{"id":2499,"date":"2025-11-25T12:56:59","date_gmt":"2025-11-25T09:56:59","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/full-https-migration-guide-301-redirects-hsts-and-zero%e2%80%91loss-seo\/"},"modified":"2025-11-25T12:56:59","modified_gmt":"2025-11-25T09:56:59","slug":"full-https-migration-guide-301-redirects-hsts-and-zero%e2%80%91loss-seo","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/en\/full-https-migration-guide-301-redirects-hsts-and-zero%e2%80%91loss-seo\/","title":{"rendered":"Full HTTPS Migration Guide: 301 Redirects, HSTS and Zero\u2011Loss SEO"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><p>Moving a site to HTTPS used to feel risky: horror stories about traffic drops, broken redirects and mysterious \u201cmixed content\u201d warnings scared a lot of teams into postponing SSL for years. Today, search engines expect secure sites by default, browsers label plain HTTP as \u201cNot secure\u201d, and users are less willing than ever to type card or login details into an unencrypted page. The good news: if you plan your migration carefully, you can enable SSL, enforce HTTPS and even add HSTS without losing rankings or breaking your analytics. In this guide, we\u2019ll walk through the exact steps we use at dchost.com when moving customer projects fully to HTTPS: from choosing a certificate and configuring redirects, to setting HSTS headers, fixing mixed content and managing SEO details like sitemaps and canonicals. 
You\u2019ll finish with a practical checklist you can apply on shared hosting, <a href=\"https:\/\/www.dchost.com\/vps\">VPS<\/a>, <a href=\"https:\/\/www.dchost.com\/dedicated-server\">dedicated server<\/a>s or colocation \u2013 and a clear path to zero\u2011loss SEO.<\/p>\n<div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#Why_a_Full_HTTPS_Migration_Matters_for_Security_SEO_and_UX\"><span class=\"toc_number toc_depth_1\">1<\/span> Why a Full HTTPS Migration Matters for Security, SEO and UX<\/a><ul><li><a href=\"#HTTPS_is_no_longer_optional\"><span class=\"toc_number toc_depth_2\">1.1<\/span> HTTPS is no longer optional<\/a><\/li><li><a href=\"#Search_engines_explicitly_prefer_HTTPS\"><span class=\"toc_number toc_depth_2\">1.2<\/span> Search engines explicitly prefer HTTPS<\/a><\/li><\/ul><\/li><li><a href=\"#PreMigration_Checklist_Get_Your_Infrastructure_and_SSL_Ready\"><span class=\"toc_number toc_depth_1\">2<\/span> Pre\u2011Migration Checklist: Get Your Infrastructure and SSL Ready<\/a><ul><li><a href=\"#1_Choose_the_right_type_of_SSL_certificate\"><span class=\"toc_number toc_depth_2\">2.1<\/span> 1. Choose the right type of SSL certificate<\/a><\/li><li><a href=\"#2_Confirm_TLS_and_HTTP23_support_on_your_server\"><span class=\"toc_number toc_depth_2\">2.2<\/span> 2. Confirm TLS and HTTP\/2\/3 support on your server<\/a><\/li><li><a href=\"#3_Decide_your_canonical_host_pattern\"><span class=\"toc_number toc_depth_2\">2.3<\/span> 3. Decide your \u201ccanonical\u201d host pattern<\/a><\/li><li><a href=\"#4_Snapshot_your_current_SEO_state\"><span class=\"toc_number toc_depth_2\">2.4<\/span> 4. 
Snapshot your current SEO state<\/a><\/li><\/ul><\/li><li><a href=\"#301_Redirects_The_Backbone_of_a_Clean_HTTPS_Migration\"><span class=\"toc_number toc_depth_1\">3<\/span> 301 Redirects: The Backbone of a Clean HTTPS Migration<\/a><ul><li><a href=\"#Why_301_permanent_redirects_are_critical\"><span class=\"toc_number toc_depth_2\">3.1<\/span> Why 301 (permanent) redirects are critical<\/a><\/li><li><a href=\"#Canonical_mapping_strategy\"><span class=\"toc_number toc_depth_2\">3.2<\/span> Canonical mapping strategy<\/a><\/li><li><a href=\"#Global_HTTP_HTTPS_redirect_on_Apache_htaccess\"><span class=\"toc_number toc_depth_2\">3.3<\/span> Global HTTP \u2192 HTTPS redirect on Apache (.htaccess)<\/a><\/li><li><a href=\"#Global_HTTP_HTTPS_redirect_on_Nginx\"><span class=\"toc_number toc_depth_2\">3.4<\/span> Global HTTP \u2192 HTTPS redirect on Nginx<\/a><\/li><li><a href=\"#Avoid_redirect_chains_and_loops\"><span class=\"toc_number toc_depth_2\">3.5<\/span> Avoid redirect chains and loops<\/a><\/li><\/ul><\/li><li><a href=\"#HSTS_Locking_in_HTTPS_and_When_to_Be_Careful\"><span class=\"toc_number toc_depth_1\">4<\/span> HSTS: Locking in HTTPS (and When to Be Careful)<\/a><ul><li><a href=\"#What_HSTS_actually_does\"><span class=\"toc_number toc_depth_2\">4.1<\/span> What HSTS actually does<\/a><\/li><li><a href=\"#Basic_HSTS_configuration\"><span class=\"toc_number toc_depth_2\">4.2<\/span> Basic HSTS configuration<\/a><\/li><li><a href=\"#Roll_out_HSTS_in_stages\"><span class=\"toc_number toc_depth_2\">4.3<\/span> Roll out HSTS in stages<\/a><\/li><\/ul><\/li><li><a href=\"#ZeroLoss_SEO_How_to_Tell_Search_Engines_About_Your_HTTPS_Move\"><span class=\"toc_number toc_depth_1\">5<\/span> Zero\u2011Loss SEO: How to Tell Search Engines About Your HTTPS Move<\/a><ul><li><a href=\"#1_Update_canonical_tags\"><span class=\"toc_number toc_depth_2\">5.1<\/span> 1. 
