  2. Review the reports for 1-2 days
  3. Whitelist the legitimate sources
  4. Switch to enforcement mode
  5. Add report-uri or report-to for ongoing violation monitoring
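
Reviewing the policy before step 4 catches weak sources early. The following is an added example, not code from the original guide: it parses the sample policy shown above and lists what weakens it. The function names and the set of checks are assumptions chosen for illustration.

```javascript
// Added example: review a Content-Security-Policy string before enforcing it.
// SAMPLE_CSP is the sample policy from this chapter; the checks are illustrative.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com; " +
  "style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; " +
  "font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; " +
  "frame-ancestors 'none';";

// Split the header value into a Map of directive name -> list of sources.
function parseCsp(policy) {
  const directives = new Map();
  for (const chunk of policy.split(';')) {
    const [name, ...sources] = chunk.trim().split(/\s+/);
    // A repeated directive is ignored by browsers: the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// List weaknesses: risky keywords, scheme-wide or wildcard sources, missing directives.
function reviewCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  const risky = ["'unsafe-inline'", "'unsafe-eval'", '*', 'http:', 'https:', 'data:'];
  for (const name of ['script-src', 'style-src', 'img-src', 'object-src']) {
    // Fetch directives that are absent fall back to default-src.
    const sources = d.get(name) || d.get('default-src') || [];
    for (const s of sources) {
      if (risky.includes(s.toLowerCase())) findings.push(`${name}: ${s}`);
    }
  }
  // frame-ancestors and base-uri do not fall back to default-src.
  for (const name of ['frame-ancestors', 'base-uri']) {
    if (!d.has(name)) findings.push(`${name}: missing`);
  }
  return findings;
}

console.log(reviewCsp(SAMPLE_CSP));
```

Findings on img-src are low severity compared with the same source in script-src; treat the output as a review list, not a pass/fail verdict.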

X-Frame-Options

Prevents your site from being embedded in iframes on other domains (clickjacking protection).

X-Frame-Options: DENY

Or, if you need to allow same-origin framing:

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

Prevents browsers from MIME-type sniffing (treating a file as a different type than the one declared).

X-Content-Type-Options: nosniff

This one-liner prevents attacks in which a .jpg file that contains JavaScript ends up being executed.

Referrer-Policy

Controls how much referrer information is sent when visitors follow links on your site.

Referrer-Policy: strict-origin-when-cross-origin

This sends the full URL on same-origin requests but only the origin (domain) on cross-origin requests. It keeps analytics working while limiting what other sites learn.

Permissions-Policy

Controls which browser features (camera, microphone, geolocation, and so on) may be used on your site.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

Turning off the features you do not use keeps third-party scripts from reaching them.

Header implementation example (Next.js):

// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
      ]
    }]
  }
}

Header implementation (Apache .htaccess):

Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Header implementation (Nginx):

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Quick win: Add the 5 headers above to your server configuration. It takes 5 minutes and the protection applies immediately.

HSTS Preload

HTTP Strict Transport Security (HSTS) tells browsers to use HTTPS only, rather than starting a request over HTTP. Without HSTS, the first visit to your site can begin over HTTP (open to interception) before it is redirected to HTTPS.

HSTS header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The directives:

| Directive | Meaning |
|-----------|---------|
| max-age=31536000 | How long browsers remember the rule (in seconds; 31536000 is one year) |
| includeSubDomains | Applies the rule to all subdomains as well |
| preload | Allows the domain to be included in browser preload lists |

HSTS preload list:

The next step after HSTS. Browsers ship with a built-in list of domains that must only ever be reached over HTTPS. Submitting your domain to hstspreload.org means:

  • First-time visitors connect over HTTPS directly (not through an HTTP → HTTPS redirect)
  • That first connection is protected as well
  • It is permanent (getting off the list again happens only on request)

HSTS preload requirements:

  1. Valid HTTPS certificate
  2. Redirect all HTTP to HTTPS (including subdomains)
  3. HSTS header with max-age >= 31536000
  4. HSTS header with includeSubDomains
  5. HSTS header with preload
  6. All subdomains must be served over HTTPS

Warning: Only opt in to preload once everything is served over HTTPS. includeSubDomains means any subdomain that is still HTTP-only will stop working.

Quick win: If all your subdomains are on HTTPS, add the full HSTS header and submit the domain to hstspreload.org. This is a one-time setup.
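
Requirements 3 to 5 can be checked from the header value alone before submitting. This is an added example, not part of the original guide; the function names are illustrative, the sample header values are constructed, and requirements 1, 2 and 6 still need a live check of the site and its subdomains.

```javascript
// Added example: check a Strict-Transport-Security value against preload
// requirements 3-5 listed above. Function names are illustrative.
const ONE_YEAR = 31536000; // seconds, the minimum max-age named in the list

// Parse the header into { maxAge, includeSubDomains, preload }.
function parseHsts(value) {
  const parsed = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of String(value || '').split(';')) {
    const [name, raw = ''] = part.trim().split('=');
    const key = name.trim().toLowerCase(); // directive names are case-insensitive
    if (key === 'max-age') {
      const digits = raw.trim().replace(/^"(.*)"$/, '$1'); // value may be quoted
      if (/^\d+$/.test(digits)) parsed.maxAge = Number(digits);
    } else if (key === 'includesubdomains') {
      parsed.includeSubDomains = true;
    } else if (key === 'preload') {
      parsed.preload = true;
    }
  }
  return parsed;
}

// Return the unmet requirements; an empty array means the header qualifies.
function preloadProblems(value) {
  const h = parseHsts(value);
  const problems = [];
  if (h.maxAge === null) problems.push('max-age missing or not a number');
  else if (h.maxAge < ONE_YEAR) problems.push(`max-age ${h.maxAge} is below ${ONE_YEAR}`);
  if (!h.includeSubDomains) problems.push('includeSubDomains missing');
  if (!h.preload) problems.push('preload missing');
  return problems;
}

// Constructed sample values, not captured from a real site.
for (const sample of [
  'max-age=31536000; includeSubDomains; preload',
  'max-age=86400; includeSubDomains',
  'includeSubDomains; preload',
]) {
  console.log(JSON.stringify(sample), '->', preloadProblems(sample));
}
```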

Vulnerability Scanning

Scanning surfaces the security weaknesses that are specific to your platform:

What scanning covers:

  • Outdated software: WordPress, plugins, JavaScript libraries with known CVEs
  • Exposed files: .env, .git, wp-config.php, database dumps
  • Information leakage: Server version headers, debug mode, stack traces
  • Misconfiguration: Admin pages without authentication, default settings
  • Open ports/services: Services exposed to the Internet
  • Injection points: Forms without CSRF protection, unvalidated inputs

Common vulnerabilities by platform:

| Platform | Top Vulnerability | Fix |
|----------|-------------------|-----|
| WordPress | Outdated plugins | Auto-update + WAF |
| Shopify | Overly broad app permissions | Audit app list quarterly |
| Next.js | Exposed API routes | Auth middleware + rate limiting |
| Static sites | CDN misconfiguration | Check cache rules |
| Custom | SQL injection | Parameterized queries |

Frequency ya scanning:

  • Yanga: Automated surface scan (SSL, headers, exposed files)
  • Mashudu: Dependency vulnerability check (npm audit, WordPress plugin scanner)
  • Madhuku: Deep scan na testing ye phat phat
  • Kha ngwedi ya vhuṱambo: Regression check

Quick win: Run npm audit (Node.js) or check your CMS plugin list for outdated components. Fix the critical/high findings.

Mixed Content

Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets, iframes) over HTTP. It weakens the page's protection and triggers browser warnings.

Types of mixed content:

| Type | Severity | Example | Browser Behavior |
|------|----------|---------|------------------|
| Active | High | HTTP script, iframe, CSS | Blocked by default |
| Passive | Medium | HTTP image, video, audio | Loads with a warning |

Active mixed content is blocked by modern browsers, so the affected functionality does not load. Passive mixed content loads but shows security warnings.

Finding mixed content:

  1. Open Chrome DevTools → Console
  2. Look for "Mixed Content" warnings
  3. Or run a crawler (Screaming Frog, LANGR)

Common mixed content sources:

  • Hardcoded http:// URLs in content (blog posts, product descriptions)
  • Third-party widgets that load HTTP resources
  • Embedded content (old YouTube embeds, social media widgets)
  • CSS background-image with HTTP URLs
  • Fonts loaded over HTTP
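
The sources above can also be found by scanning stored HTML before a browser ever reports them. This is an added example, not code from the original guide: it flags http:// subresources and labels them with the active/passive split from the table above. The function name, the tag sets and the sample HTML are assumptions, and regex matching is a simplification of what a crawler or DevTools sees in the rendered page.

```javascript
// Added example: flag http:// subresources in HTML and classify them with the
// active/passive table above. Regex matching is a simplification of real parsing.
const ACTIVE_TAGS = new Set(['script', 'iframe', 'link']);       // script, iframe, CSS
const PASSIVE_TAGS = new Set(['img', 'video', 'audio', 'source']);

// Constructed sample page, not taken from a real site.
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://example.com/site.css">
<script src="http://example.com/app.js"></script>
<img src="http://example.com/image.jpg" />
<img src="https://example.com/ok.jpg" />
<img src="//example.com/relative.jpg" />
<a href="http://example.com/page">link</a>
<div style="background-image: url('http://example.com/bg.png')"></div>`;

function findMixedContent(html) {
  const findings = [];
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi; // opening tag: name + attributes
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    // Only src/href values starting with http:// count; https:// and //host do not.
    const attr = /(?:^|\s)(?:src|href)\s*=\s*["']?(http:\/\/[^"'\s>]+)/i.exec(m[2]);
    if (!attr) continue;
    // A <link> is a subresource load only when it pulls in a stylesheet.
    if (tag === 'link' && !/\brel\s*=\s*["']?stylesheet/i.test(m[2])) continue;
    // <a href="http://..."> is navigation, not a subresource, so it falls through.
    if (ACTIVE_TAGS.has(tag)) findings.push({ tag, url: attr[1], type: 'active' });
    else if (PASSIVE_TAGS.has(tag)) findings.push({ tag, url: attr[1], type: 'passive' });
  }
  // CSS url(http://...) in style attributes or <style> blocks: report for review.
  for (const c of html.matchAll(/url\(\s*["']?(http:\/\/[^"')\s]+)/gi)) {
    findings.push({ tag: 'css', url: c[1], type: 'css-url' });
  }
  return findings;
}

console.log(findMixedContent(SAMPLE_HTML));
```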

Fixing mixed content:

<!-- Bad -->
<img src="http://example.com/image.jpg" />

<!-- Good -->
<img src="https://example.com/image.jpg" />

<!-- Best (protocol-relative, follows the scheme of the page) -->
<img src="//example.com/image.jpg" />

Database fix (WordPress):

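-- Back up the database first. meta_value can hold PHP-serialized data whose
-- stored string lengths a plain REPLACE does not update.
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');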

Quick Win: Open your homepage in Chrome, press F12, and check the Console tab for mixed content warnings. Fix what shows up, since it matters to Google.

Third-Party Script Risks

Every script you load brings risk with it. Third-party scripts can:

  • Be compromised (supply chain attacks)
  • Track visitors without consent (GDPR violation)
  • Slow down your site (render-blocking, network latency)
  • Break functionality (version updates, outages)
  • Inject other content (misbehaving ad scripts)

Questions to ask about third-party scripts:

| Script | Necessary? | Risk Level | Alternative |
|--------|------------|------------|-------------|
| Google Analytics | Probably yes | Low | Server-side tracking |
| Chat widgets | Mbiri | Medium | Self-hosted solutions |
| Social share buttons | Vhi dingwa | Medium | Static share links |
| A/B testing | Hanga | High | Server-side testing |
| Retargeting pixels | Business decision | High | First-party data |
| Font CDNs | Khwanyanga | Low | Self-host fonts |

Risk mitigation ye third-party scripts:

  1. Subresource Integrity (SRI): Hash verification keeps tampered scripts from running

     <script src="https://cdn.example.com/lib.js"
             integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAE+sO0..."
             crossorigin="anonymous"></script>

  2. CSP restrictions: Allow scripts only from specific domains
  3. Sandboxed iframes: Isolate third-party widgets
  4. Regular audits: Quarterly review of the resources that are loaded
  5. Monitoring: Keep checking how these scripts behave
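
How the integrity value in item 1 is produced and checked, as an added example that is not part of the original guide. It uses Node's built-in crypto module; the function names and the script text are constructed for illustration.

```javascript
// Added example: generate and verify a Subresource Integrity value with Node's
// built-in crypto module. The script text below is constructed for the demo.
const nodeCrypto = require('node:crypto');

// integrity value = "<algorithm>-" + base64(digest of the exact file bytes)
function sriHash(content, algorithm = 'sha384') {
  const digest = nodeCrypto.createHash(algorithm).update(content).digest('base64');
  return `${algorithm}-${digest}`;
}

// Check content against an integrity attribute, which may list several hashes.
// Mirrors the browser rule: only the strongest algorithm present is considered.
function matchesIntegrity(content, integrity) {
  const strength = { sha256: 1, sha384: 2, sha512: 3 };
  const entries = integrity.trim().split(/\s+/)
    .map((e) => e.split('?')[0])                 // drop any ?options suffix
    .filter((e) => strength[e.split('-')[0]]);   // ignore unknown algorithms
  if (entries.length === 0) return true;         // no usable metadata: not enforced
  const best = Math.max(...entries.map((e) => strength[e.split('-')[0]]));
  return entries
    .filter((e) => strength[e.split('-')[0]] === best)
    .some((e) => sriHash(content, e.split('-')[0]) === e);
}

// Build the tag to paste into a page for a pinned third-party script.
function scriptTag(url, content) {
  return `<script src="${url}" integrity="${sriHash(content)}" crossorigin="anonymous"></script>`;
}

const original = 'console.log("widget v1");';
const tampered = 'console.log("widget v1"); /* changed upstream */';
console.log(scriptTag('https://cdn.example.com/lib.js', original));
console.log('original matches:', matchesIntegrity(original, sriHash(original)));
console.log('tampered matches:', matchesIntegrity(tampered, sriHash(original)));
```

Because the hash covers the exact bytes, any upstream update to the file, even a legitimate one, needs a new integrity value, so pin a versioned URL.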

Quick win: Ringisa vho