Which protocols can be used to secure HTTP?

HTTPS (Hypertext Transfer Protocol Secure) is an internet communication protocol that protects the integrity and confidentiality of data between the user's computer and the site. Users expect a secure and private online experience when using a website. We encourage you to adopt HTTPS in order to protect your users' connections to your website, regardless of the content on the site.

Data sent using HTTPS is secured via Transport Layer Security protocol (TLS), which provides three key layers of protection:

Encryption: Encrypting the exchanged data to keep it secure from eavesdroppers. That means that while the user is browsing a website, nobody can "listen" to their conversations, track their activities across multiple pages, or steal their information.
Data integrity: Data cannot be modified or corrupted during transfer, intentionally or otherwise, without being detected.
Authentication: Proves that your users communicate with the intended website. It protects against man-in-the-middle attacks and builds user trust, which translates into other business benefits.

Best practices when implementing HTTPS

Use robust security certificates

You must obtain a security certificate as a part of enabling HTTPS for your site. The certificate is issued by a certificate authority (CA), which takes steps to verify that your web address actually belongs to your organization, thus protecting your customers from man-in-the-middle attacks. When setting up your certificate, ensure a high level of security by choosing a 2048-bit key. If you already have a certificate with a weaker key (1024-bit), upgrade it to 2048 bits. When choosing your site certificate, keep in mind the following:

Get your certificate from a reliable CA that offers technical support.
Decide the kind of certificate you need:
- Single certificate for single secure origin (www.example.com).
- Multi-domain certificate for multiple well-known secure origins (for example, www.example.com, cdn.example.com, example.co.uk).
- Wildcard certificate for a secure origin with many dynamic subdomains (for example, a.example.com, b.example.com).

Use permanent server-side redirects

Redirect your users and search engines to the HTTPS page or resource with permanent server-side redirects.

Verify that your HTTPS pages can be crawled and indexed by Google

Use the URL Inspection tool to test whether Googlebot can access your pages.
Don't block your HTTPS pages by robots.txt files.
Don't include noindex tags in your HTTPS pages.

Support HSTS

We recommend that HTTPS sites support HSTS (HTTP Strict Transport Security). HSTS tells the browser to request HTTPS pages automatically, even if the user enters http in the browser location bar. It also tells Google to serve secure URLs in the search results. All this minimizes the risk of serving unsecured content to your users.

To support HSTS, use a web server that supports it and enable the functionality.

Although it's more secure, HSTS adds complexity to your rollback strategy. We recommend enabling HSTS this way:

Roll out your HTTPS pages without HSTS first.
Start sending HSTS headers with a short max-age. Monitor your traffic both from users and other clients, and also dependents' performance, such as ads.
Slowly increase the HSTS max-age.
If HSTS doesn't affect your users and search engines negatively, you can add your site to the HSTS preload list, which is used by most major browsers. This adds extra security and improved performance.

Avoid these common pitfalls

Throughout the process of making your site secure with TLS, avoid the following mistakes:

Common mistakes and their solutions

Expired certificates	Make sure your certificate is always up to date.
Certificate registered to incorrect website name	Check that you have obtained a certificate for all host names that your site serves. For example, if your certificate only covers www.example.com, a visitor who loads your site using just example.com (without the www. prefix) will be blocked by a certificate name mismatch error.
Missing Server name indication (SNI) support	Make sure your web server supports SNI and that your audience uses supported browsers, generally. While SNI is supported by all modern browsers, you'll need a dedicated IP if you need to support older browsers.
Crawling issues	Don't block your HTTPS site from crawling using robots.txt. Learn more
Indexing issues	Allow indexing of your pages by search engines where possible. Don't use the noindex tag.
Old protocol versions	Old protocol versions are vulnerable; make sure you have the latest and newest versions of TLS libraries and implement the newest protocol versions.
Mixed security elements	Embed only HTTPS content on HTTPS pages.
Different content on HTTP and HTTPS	Make sure the content on your HTTP site and your HTTPS is the same.
HTTP status code errors on HTTPS	Check that your website returns the correct HTTP status code. For instance 200 OK for accessible pages, or 404 or 410 for pages that do not exist.

Migrating from HTTP to HTTPS

If you migrate your site from HTTP to HTTPS, Google treats this as a site move with URL changes. This can temporarily affect some of your traffic numbers. Learn more about recommendations for all site moves.

Make sure that you add the new HTTPS property to Search Console. Search Console treats HTTP and HTTPS separately; data isn't shared between properties in Search Console.

For more tips about using HTTPS pages on your site, see the HTTPS migration FAQs.

More resources on implementing TLS

Here are some additional resources on implementing TLS on your site:

Qualys SSL/TLS best practices
SSL/TLS Mozilla wiki

If you're a Search Console user and are having trouble with persistent or unfixable security issues on your site, you can let us know.

Report a security issue

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2022-08-19 UTC.

[{ "type": "thumb-down", "id": "missingTheInformationINeed", "label":"Missing the information I need" },{ "type": "thumb-down", "id": "tooComplicatedTooManySteps", "label":"Too complicated / too many steps" },{ "type": "thumb-down", "id": "outOfDate", "label":"Out of date" },{ "type": "thumb-down", "id": "samplesCodeIssue", "label":"Samples / code issue" },{ "type": "thumb-down", "id": "otherDown", "label":"Other" }] [{ "type": "thumb-up", "id": "easyToUnderstand", "label":"Easy to understand" },{ "type": "thumb-up", "id": "solvedMyProblem", "label":"Solved my problem" },{ "type": "thumb-up", "id": "otherUp", "label":"Other" }]

How do I secure my HTTP connection?

Best practices when implementing HTTPS. Use robust security certificates. Use permanent server-side redirects. Verify that your HTTPS pages can be crawled and indexed by Google. Support HSTS. Avoid these common pitfalls..

Migrating from HTTP to HTTPS..

More resources on implementing TLS..

Which current protocol is used to create secure transmissions for HTTP browsing sessions explain security features?

TLS is a cryptographic protocol that provides end-to-end security of data sent between applications over the Internet. It is mostly familiar to users through its use in secure web browsing, and in particular the padlock icon that appears in web browsers when a secure session is established.

Which is the most common protocol used to secure web data?

SSL Protocol SSL protocol has become the world's most popular web security mechanism, all major web browsers support SSL. Secure socket layer protocol is considered as an additional layer in TCP/IP protocol suite.

What is secure protocol?

2. A security protocol is essentially a communication protocol – an agreed sequence of actions performed by two or more communicating entities in order to accomplish some mutually desirable goal – that makes use of cryptographic techniques, allowing the communicating entities to achieve a security goal.