Update canonical tags<\/a><\/li><li><a href=\"#2_Regenerate_XML_sitemaps_with_HTTPS_URLs\"><span class=\"toc_number toc_depth_2\">5.2<\/span> 2. Regenerate XML sitemaps with HTTPS URLs<\/a><\/li><li><a href=\"#3_Update_hreflang_and_structured_data\"><span class=\"toc_number toc_depth_2\">5.3<\/span> 3. Update hreflang and structured data<\/a><\/li><li><a href=\"#4_Search_Console_and_analytics_updates\"><span class=\"toc_number toc_depth_2\">5.4<\/span> 4. Search Console and analytics updates<\/a><\/li><li><a href=\"#5_External_links_embeds_and_CDNs\"><span class=\"toc_number toc_depth_2\">5.5<\/span> 5. External links, embeds and CDNs<\/a><\/li><\/ul><\/li><li><a href=\"#Mixed_Content_Fixing_the_Not_Secure_Padlock_After_Migration\"><span class=\"toc_number toc_depth_1\">6<\/span> Mixed Content: Fixing the \u201cNot Secure\u201d Padlock After Migration<\/a><ul><li><a href=\"#What_is_mixed_content\"><span class=\"toc_number toc_depth_2\">6.1<\/span> What is mixed content?<\/a><\/li><li><a href=\"#How_to_detect_mixed_content\"><span class=\"toc_number toc_depth_2\">6.2<\/span> How to detect mixed content<\/a><\/li><li><a href=\"#Fixing_mixed_content_in_code_and_databases\"><span class=\"toc_number toc_depth_2\">6.3<\/span> Fixing mixed content in code and databases<\/a><\/li><li><a href=\"#Why_mixed_content_matters_for_SEO\"><span class=\"toc_number toc_depth_2\">6.4<\/span> Why mixed content matters for SEO<\/a><\/li><\/ul><\/li><li><a href=\"#StepByStep_HTTPS_Migration_Runbook\"><span class=\"toc_number toc_depth_1\">7<\/span> Step\u2011By\u2011Step HTTPS Migration Runbook<\/a><ul><li><a href=\"#Step_1_Prepare_in_a_staging_or_test_environment\"><span class=\"toc_number toc_depth_2\">7.1<\/span> Step 1: Prepare in a staging or test environment<\/a><\/li><li><a href=\"#Step_2_Enable_HTTPS_on_production_without_redirects_yet\"><span class=\"toc_number toc_depth_2\">7.2<\/span> Step 2: Enable HTTPS on production (without redirects yet)<\/a><\/li><li><a 
href=\"#Step_3_Switch_internal_links_to_HTTPS\"><span class=\"toc_number toc_depth_2\">7.3<\/span> Step 3: Switch internal links to HTTPS<\/a><\/li><li><a href=\"#Step_4_Turn_on_global_301_redirects_from_HTTP_HTTPS\"><span class=\"toc_number toc_depth_2\">7.4<\/span> Step 4: Turn on global 301 redirects from HTTP \u2192 HTTPS<\/a><\/li><li><a href=\"#Step_5_Add_HSTS_gradually\"><span class=\"toc_number toc_depth_2\">7.5<\/span> Step 5: Add HSTS (gradually)<\/a><\/li><li><a href=\"#Step_6_Notify_search_engines_and_monitor\"><span class=\"toc_number toc_depth_2\">7.6<\/span> Step 6: Notify search engines and monitor<\/a><\/li><\/ul><\/li><li><a href=\"#Common_Pitfalls_and_How_to_Avoid_Them\"><span class=\"toc_number toc_depth_1\">8<\/span> Common Pitfalls and How to Avoid Them<\/a><ul><li><a href=\"#1_Forgetting_secondary_hostnames_and_subdomains\"><span class=\"toc_number toc_depth_2\">8.1<\/span> 1. Forgetting secondary hostnames and subdomains<\/a><\/li><li><a href=\"#2_Redirecting_everything_to_the_homepage\"><span class=\"toc_number toc_depth_2\">8.2<\/span> 2. Redirecting everything to the homepage<\/a><\/li><li><a href=\"#3_Shortlived_or_inconsistent_redirects\"><span class=\"toc_number toc_depth_2\">8.3<\/span> 3. Short\u2011lived or inconsistent redirects<\/a><\/li><li><a href=\"#4_Ignoring_performance_impact\"><span class=\"toc_number toc_depth_2\">8.4<\/span> 4. Ignoring performance impact<\/a><\/li><\/ul><\/li><li><a href=\"#Wrapping_Up_A_Calm_Path_to_HTTPS_with_301s_HSTS_and_SEO_Intact\"><span class=\"toc_number toc_depth_1\">9<\/span> Wrapping Up: A Calm Path to HTTPS with 301s, HSTS and SEO Intact<\/a><\/li><\/ul><\/div>\n<h2><span id=\"Why_a_Full_HTTPS_Migration_Matters_for_Security_SEO_and_UX\">Why a Full HTTPS Migration Matters for Security, SEO and UX<\/span><\/h2>\n<h3><span id=\"HTTPS_is_no_longer_optional\">HTTPS is no longer optional<\/span><\/h3>\n<p>HTTPS is the secure version of HTTP. 
