HTTPS Migration Guide: Move to SSL Without Losing Rankings
Migrating from HTTP to HTTPS is one of the most impactful technical SEO changes you can make — Google confirmed HTTPS as a ranking signal, and browsers now actively warn users about insecure pages. Done correctly, the migration preserves your rankings and link equity; done poorly, it can trigger significant organic traffic loss that takes months to recover. This guide covers every step required for a safe, complete HTTPS migration.
Get and install your SSL certificate
Most hosting providers offer free SSL via Let's Encrypt - enable it in your hosting control panel with one click. After installation, verify your site loads correctly at https:// before making any other changes. Test on multiple pages and check Chrome's padlock icon shows secure.
Set up 301 redirects from HTTP to HTTPS
Configure your server to 301 redirect all HTTP requests to HTTPS. In Apache: add RewriteEngine On, RewriteCond %{'HTTPS'} off, RewriteRule ^(.*)$ https://%{'HTTP_HOST'}%{'REQUEST_URI'} [L,R=301] to .htaccess. In Nginx: add a server block for port 80 that redirects to https://. In Next.js or Vercel: HTTPS is enforced automatically.
Update all internal links and resources
Change all hardcoded http:// internal links in your content, templates, and database to https://. Mixed content occurs when an HTTPS page loads HTTP resources - browsers block this and show security warnings. Find mixed content using Chrome DevTools Console or the Why No Padlock tool.
Update canonical tags and sitemap
Update all canonical tags to use https:// URLs. Update your sitemap.xml to contain only https:// URLs. Submit the updated sitemap in Google Search Console. Your sitemap must not contain any http:// URLs after migration.
Update Google Search Console and Analytics
Add your HTTPS property to Google Search Console - it is treated as a separate property from HTTP. Set the preferred domain. In Google Analytics: update the default URL to https://. Update any external tools referencing your old HTTP domain.
Monitor for issues post-migration
Watch Google Search Console Coverage report for new crawl errors in the week after migration. Monitor organic traffic in Google Analytics for any drops. A small temporary fluctuation is normal during the migration period but should recover within 2-4 weeks as Google reindexes all your HTTPS URLs.
Handle HSTS to lock in HTTPS permanently
After confirming your HTTPS setup is stable, add the HTTP Strict Transport Security (HSTS) header to your server response: Strict-Transport-Security: max-age=31536000; includeSubDomains. This instructs browsers to never attempt an HTTP connection to your domain again, eliminating redirect latency on repeat visits. Start with a short max-age value (300 seconds) for testing, then increase to 31536000 (one year) once you are confident. Optionally submit your domain to the HSTS preload list at hstspreload.org for browser-level HTTPS enforcement.
Update external backlinks and business listings
After migrating to HTTPS, proactively update HTTP links pointing to your site. Prioritize high-value backlinks: reach out to referring domains linking to your home page or top-linked pages and request they update the link URL to HTTPS. Update your Google Business Profile, social media profiles, and any third-party directories that reference your old HTTP URL. While 301 redirects pass link equity, direct HTTPS links avoid the redirect hop and are the cleanest signal for search engines.
Verify third-party scripts and tracking
Audit all third-party scripts, ad tags, and analytics integrations after migrating. Google Tag Manager, analytics pixels, heatmap tools, and advertising tags must load over HTTPS or they generate mixed content warnings. In Chrome DevTools, open the Console tab and filter for mixed content errors - each one identifies an HTTP resource that needs updating. Update every script src attribute and any hardcoded pixel URLs in your tag manager to use https://.
Check for parameter-based HTTP duplication
Some sites generate both HTTP and HTTPS versions of parameterized URLs (e.g., http://example.com/page?ref=abc vs https://example.com/page?ref=abc). Ensure your server-level redirect rules apply to all URL patterns including those with query strings and hash fragments. Test a sample of your most common URL patterns through a redirect checker to confirm every variant lands on the correct HTTPS final URL. Include the canonical tag on all parameterized pages pointing to the clean HTTPS canonical.
Related Guides
- JavaScript SEO: Make JS Sites Crawlable
- Redirect SEO: 301 vs 302 & Best Practices
- Crawl Budget SEO: Stop Wasting Crawls on Bad Pages
- Crawl Budget Optimization: Get More Crawl Value
- Pagination SEO: Handle Page 2, 3, 4 Right
- HTTPS SEO: Why It Matters and How to Migrate Correctly
- SSL Certificates and SEO: What You Need to Know