UGuidi ye-SEO Isinyathelo 7: Ukuvikeleka

Lesi yisinyathelo sesi-7 se-13-Step SEO Guide. Ukuvikeleka akukhulumi nje ngokuvikela abasebenzisi — kuthinta ngqo izikhundla zakho zokusesha. I-Google isebenzise i-HTTPS njengophawu lwezikhundla kusukela ngo-2014, futhi okulindelekile kuphthile.

---

Abaningi abanikazi bezindawo bacabanga ukuthi ukuvikeleka kuyinto eyinhlangothi ezimbili: "Sinezinga le-SSL, ngakho sikuvikelile." Empeleni, i-Google ibheka izixhumanisi eziningi zokuphepha. Izindawo ezineziqinisekiso zokuphepha ezifanele, amakhadi avele okusebenziseka, kanye nokungabi nokuhlanganiswa kwezinye izinto zithola izikhundla eziphezulu kunalezo ezinomphakathi wesizo kuphela — konke kusengqondweni.

Izindaba ezinhle: imithombo evikelekile ivamile, iyisikhumbuzo esisodwa. Setha kube kanye, futhi izovikela izikhundla zakho ngonaphakade.

Ukuhlelwa kwe-SSL

I-SSL (ngoktechnically i-TLS) ivikela uxhumano phakathi kweseva yakho neziy visitors. Kusukela ngo-2014, i-Google iqinisekisile ngokucacile i-HTTPS njengophawu lwezikhundla. Ngomnyaka ka-2026, ukunganaki i-HTTPS akuyena umqondo wezikhundla kuphela — i-Chrome ibonisa amasayithi e-HTTP njenge "Ayivikelekile" ebhulogi, ibhubhisa ukwethembekile kwabavakashi.

Izidingo ze-SSL efanele:

| Izidingo | Kungani | Indlela yokuhlola | |-----------|---------|------------------| | Isithombe esivumelekile | Phumelelayo = isixwayiso sokuqhafaza = abavakashi abahamba | Hlola usuku lokuphelelwa | | Uchungechunge oluphelele | Uhlu olungaphelele lungafaneleka ezinhlakweni ezithile | Ukuhlolwa kwe-SSL Labs | | TLS 1.2+ | Izinguqulo ezindala zinekeze lwama-vulnerabilities | Ukuhlolwa kwe-SSL Labs | | Akukho SHA-1 | Ukuphelelwa, iziphequluli ziyakwenqaba | Imininingwane yesitifiketi | | Ukuqinisekisa i-SAN | www kanye ne-non-www bonke kufanele bakhululwe | Imininingwane yesitifiketi | | Ukuvuselelwa okuzenzakalelayo | Kuvikela ukungapheleli | Qhagamshela ku-Encrypt / umphakeli wezimiso |

Ukuhlola kwe-SSL:

100% = Isitifiketi esivumelekile + Uchungechunge oluphelele + TLS 1.3 + I-Cipher eqinile + Ukuvuselelwa okuzenzakalelayo
  0% = Isitifiketi esiphelelwe or esikalwenqabe

Amaphutha avamile e-SSL:

1. Isitifiketi siphelelwe ngokungazi — Beka ukuholwa (Isinyathelo sesi-6) okungenani ezinsukwini eziyi-30 ngaphambi kokuphelelwa
2. Uchungechunge lwezisitifiketi olungaphelele — Iseva kufanele ithumele amakhadi amaphakathi, hhayi nje impophoma
3. Ukuhlanganiswa kwezinto — Iphepha le-HTTPS lila imithombo ye-HTTP (izithombe, izinhlelo, izitayela)
4. Imijikelezo yokudlulisa — I-HTTP → I-HTTPS → I-HTTP imijikelezo ebangelwa ukunqaba kwe- CDN/proxy
5. Ukuhlawulisa kwe-non-www vs www — Isitifiketi sihlinzeka ngelinye kodwa hhayi elinye

Ukwenza okuhle: Qhuba igama lakho lesizinda ku-SSL Labs (ssllabs.com/ssltest). Nanything engaphansi kwesilinganiso sokuthi "A" sinemikhawulo esebenziseka kahle. Iningi labaphakeli be-hosting lilungisa lezi ngekhiye elilodwa.

Izikhumbuzo Zokuphepha

Izikhumbuzo zokuphepha ziwumsebenzi we-HTTP owethula iziphequluli ukuthi kufanele zenzeni uma zidlula indawo yakho. Zivimbela izigaba ezinkulu zokuhlaselwa — futhi abadvoki be-Google bahlole lezi.