It uses TLS (often still called SSL) to encrypt traffic between browser and server. That protects login details, payment information and any other data users submit on your site.<\/p>\n<p>Modern browsers now:<\/p>\n<ul>\n<li>Show a <strong>\u201cNot secure\u201d<\/strong> label for HTTP pages, especially when forms are present.<\/li>\n<li>Block some powerful features (like geolocation or some APIs) on non\u2011HTTPS sites.<\/li>\n<li>Warn loudly when HTTPS pages include insecure assets (mixed content).<\/li>\n<\/ul>\n<h3><span id=\"Search_engines_explicitly_prefer_HTTPS\">Search engines explicitly prefer HTTPS<\/span><\/h3>\n<p>HTTPS is a known ranking signal. It\u2019s not the single deciding factor, but when everything else is equal, a secure site can get a small boost over an insecure one. More importantly, HTTPS improves:<\/p>\n<ul>\n<li><strong>User trust<\/strong>: higher click\u2011through and conversion rates.<\/li>\n<li><strong>Data accuracy<\/strong>: referrer data is preserved more reliably when going from HTTPS to HTTPS.<\/li>\n<li><strong>Compliance<\/strong>: some regulations and payment standards (like PCI\u2011DSS) strongly expect encrypted traffic.<\/li>\n<\/ul>\n<p>We have already written about <a href=\"https:\/\/www.dchost.com\/blog\/en\/what-is-an-ssl-certificate-secure-your-website\/\">what an SSL certificate is and how it secures your website<\/a>. This article takes the next step: how to migrate everything to HTTPS without SEO or usability pain.<\/p>\n<h2><span id=\"PreMigration_Checklist_Get_Your_Infrastructure_and_SSL_Ready\">Pre\u2011Migration Checklist: Get Your Infrastructure and SSL Ready<\/span><\/h2>\n<h3><span id=\"1_Choose_the_right_type_of_SSL_certificate\">1. Choose the right type of <a href=\"https:\/\/www.dchost.com\/ssl\">SSL certificate<\/a><\/span><\/h3>\n<p>Before touching redirects or HSTS, make sure you have the right certificate in place. 
In summary, you\u2019ll choose between:<\/p>\n<ul>\n<li><strong>DV (Domain Validation)<\/strong>: fast, automated, ideal for blogs, content sites, most SMB websites.<\/li>\n<li><strong>OV (Organization Validation)<\/strong>: shows validated company information; useful for B2B and brand\u2011sensitive sites.<\/li>\n<li><strong>EV (Extended Validation)<\/strong>: stricter vetting, still preferred by some financial and enterprise organizations.<\/li>\n<li><strong>Wildcard<\/strong> vs <strong>single\u2011domain<\/strong>: wildcard covers <code>*.example.com<\/code>; single\u2011domain covers a specific hostname.<\/li>\n<\/ul>\n<p>If you\u2019re unsure which one fits your use case, we\u2019ve compared the options in detail in <a href=\"https:\/\/www.dchost.com\/blog\/en\/dv-ov-ev-ve-wildcard-ssl-arasinda-kaybolmadan-e%e2%80%91ticaret-ve-saaste-hangi-sertifika-ne-zaman\/\">our guide to choosing between DV, OV, EV and Wildcard SSL for e\u2011commerce and SaaS<\/a>.<\/p>\n<p>On dchost.com infrastructure (shared hosting, VPS, dedicated servers and colocation), you can use both free certificates (like Let\u2019s Encrypt via ACME) and commercial SSL. For many sites, automated DV with auto\u2011renewal is perfectly fine; for bigger brands, OV\/EV can make sense.<\/p>\n<h3><span id=\"2_Confirm_TLS_and_HTTP23_support_on_your_server\">2. Confirm TLS and HTTP\/2\/3 support on your server<\/span><\/h3>\n<p>A modern HTTPS migration shouldn\u2019t just be \u201cadd a certificate\u201d. You also want:<\/p>\n<ul>\n<li><strong>TLS 1.2 and 1.3<\/strong> enabled, with older, insecure protocols (TLS 1.0\/1.1, SSLv3) disabled.<\/li>\n<li><strong>HTTP\/2<\/strong> and ideally <strong>HTTP\/3 (QUIC)<\/strong> for better performance.<\/li>\n<\/ul>\n<p>On a VPS or dedicated server, you\u2019ll configure this in Nginx, Apache or your chosen web server. 
