Stay organized with collections
Save and categorize content based on your preferences.
Thursday, December 17, 2015
At Google, user security has always been a top priority. Over the years, we've worked hard to
promote a more secure web and to provide a better browsing experience for users.
Gmail,
Google Search,
and YouTube have had secure connections for some time, and we also started giving a slight
ranking boost to HTTPS URLs in search
results last year. Browsing the web should be a private experience between the user and the
website, and must not be subject to
eavesdropping,
man-in-the-middle attacks,
or data modification. This is why we've been strongly promoting
HTTPS everywhere.
As a natural continuation of this, today we'd like to announce that we're adjusting our indexing
system to look for more HTTPS pages. Specifically, we'll start crawling HTTPS equivalents of HTTP
pages, even when the former are not linked to from any page. When two URLs from the same domain
appear to have the same content but are served over different protocol schemes, we'll typically
choose to index the HTTPS URL if:
It doesn't contain insecure dependencies.
It isn't blocked from crawling by robots.txt.
It doesn't redirect users to or through an insecure HTTP page.
It doesn't have a rel="canonical" link to the HTTP page.
It doesn't contain a noindexrobotsmeta tag.
It doesn't have on-host outlinks to HTTP URLs.
The sitemaps lists the HTTPS URL, or doesn't list the HTTP version of the URL
The server has a valid TLS certificate.
Although our systems prefer the HTTPS version by default, you can also make this clearer for other
search engines by redirecting your HTTP site to your HTTPS version and by implementing the
HSTS header
on your server.
We're excited about taking another step forward in making the web more secure. By showing users
HTTPS pages in our search results, we're hoping to decrease the risk for users to browse a website
over an insecure connection and making themselves vulnerable to content injection attacks. As
usual, if you have any questions or comments, please let us know in our
webmaster help forums.
Posted by
Zineb Ait Bahajji, WTA, and the Google
Security and Indexing teams
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],[],[[["\u003cp\u003eGoogle is adjusting its indexing system to prioritize HTTPS pages for enhanced security.\u003c/p\u003e\n"],["\u003cp\u003eGoogle will now crawl and index HTTPS versions of webpages, even if they aren't explicitly linked, if certain security criteria are met.\u003c/p\u003e\n"],["\u003cp\u003eWebsite owners are encouraged to redirect HTTP sites to HTTPS and implement HSTS for improved security and search engine optimization.\u003c/p\u003e\n"],["\u003cp\u003eThis initiative aims to reduce security risks for users by prioritizing secure connections and minimizing vulnerability to content injection attacks.\u003c/p\u003e\n"]]],["Google is enhancing web security by prioritizing HTTPS pages in its indexing system. The system will crawl and index HTTPS versions of HTTP pages, even without direct links. HTTPS pages are preferred if they meet specific criteria, including no insecure dependencies, not being blocked by robots.txt, and having a valid TLS certificate. Users can further ensure HTTPS preference through redirects and implementing the HSTS header. These measures aim to decrease the risk of insecure connections.\n"],null,["Thursday, December 17, 2015\n\n\nAt Google, user security has always been a top priority. Over the years, we've worked hard to\npromote a more secure web and to provide a better browsing experience for users.\n[Gmail](https://gmailblog.blogspot.com/2014/03/staying-at-forefront-of-email-security.html),\n[Google Search](https://googleblog.blogspot.com/2011/10/making-search-more-secure.html),\nand YouTube have had secure connections for some time, and we also started giving a slight\n[ranking boost to HTTPS URLs](/search/blog/2014/08/https-as-ranking-signal) in search\nresults last year. Browsing the web should be a private experience between the user and the\nwebsite, and must not be subject to\n[eavesdropping](https://en.wikipedia.org/wiki/Eavesdropping),\n[man-in-the-middle attacks](https://en.wikipedia.org/wiki/Man-in-the-middle_attack),\nor data modification. This is why we've been strongly promoting\n[HTTPS everywhere](https://www.youtube.com/watch?v=cBhZ6S0PFCY).\n\n\nAs a natural continuation of this, today we'd like to announce that we're adjusting our indexing\nsystem to look for more HTTPS pages. Specifically, we'll start crawling HTTPS equivalents of HTTP\npages, even when the former are not linked to from any page. When two URLs from the same domain\nappear to have the same content but are served over different protocol schemes, we'll typically\nchoose to index the HTTPS URL if:\n\n- It doesn't contain insecure dependencies.\n- It isn't blocked from crawling by robots.txt.\n- It doesn't redirect users to or through an insecure HTTP page.\n- It doesn't have a `rel=\"canonical\"` link to the HTTP page.\n- It doesn't contain a `noindex` robots `meta` tag.\n- It doesn't have on-host outlinks to HTTP URLs.\n- The sitemaps lists the HTTPS URL, or doesn't list the HTTP version of the URL\n- The server has a valid TLS certificate.\n\n\nAlthough our systems prefer the HTTPS version by default, you can also make this clearer for other\nsearch engines by redirecting your HTTP site to your HTTPS version and by implementing the\n[HSTS header](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)\non your server.\n\n\nWe're excited about taking another step forward in making the web more secure. By showing users\nHTTPS pages in our search results, we're hoping to decrease the risk for users to browse a website\nover an insecure connection and making themselves vulnerable to content injection attacks. As\nusual, if you have any questions or comments, please let us know in our\n[webmaster help forums](https://support.google.com/webmasters/go/community).\n\n\nPosted by\n[Zineb Ait Bahajji](https://www.linkedin.com/in/zinebaitbahajji), WTA, and the Google\nSecurity and Indexing teams"]]