Izikhumbuzo zokuphepha ezisemqoka:

Umthethonqubo Wokuvikeleka Kokuqukethwe (CSP)

I-CSP iyisikhumbuzo sokuphepha esinamandla kakhulu. Ikhombisa iziphequluli ukuthi yimiphi imithombo (izinhlelo, isitayela, izithombe, amafomethi) evunyelwe ukukodwa eziphinjweni zakho.

Umthethonqubo Wokuvikeleka Kokuqukethwe: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none';

Okukukhumbuza i-CSP:

• Ukuhlaselwa kwe-cross-site scripting (XSS)
• Ukuhlaselwa kokungena kwemiyalezo
• Ukujola (ngokusebenzisa i- frame-ancestors)
• Ukuqediwa kwezinhlelo ezingagunyaziwe (ama-cryptominers, abachazayo bephalamende)

Uhlelo lwe-CSP:

1. Qala nge- Content-Security-Policy-Report-Only (ubika ukwephula ngaphandle kokuvimba)
2. Buka amabhuku emihlangano izinsuku eziyi-1 kuya ku-2
3. Unikeze imithombo evumelekile
4. Shintshela kumode yokuphikisa
5. Engeza report-uri noma report-to yokuhlonza ukwephula okwakha

X-Frame-Options

Ivikela indawo yakho ekusebenzeni kuma-iframes kwezinye izikhala (ukuvikeleka kokujola).

X-Frame-Options: DENY

Noma uma kudingeka uvumele ukwakhiwa okufanayo:

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

Ivikela iziphequluli ezivela kumime-type sniffing (ukuchaza amafayela njengemikhakha ehlukile kunezikhumbuzo).

X-Content-Type-Options: nosniff

Le line izovimbela ukuhlaselwa lapho ifayela le .jpg liqukethe i-JavaScript eyimfihlo esetshenziswa iziphequluli.

Referrer-Policy

Ilawule ukuthi zingaki izincwadi zokubuyisela ezithunyelwa ngesikhathi abasebenzisi behlola imilayezo kusuka endaweni yakho.

Referrer-Policy: strict-origin-when-cross-origin

Lokhu kuthumele i-URL ephelele kwezimali ezifanayo kodwa ibhalise inkulumo (isikhala) kumalungelo angaphandle. Kuqhuba izidingo zokuhlola ze-analytics futhi kuphephe.

Permissions-Policy

Ilawule ukuthi yiziphi izici zeziqephu (ikhamera, umsakazo, indawo, njll.) ezingasetshenziswa endaweni yakho.

Permissions-Policy: kamera=(), umsakazo=(), indawo=(), ukufaka=()

Ukukhansela izici ongazisebenzisi kuvimbela izinhlelo zangaphandle ekuzenzakaleni.

Isibonelo sokwakhiwa kwekhanda (Next.js):

// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
      ]
    }]
  }
}

Ukubeka izikhumbuzo (Apache .htaccess):

Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Ukubeka izikhumbuzo (Nginx):

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" sempre;

Ukwenza kahle: Engeza zonke izikhumbuzo ezi-5 ezingenhla kumphakeli wakho. Lokhu kuthatha imizuzu emihlanu futhi kuphinde kuthuthukise izinhlelo zakho zokuvikeleka kunoma iyiphi ithuluzi le-scan.

HSTS Preload

I-HTTP Strict Transport Security (HSTS) iyala iziphequluli ukuthi zisebenzise njalo i-HTTPS kulendawo yakho — ngisho nangaphambi kwesicelo sokuqala. Ngaphandle kwe-HSTS, ukuvakashelwa okokuqala endaweni yakho kungase kusebenzise i-HTTP (vulnerable to interception) ngaphambi kokudluliswa ku-HTTPS kwenzeka.