If you want a deeper dive, our article <a href=\"https:\/\/www.dchost.com\/blog\/en\/tls-1-3-ve-modern-sifrelerin-sicacik-mutfagi-nginx-apachede-ocsp-stapling-hsts-preload-ve-pfs-nasil-kurulur\/\">on TLS 1.3, OCSP stapling and HSTS on Nginx\/Apache<\/a> walks through real\u2011world configurations. We also have an <a href=\"https:\/\/www.dchost.com\/blog\/en\/nginx-ve-cloudflareda-http-2-ve-http-3-quic-nasil-etkinlestirilir-wordpress-icin-uctan-uca-kurulum-ve-test-rehberi\/\">end\u2011to\u2011end guide to enabling HTTP\/2 and HTTP\/3 on Nginx plus Cloudflare<\/a> if you are using a CDN.<\/p>\n<h3><span id=\"3_Decide_your_canonical_host_pattern\">3. Decide your \u201ccanonical\u201d host pattern<\/span><\/h3>\n<p>Before building redirects, make a final decision on your canonical URL scheme. For example:<\/p>\n<ul>\n<li><code>https:\/\/example.com\/<\/code>  (no <code>www<\/code>)<\/li>\n<li><code>https:\/\/www.example.com\/<\/code> (with <code>www<\/code>)<\/li>\n<\/ul>\n<p>Pick one, and plan to redirect everything else to that pattern with a <strong>301 status code<\/strong>. This includes:<\/p>\n<ul>\n<li><code>http:\/\/example.com<\/code> \u2192 <code>https:\/\/example.com<\/code> (or <code>https:\/\/www.example.com<\/code>)<\/li>\n<li><code>http:\/\/www.example.com<\/code> \u2192 <code>https:\/\/example.com<\/code> (or your choice)<\/li>\n<\/ul>\n<p>Clear canonicalization avoids duplicate content and makes your redirect rules simpler.<\/p>\n<h3><span id=\"4_Snapshot_your_current_SEO_state\">4. Snapshot your current SEO state<\/span><\/h3>\n<p>Before migration, take a snapshot of:<\/p>\n<ul>\n<li>Current <strong>organic traffic<\/strong> and top landing pages.<\/li>\n<li>Existing <strong>XML sitemaps<\/strong> and <strong>robots.txt<\/strong>.<\/li>\n<li><strong>Canonical tags<\/strong>, <strong>hreflang<\/strong> and structured data (if used).<\/li>\n<\/ul>\n<p>This gives you a baseline. 
Our article <a href=\"https:\/\/www.dchost.com\/blog\/en\/alan-adi-degistirirken-seo-kaybetmemek\/\">on changing a domain without losing SEO<\/a> uses the same principle: know what you have, then migrate methodically. Moving from HTTP to HTTPS is simpler than a domain change, but many of the SEO patterns are identical.<\/p>\n<h2><span id=\"301_Redirects_The_Backbone_of_a_Clean_HTTPS_Migration\">301 Redirects: The Backbone of a Clean HTTPS Migration<\/span><\/h2>\n<h3><span id=\"Why_301_permanent_redirects_are_critical\">Why 301 (permanent) redirects are critical<\/span><\/h3>\n<p>A <strong>301 redirect<\/strong> tells browsers and search engines that a URL has permanently moved. Link equity (PageRank) is passed to the new URL, and over time, search results update to the new destination.<\/p>\n<p>For an HTTPS migration, you want <strong>all HTTP URLs<\/strong> to respond with a 301 to their <strong>exact HTTPS equivalents<\/strong>. That includes:<\/p>\n<ul>\n<li>All pages and posts.<\/li>\n<li>Static assets if served on the same host (images, CSS, JS).<\/li>\n<li>Any alternate hosts (www vs non\u2011www, old subdomains) you are consolidating.<\/li>\n<\/ul>\n<p>A 302 (temporary) redirect tells search engines not to update their indexes permanently. Using 302s for an HTTPS migration can cause search engines to keep your HTTP URLs in the index longer than necessary.<\/p>\n<p>If you want a refresher on status codes, see <a href=\"https:\/\/www.dchost.com\/blog\/en\/http-durum-kodlari-seo-ve-hosting-icin-301-302-404-410-ve-5xx-rehberi\/\">our guide to what HTTP status codes mean for SEO and hosting<\/a>.<\/p>\n<h3><span id=\"Canonical_mapping_strategy\">Canonical mapping strategy<\/span><\/h3>\n<p>Before writing rules, check if any URLs are changing beyond \u201chttp \u2192 https\u201d. 
Examples:<\/p>\n<ul>\n<li>Switching from <code>http:\/\/example.com<\/code> to <code>https:\/\/www.example.com<\/code>.<\/li>\n<li>Cleaning up old paths like <code>\/index.php<\/code> \u2192 <code>\/<\/code>.<\/li>\n<\/ul>\n<p>For minor path adjustments, use <strong>individual redirect rules<\/strong> on top of your global \u201chttp \u2192 https\u201d redirect. Document these in a migration sheet so you can debug later if a specific page loses traffic.<\/p>\n<h3><span id=\"Global_HTTP_HTTPS_redirect_on_Apache_htaccess\">Global HTTP \u2192 HTTPS redirect on Apache (.htaccess)<\/span><\/h3>\n<p>For many shared hosting environments, you will set this in <code>.htaccess<\/code> in your document root. A common pattern to force HTTPS and one host (e.g. <code>www<\/code>) is:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">RewriteEngine On\n\n# Force the canonical www host (any other host goes straight to https:\/\/www)\nRewriteCond %{HTTP_HOST} !^www\\.example\\.com$ [NC]\nRewriteRule ^(.*)$ https:\/\/www.example.com\/$1 [L,R=301]\n\n# Force HTTPS for requests that already use the canonical host\nRewriteCond %{HTTPS} !=on\nRewriteRule ^(.*)$ https:\/\/www.example.com\/$1 [L,R=301]\n<\/code><\/pre>\n<p>Adjust the hostname to your canonical choice. Place these rules before other rewrites to avoid redirect chains (e.g. http \u2192 https \u2192 www \u2192 final URL). 