I-HSTS header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Izikhumbuzo ezintathu:

| Izikhumbuzo | Incazelo | |-----------|---------| | max-age=31536000 | Khumbula lokhu unyaka owodwa (ngemizuzwana) | | includeSubDomains | Faka kuzo zonke izigaba zamakhasi | | preload | Cela ukufakwa ohlwini lwezikhwama zeziphequluli |

Uhlu lwe-HSTS preload:

Ukuvikelwa okuphezulu kwe-HSTS. Iziphequluli ziza nohlu olwakhelwe ngaphakathi lwezindawo ezidinga ukusebenzisa i-HTTPS ngaso sonke isikhathi. Ukuhambisa igama lakho lesizinda ku-hstspreload.org kusho:

• Abavakashi besikhathi sokuqala bathola i-HTTPS ngokushesha (akukho ukujula kwe-HTTP → HTTPS)
• Kungenakwenzeka ukuhlaselwa kukahulumeni okuphakanyiswe
• Ukuvikeleka kwephakade (kunzima ukukhipha uma sekufakiwe)

Izidingo ze-HSTS preload:

1. Isitifiketi se-HTTPS esivumelekile
2. Qhuba konke i-HTTP ku-HTTPS (kuze kube nezigaba)
3. I-hsts header enezinga elikhulu >= 31536000
4. I-hsts header ihlanganisa includeSubDomains
5. I-hsts header ihlanganisa preload
6. Zonke izigaba kufanele zixhase i-HTTPS

Isixwayiso: Thumela ku-preload kuphela uma zonke izigaba zakho zixhase i-HTTPS. I- includeSubDomains ituswa yaphoqa ukuthi noma yisiphi isizinda esiqondile se-HTTP sizovinjwa.

Ukwenza kahle: Uma usuvele une-HTTPS kuzo zonke izigaba, engeza i-header ye-HSTS ephelele bese uthumela ku-hstspreload.org. Ukuphendulwa kuthatha izinsuku ezimbalwa kodwa ukuvikeleka kuhlala kuqhubeka.

Ukuhlolwa Kokwephula

Ukuhlolwa kokwephula okuzenzakalelayo kuthola izinkinga zokuphepha ezaziwa ku-stack yakho ngaphambi kokuhlaselwa kwabahlaseli.

Okutholakalayo kokuhlola ukwephula:

• Isofthiwe engaphelelwe: I-WordPress, ama-plug-in, izincwadi ze-JavaScript ezinezi-CVE ezaziwayo
• Amakhasi avulekile: .env, .git, wp-config.php, amakhophi edatha
• Ukuvuza kwemininingwane: Amakhasi wersiyativi, imodi yokwenza, izimpawu ze-stack
• Izakhamizi ezijwayelekile: Amakhasi okwaba aprege nomswanik, amaphasiwedi ajwayelekile
• Izikhala ezivuliwe/izinsiza: Izinsiza ezingasafuneki ezitholakala ku-internet
• Amaphuzu okujola: Amafomu angenakho ukuvikelwa kwe-CSRF, ukufaka okungafunwa

Izinhlayiya ezivamile ze-vulnerability ngepaltform:

| IPlatform | Ithuba Lokwephula Eliphakeme | Ukulungisa | |-----------|-------------------------------|-----------| | I-WordPress | Ama-plug-in angaphelelwe | Ukuvuselelwa okuzenzakalelayo + WAF | | I-Shopify | Okuhlinzekwa kwehlelo lwesithathu | Qhuba uhlu lwe apps ngeminyaka emithathu | | I-Next.js | Izindlela ze-API ezivulelekile | I-middleware ye-Auth + ukulinganisa izinga | | Izindawo ezi-static | Ukulungiswa kwe-CDN | Bheka imithetho ye-cache | | Okukhethekile | I-SQL injection | Ukuhlela izicelo |

Izikhathi zokuhlola:

• Nsuku zonke: Ukuhlolwa kwe-surface okuzenzakalelayo (SSL, izikhumbuzo, amakhasi avulekile)
• Ngesonto: Ukuhlola ukwephula kwemithombo (npm audit, i-WordPress plugin scanner)
• Ngawe-nyanga: Ukuhlolwa okujulile okuqhubekayo
• Ngemuva kwayo yonke ukusebenzisa: Ukuhlolwa kwe-regression

Ukwenza kahle: Qhuba npm audit (Node.js) noma hlola uhlu lwe-plugin lwe-CMS yakho ukuze uthole izingxenye eziphumelelayo. Lulungisa izinkinga eziphuthumayo/eziphakeme ngokushesha.

Ukuhlanganiswa Kwezinqumo

Ukuhlanganiswa kwezinto kwenzeka uma ikhasi le-HTTPS lila imithombo (izithombe, izinhlelo, izitayela, ama-iframes) nge-HTTP. Lokhu kuphula kancane ukuphikiswa futhi kube nomphumela wokwenza izixwayiso eziphequluli.

Izinhlobo zokuqukethwe okuxubile:

| Ihlobo | Ububanzi | Isibonelo | Iziphequluli Zisebenze | |--------|----------|-----------|------------------------| | Okusebenzayo | Okuphakeme | Isigaba se-HTTP, iframe, CSS | Iphikiswa ngokujwayelekile | | Okulinganiselwe | Okwesigaba | Isithombe se-HTTP, ividiyo, umsindo | Ivalwe kodwa ibhalwe |

Okuxubile okusebenzayo kuvimbela iziphequluli ezithuthukisiwe — kusho ukuthi izinhlelo zakho nezitayela ngeke zikhonziswe. Okuxubile okulinganiselwe kuyavula kodwa kubonisa izexwayiso zokuphepha.

Ukuhlola ukuhlanganiswa kwezinto:

1. Vula i-Chrome DevTools → I-Console
2. Bheka izexwayiso ze-"Mixed Content"
3. Kungenjalo, hlola uhlelo lokuhamba (Screaming Frog, LANGR)

Imithombo evamile yokuhlanganiswa kwezinto:

• I-URL ethintekile ku-http:// okuqukethwe (izikhombisi, izincazelo zomkhiqizo)
• Amakatheku akwenziwe angaphemu ukulayisha imithombo ye-HTTP
• Okuqukethwe okuhlanganisiwe (ukugxalwa kwe-YouTube, ukwaziswa kwezentlalo)
• I-CSS background-image enezi-HTTP URLs
• Amafomu alayishwe nge-HTTP

Ukulungiswa kwe-mixed content:

<!-- Kubi -->
<img src="http://example.com/image.jpg" />

<!-- Kulungile -->
<img src="https://example.com/image.jpg" />

<!-- Okuhle (ukuhluka kwephrothokholi, kulungisa ukuxhaswa kwephrothokholi ye-phepha) -->
<img src="//example.com/image.jpg" />

Ukulungiswa kwe-database (i-WordPress):

UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');

Ukwenza kahle: Vula ikhasi lakho lasekhaya ku-Chrome, cindezela u-F12, hlola ithebhu ye-Console ukuze uthole izexwayiso zokuhlanganiswa kwezinto. Lungisa zonke ezibhalwe ubukhona — lezi zingeze zaziwa ngqo ku-Google.

Izingozi Zezinhlelo Zangaphandle

Noma yisiphi isimemezelo esivulelekile okukhona ingozi yokuphepha (nokusebenza). Izinhlelo zangaphandle zingaba:

• Zishintshwe (ukuhlaselwa kwe-supply chain)
• Zilande abasebenzisi bakho ngaphandle kwengcwephe (ukwephula i-GDPR)
• Zinciphisa indawo yakho (ukuphazamiseka, izikhathi zokusebenza)
• Ziphule ukusebenza (ukuvuselelwa kwemidvwe, izinkinga)
• Zifake okuqukethwe okungafuneki (ama-skripthi ezikhangiso eziphukile)

Hlola izinhlelo zakho zangaphandle:

| Isimemezelo | Kubalulekile? | Izinga Lengozi | Esikhaleni | |-------------|----------------|----------------|------------| | I-Google Analytics | Njalo | Okuphansi | Ukwenziwe ku-server | | Amawidget ezokuxhumana | Kungenzeka | Okwesigaba | Izixazululo ezizibambile | | Izinkinobho zokwabelana ngemidiya | Ngokuvamile | Okwesigaba | Izixhumanisi ezizithile | | Ukuhlola ukuxhumana | Kungenzeka | Okuphakeme | Ukuhlola ku-server | | Mapharamitha echo pixels | Isinqumo sebhizinisi | Okuphakeme | Idatha yokuqala | | I-CDNs yeFont | Kulula | Okuphansi | Amathamba wokwakha |

Izinyathelo zokunciphisisa ingozi yezinhlelo zangaphandle ezibalulekile:

1. Ukuphepha KweSubresource (SRI): Ukuqinisekiswa kwe-hash kuvimbela ama-skripthi aphumeletheki kumphakathi

<script src="https://cdn.example.com/lib.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAE+sO0..."
        crossorigin="anonymous"></script>

1. Imikhawulo ye-CSP: Vumela kuphela ama-skripthi avela ezindaweni ezaziwayo
2. Izikhala ezisizayo: Qhubekisa ama-widget angaphandle
3. Ukuhlolwa okujwayelekile: Ukubuka njalo kweziqu eziphethe
4. Ukuqapha: Vusa ngemiphakathi ephezulu evele ezindaweni zakho

Ukwenza kahle: Bhalisela zonke izimpawu