Aim for a <strong>single redirect hop<\/strong> whenever possible.<\/p>\n<h3><span id=\"Global_HTTP_HTTPS_redirect_on_Nginx\">Global HTTP \u2192 HTTPS redirect on Nginx<\/span><\/h3>\n<p>On Nginx, the cleanest approach is to have a separate server block for HTTP that only does redirects:<\/p>\n<pre class=\"language-nginx line-numbers\"><code class=\"language-nginx\">server {\n    listen 80;\n    listen [::]:80;\n    server_name example.com www.example.com;\n\n    return 301 https:\/\/www.example.com$request_uri;\n}\n<\/code><\/pre>\n<p>Then in your HTTPS server block:<\/p>\n<pre class=\"language-nginx line-numbers\"><code class=\"language-nginx\">server {\n    listen 443 ssl http2;\n    listen [::]:443 ssl http2;\n    server_name www.example.com;\n\n    # SSL \/ TLS config here\n    # root, index, etc.\n}\n<\/code><\/pre>\n<p>This ensures all HTTP requests are upgraded to HTTPS in a single step.<\/p>\n<h3><span id=\"Avoid_redirect_chains_and_loops\">Avoid redirect chains and loops<\/span><\/h3>\n<p>Common redirect mistakes during HTTPS migrations include:<\/p>\n<ul>\n<li><strong>Chains<\/strong>: <code>http:\/\/example.com<\/code> \u2192 <code>http:\/\/www.example.com<\/code> \u2192 <code>https:\/\/www.example.com<\/code>.<\/li>\n<li><strong>Loops<\/strong>: rules that conditionally redirect back and forth between URLs.<\/li>\n<\/ul>\n<p>Use tools like browser dev tools (Network tab) or <code>curl -I<\/code> to confirm that:<\/p>\n<ul>\n<li>Each HTTP URL returns <strong>301<\/strong> once and lands on the correct HTTPS URL.<\/li>\n<li>Canonical HTTPS URLs do <strong>not<\/strong> redirect further.<\/li>\n<\/ul>\n<h2><span id=\"HSTS_Locking_in_HTTPS_and_When_to_Be_Careful\">HSTS: Locking in HTTPS (and When to Be Careful)<\/span><\/h2>\n<h3><span id=\"What_HSTS_actually_does\">What HSTS actually does<\/span><\/h3>\n<p><strong>HSTS (HTTP Strict Transport Security)<\/strong> is an HTTP response header that tells browsers: \u201cFor this domain, only use HTTPS for a 
given time period.\u201d Once a browser sees this header, it will:<\/p>\n<ul>\n<li>Refuse to send plain HTTP requests to the domain.<\/li>\n<li>Upgrade any manual <code>http:\/\/<\/code> URL typed by the user to HTTPS before sending.<\/li>\n<\/ul>\n<p>This prevents some downgrade and cookie\u2011theft attacks and speeds up subsequent visits by skipping the HTTP \u2192 HTTPS redirect round\u2011trip.<\/p>\n<h3><span id=\"Basic_HSTS_configuration\">Basic HSTS configuration<\/span><\/h3>\n<p>An example HSTS header looks like:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\n<\/code><\/pre>\n<p>Meaning:<\/p>\n<ul>\n<li><strong>max-age<\/strong>: how long (in seconds) the browser should remember to enforce HTTPS (here: 2 years).<\/li>\n<li><strong>includeSubDomains<\/strong>: also enforce HTTPS on all subdomains.<\/li>\n<li><strong>preload<\/strong>: signals your intent to be added to browser preload lists.<\/li>\n<\/ul>\n<p>On Apache, you can add:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">Header always set Strict-Transport-Security &quot;max-age=63072000; includeSubDomains; preload&quot;\n<\/code><\/pre>\n<p>On Nginx:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">add_header Strict-Transport-Security &quot;max-age=63072000; includeSubDomains; preload&quot; always;\n<\/code><\/pre>\n<h3><span id=\"Roll_out_HSTS_in_stages\">Roll out HSTS in stages<\/span><\/h3>\n<p>Because HSTS is cached by browsers, a mistake can lock you into HTTPS before every subdomain is fully ready. A safer rollout pattern is:<\/p>\n<ol>\n<li>Start with <code>max-age=300<\/code> (5 minutes), no <code>includeSubDomains<\/code>, no <code>preload<\/code>.<\/li>\n<li>Watch logs and error reports. 
Fix any mixed content or subdomain issues.<\/li>\n<li>Increase to <code>max-age=86400<\/code> (1 day), then to 1 month, then 1 year once stable.<\/li>\n<li>Only add <code>includeSubDomains<\/code> when ALL subdomains are HTTPS\u2011ready.<\/li>\n<li>Only add <code>preload<\/code> when you\u2019re comfortable being locked into HTTPS long\u2011term.<\/li>\n<\/ol>\n<p>We explain HSTS and other security headers in more detail in <a href=\"https:\/\/www.dchost.com\/blog\/en\/http-guvenlik-basliklari-rehberi-hsts-csp-ve-digerlerini-ne-zaman-nasil-uygulamalisin\/\">our friendly guide to HTTP security headers<\/a>.<\/p>\n<h2><span id=\"ZeroLoss_SEO_How_to_Tell_Search_Engines_About_Your_HTTPS_Move\">Zero\u2011Loss SEO: How to Tell Search Engines About Your HTTPS Move<\/span><\/h2>\n<h3><span id=\"1_Update_canonical_tags\">1. Update canonical tags<\/span><\/h3>\n<p>If your site uses <code>&lt;link rel=\"canonical\"&gt;<\/code> tags, they must now point to the HTTPS version of each URL. For example:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">&lt;link rel=&quot;canonical&quot; href=&quot;https:\/\/www.example.com\/my-article\/&quot;&gt;\n<\/code><\/pre>\n<p>Check a sample of key pages (home, category, product, blog) to verify canonicals are correct and consistent with your redirect rules and sitemaps.<\/p>\n<h3><span id=\"2_Regenerate_XML_sitemaps_with_HTTPS_URLs\">2. Regenerate XML sitemaps with HTTPS URLs<\/span><\/h3>\n<p>Most CMSs and SEO plugins will regenerate sitemaps automatically once the site URL is updated. Confirm that:<\/p>\n<ul>\n<li>All <code>&lt;loc&gt;<\/code> entries use <strong>HTTPS<\/strong>.<\/li>\n<li>You only list your <strong>canonical host<\/strong> (e.g. <code>https:\/\/www.example.com<\/code>), not both www and non\u2011www.<\/li>\n<\/ul>\n<p>Then update the sitemap locations referenced in your <code>robots.txt<\/code> to point to the HTTPS versions.<\/p>\n<h3><span id=\"3_Update_hreflang_and_structured_data\">3. 
Update hreflang and structured data<\/span><\/h3>\n<p>For multilingual sites using <code>hreflang<\/code>, each language\/country URL must now be HTTPS and match the canonical. Example:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">&lt;link rel=&quot;alternate&quot; href=&quot;https:\/\/www.example.com\/&quot; hreflang=&quot;en&quot; \/&gt;\n&lt;link rel=&quot;alternate&quot; href=&quot;https:\/\/www.example.com\/tr\/&quot; hreflang=&quot;tr&quot; \/&gt;\n<\/code><\/pre>\n<p>Likewise, structured data (JSON\u2011LD) should reference HTTPS URLs for <code>url<\/code>, <code>image<\/code>, <code>logo<\/code>, and <code>sameAs<\/code> fields where appropriate.<\/p>\n<h3><span id=\"4_Search_Console_and_analytics_updates\">4. Search Console and analytics updates<\/span><\/h3>\n<p>In Google Search Console, add and verify your <strong>HTTPS property<\/strong> (for both the canonical host and any variants you still use). Then:<\/p>\n<ul>\n<li>Resubmit your HTTPS sitemaps.<\/li>\n<li>Monitor indexing status and crawl errors.<\/li>\n<\/ul>\n<p>In your analytics tool, make sure the <strong>default URL<\/strong> and any <strong>filters<\/strong> reflect the HTTPS version, so reports don\u2019t split traffic between HTTP and HTTPS.<\/p>\n<h3><span id=\"5_External_links_embeds_and_CDNs\">5. 
External links, embeds and CDNs<\/span><\/h3>\n<p>While 301 redirects will catch most external HTTP links, it\u2019s still worth updating critical ones:<\/p>\n<ul>\n<li>Update links in social profiles, email signatures and major referral sites to use HTTPS.<\/li>\n<li>Ensure external scripts, fonts and iframes you embed support HTTPS.<\/li>\n<li>Update any image or asset URLs in your CDN configuration to HTTPS.<\/li>\n<\/ul>\n<p>These steps reduce reliance on redirects and improve performance.<\/p>\n<h2><span id=\"Mixed_Content_Fixing_the_Not_Secure_Padlock_After_Migration\">Mixed Content: Fixing the \u201cNot Secure\u201d Padlock After Migration<\/span><\/h2>\n<h3><span id=\"What_is_mixed_content\">What is mixed content?<\/span><\/h3>\n<p><strong>Mixed content<\/strong> happens when an HTTPS page loads some assets (images, CSS, JS, iframes) over plain HTTP. Browsers react by:<\/p>\n<ul>\n<li>Blocking active mixed content (scripts, iframes, some styles).<\/li>\n<li>Showing warnings for passive mixed content (images, videos, audio).<\/li>\n<\/ul>\n<p>This breaks the green padlock and can cause layout or functionality issues. During HTTPS migrations, mixed content is the most common reason people think \u201cSSL is breaking my site\u201d. In reality, the migration just revealed hard\u2011coded HTTP links.<\/p>\n<h3><span id=\"How_to_detect_mixed_content\">How to detect mixed content<\/span><\/h3>\n<p>Use browser developer tools (Console tab) to see mixed content warnings. You can also run automated checks with online scanners or crawlers.<\/p>\n<p>We covered typical browser warnings and fixes in <a href=\"https:\/\/www.dchost.com\/blog\/en\/ssl-sertifika-hatalari-rehberi-mixed-content-not-secure-ve-tarayici-uyarilarini-hosting-tarafinda-cozmek\/\">our guide to fixing common SSL certificate errors, mixed content and \u201cNot secure\u201d alerts<\/a>. 
The same techniques apply here.<\/p>\n<h3><span id=\"Fixing_mixed_content_in_code_and_databases\">Fixing mixed content in code and databases<\/span><\/h3>\n<p>Common sources of mixed content include:<\/p>\n<ul>\n<li>Hard\u2011coded <code>http:\/\/<\/code> URLs in HTML templates and CMS themes.<\/li>\n<li>Old content in databases (e.g. WordPress posts referencing <code>http:\/\/example.com<\/code> images).<\/li>\n<li>External scripts (analytics, widgets) that still use HTTP URLs.<\/li>\n<\/ul>\n<p>Typical fixes:<\/p>\n<ul>\n<li>Change hard\u2011coded links to use <strong>HTTPS<\/strong> or protocol\u2011relative URLs (e.g. <code>\/\/example.com\/script.js<\/code>).<\/li>\n<li>Run a search\u2011and\u2011replace in the database to update <code>http:\/\/yourdomain<\/code> \u2192 <code>https:\/\/yourdomain<\/code> (after taking a backup).<\/li>\n<li>Swap any external libraries to HTTPS URLs or modern CDNs.<\/li>\n<\/ul>\n<p>If you\u2019re using WordPress, our posts on <a href=\"https:\/\/www.dchost.com\/blog\/en\/litespeed-cache-eklentisi-ile-wordpress-hizlandirma-paylasimli-hosting-icin-detayli-ayar-rehberi\/\">speeding up WordPress with LiteSpeed Cache<\/a> and <a href=\"https:\/\/www.dchost.com\/blog\/en\/wordpress-guvenlik-sertlestirme-kontrol-listesi-dosya-izinleri-salt-keys-xml-rpc-ufw-fail2ban-nasil-tatli-tatli-kurulur\/\">WordPress hardening<\/a> also touch on how correct URLs and caching interact with HTTPS.<\/p>\n<h3><span id=\"Why_mixed_content_matters_for_SEO\">Why mixed content matters for SEO<\/span><\/h3>\n<p>While mixed content itself is not a direct ranking factor, it can:<\/p>\n<ul>\n<li>Break key assets (JS\/CSS), harming <strong>Core Web Vitals<\/strong> and user experience.<\/li>\n<li>Trigger browser warnings that increase bounce rate.<\/li>\n<li>Make search engines hesitant about fully trusting your HTTPS setup.<\/li>\n<\/ul>\n<p>Fixing mixed content is therefore both a security and UX\/SEO task.<\/p>\n<h2><span 
id=\"StepByStep_HTTPS_Migration_Runbook\">Step\u2011By\u2011Step HTTPS Migration Runbook<\/span><\/h2>\n<h3><span id=\"Step_1_Prepare_in_a_staging_or_test_environment\">Step 1: Prepare in a staging or test environment<\/span><\/h3>\n<p>Whenever possible, mirror your live site to a staging instance (on the same hosting plan, VPS or server type) and test the entire HTTPS configuration there first:<\/p>\n<ul>\n<li>Install the SSL certificate and configure TLS.<\/li>\n<li>Enable HTTP\/2 (and HTTP\/3 if using a compatible stack).<\/li>\n<li>Set up your 301 redirects and test them thoroughly.<\/li>\n<li>Fix mixed content issues before touching production.<\/li>\n<\/ul>\n<p>For WordPress sites, we have a detailed walkthrough on <a href=\"https:\/\/www.dchost.com\/blog\/en\/wordpress-staging-ortami-nasil-kurulur-cpanelde-alt-alan-adi-klonlama-ve-guvenli-yayina-alma\/\">creating a staging environment on cPanel and promoting changes safely<\/a>.<\/p>\n<h3><span id=\"Step_2_Enable_HTTPS_on_production_without_redirects_yet\">Step 2: Enable HTTPS on production (without redirects yet)<\/span><\/h3>\n<p>On the live site, first:<\/p>\n<ul>\n<li>Install and test the SSL certificate.<\/li>\n<li>Confirm that <code>https:\/\/<\/code> URLs work correctly for the main host.<\/li>\n<li>Update the application\u2019s \u201csite URL\u201d setting (e.g. in WordPress, Laravel, your CMS config) to HTTPS.<\/li>\n<\/ul>\n<p>At this stage, HTTP is still accessible, but you can start testing HTTPS in parallel.<\/p>\n<h3><span id=\"Step_3_Switch_internal_links_to_HTTPS\">Step 3: Switch internal links to HTTPS<\/span><\/h3>\n<p>Update:<\/p>\n<ul>\n<li>Navigation menus, buttons and internal links.<\/li>\n<li>Image, CSS and JS paths in templates.<\/li>\n<li>Canonical tags and sitemaps.<\/li>\n<\/ul>\n<p>Use your CMS tools or database search\u2011and\u2011replace to ensure all internal links now point directly to HTTPS. 
This reduces redirect hops and simplifies later debugging.<\/p>\n<h3><span id=\"Step_4_Turn_on_global_301_redirects_from_HTTP_HTTPS\">Step 4: Turn on global 301 redirects from HTTP \u2192 HTTPS<\/span><\/h3>\n<p>Once HTTPS works end\u2011to\u2011end and internal links are updated, enable your HTTP \u2192 HTTPS 301 redirects at the web server level (Nginx or Apache) as shown above. Test again:<\/p>\n<ul>\n<li>Random page URLs.<\/li>\n<li>Category, product and blog URLs.<\/li>\n<li>Old URLs you know have backlinks.<\/li>\n<\/ul>\n<p>Check the status codes and ensure no chains or loops.<\/p>\n<h3><span id=\"Step_5_Add_HSTS_gradually\">Step 5: Add HSTS (gradually)<\/span><\/h3>\n<p>With redirects stable and mixed content fixed, add a conservative HSTS header:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">Strict-Transport-Security: max-age=300\n<\/code><\/pre>\n<p>Monitor for issues. If everything is stable, gradually increase <code>max-age<\/code> over the following days\/weeks until you reach your desired duration. Only after several weeks of stability should you consider <code>includeSubDomains<\/code> and <code>preload<\/code>.<\/p>\n<h3><span id=\"Step_6_Notify_search_engines_and_monitor\">Step 6: Notify search engines and monitor<\/span><\/h3>\n<p>Finally:<\/p>\n<ul>\n<li>Verify the HTTPS property in Search Console and submit HTTPS sitemaps.<\/li>\n<li>Update analytics settings and annotations to record the day of migration.<\/li>\n<li>Monitor crawl errors, 404s and 5xx responses.<\/li>\n<\/ul>\n<p>In the first 2\u20134 weeks, it\u2019s normal to see some URL reshuffling in search results as HTTP entries are replaced with HTTPS ones. With correct 301s and consistent canonicals, this typically stabilizes quickly.<\/p>\n<h2><span id=\"Common_Pitfalls_and_How_to_Avoid_Them\">Common Pitfalls and How to Avoid Them<\/span><\/h2>\n<h3><span id=\"1_Forgetting_secondary_hostnames_and_subdomains\">1. 
Forgetting secondary hostnames and subdomains<\/span><\/h3>\n<p>It\u2019s easy to focus only on <code>www.example.com<\/code> and forget:<\/p>\n<ul>\n<li><code>example.com<\/code> (non\u2011www).<\/li>\n<li>Subdomains like <code>blog.example.com<\/code>, <code>shop.example.com<\/code>.<\/li>\n<li>CDN or asset subdomains.<\/li>\n<\/ul>\n<p>Ensure each relevant hostname:<\/p>\n<ul>\n<li>Has a valid certificate.<\/li>\n<li>Serves content correctly over HTTPS.<\/li>\n<li>Redirects HTTP \u2192 HTTPS as needed.<\/li>\n<\/ul>\n<h3><span id=\"2_Redirecting_everything_to_the_homepage\">2. Redirecting everything to the homepage<\/span><\/h3>\n<p>Sometimes, admins create a simple rule that sends all HTTP requests to <code>https:\/\/example.com\/<\/code> (home). This destroys your URL structure from a search engine\u2019s point of view and can severely hurt SEO.<\/p>\n<p>Always redirect <strong>URL\u2011by\u2011URL<\/strong> when possible: <code>http:\/\/example.com\/page-a<\/code> \u2192 <code>https:\/\/example.com\/page-a<\/code>. Only use generic redirects when URLs truly no longer exist and have no close equivalent.<\/p>\n<h3><span id=\"3_Shortlived_or_inconsistent_redirects\">3. Short\u2011lived or inconsistent redirects<\/span><\/h3>\n<p>Once you migrate to HTTPS, plan to keep HTTP \u2192 HTTPS redirects for the long term (years, not weeks). Removing redirects too early can:<\/p>\n<ul>\n<li>Break old backlinks and bookmarks.<\/li>\n<li>Cause 404 errors for URLs still in the index.<\/li>\n<\/ul>\n<p>Think of HTTPS migration as a permanent infrastructure change, not a campaign test.<\/p>\n<h3><span id=\"4_Ignoring_performance_impact\">4. Ignoring performance impact<\/span><\/h3>\n<p>Done badly, HTTPS can slow down a site; done well, it can actually be faster, thanks to HTTP\/2 multiplexing, better caching and modern TLS. 
On a VPS or dedicated server from dchost.com you can:<\/p>\n<ul>\n<li>Tune TLS settings (session reuse, ciphers) for faster handshakes.<\/li>\n<li>Enable Brotli or Gzip compression and efficient caching.<\/li>\n<li>Use NVMe storage for quick TTFB, as discussed in our <a href=\"https:\/\/www.dchost.com\/blog\/en\/nvme-vps-hosting-rehberi-hizin-nereden-geldigini-nasil-olculdugunu-ve-gercek-sonuclari-beraber-gorelim\/\">NVMe VPS hosting guide<\/a>.<\/li>\n<\/ul>\n<p>Monitoring Core Web Vitals before and after migration helps confirm that HTTPS hasn\u2019t introduced latency.<\/p>\n<h2><span id=\"Wrapping_Up_A_Calm_Path_to_HTTPS_with_301s_HSTS_and_SEO_Intact\">Wrapping Up: A Calm Path to HTTPS with 301s, HSTS and SEO Intact<\/span><\/h2>\n<p>Enabling SSL and moving fully to HTTPS doesn\u2019t have to be dramatic. When we handle migrations for customers at dchost.com, the pattern is always the same: prepare carefully, enforce clean 301 redirects, introduce HSTS gradually and double\u2011check the SEO details like canonicals, sitemaps and mixed content. The reward is a site that users and search engines both trust more, with encrypted traffic, modern TLS and a padlock that doesn\u2019t randomly disappear after each deployment.<\/p>\n<p>If you\u2019re planning a migration on shared hosting, a VPS, a dedicated server or your own colocated hardware, the steps in this guide will keep you on a safe track. Combine them with solid DNS and SSL planning \u2013 we cover those in <a href=\"https:\/\/www.dchost.com\/blog\/en\/yeni-alan-adi-aldiktan-sonra-ilk-30-gun-icin-dns-ssl-e%e2%80%91posta-ve-seo-kontrol-listesi\/\">our first 30\u2011day checklist after buying a domain<\/a> \u2013 and you can modernize your stack without sacrificing rankings or uptime.<\/p>\n<p>If you\u2019d like help choosing the right hosting plan or need hands\u2011on assistance with redirects, HSTS or SSL on your server, our team at dchost.com is ready to help. 
We work with everything from small WordPress sites on shared hosting to large e\u2011commerce platforms on clustered VPS and dedicated servers. Plan your HTTPS migration once, do it cleanly, and you won\u2019t need to think about it again \u2013 except when you look at your analytics and see that traffic and conversions are right where they should be.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Moving a site to HTTPS used to feel risky: horror stories about traffic drops, broken redirects and mysterious \u201cmixed content\u201d warnings scared a lot of teams into postponing SSL for years. Today, search engines expect secure sites by default, browsers label plain HTTP as \u201cNot secure\u201d, and users are less willing than ever to type [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2500,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-2499","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/posts\/2499","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/comments?post=2499"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/posts\/2499\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/media\/2500"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/media?parent=2499"}],"wp:term":[{"taxonomy":"category","embeddable":tr
ue,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/categories?post=2499"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/tags?post=2499"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}