Is HTTPS a ranking factor?

Yes. Google has used HTTPS as a ranking signal since 2014. The impact per page is small but real, and HTTP pages also lose CTR because browsers mark them "Not Secure".

How do I get a free certificate?

Let's Encrypt is the universal standard for free certificates with auto-renewal. Most CDNs (Cloudflare, Vercel, Netlify) provide HTTPS automatically with no setup.

What is mixed content?

When an HTTPS page loads sub-resources (images, scripts, stylesheets) over HTTP. Browsers block scripts and may warn or block images. Update all internal references to HTTPS.

Should I disable old TLS versions?

Yes. TLS 1.0 and 1.1 are deprecated by all major browsers and the PCI Council. Disable them on the server; require TLS 1.2 minimum, ideally TLS 1.3.

Yes for production sites. HSTS tells browsers to always use HTTPS for your domain, preventing downgrade attacks. Set it after verifying HTTPS works correctly across the site.

Mixed Content Test (HTTP over HTTPS)

The HTTPS Test checks that any URL is served over HTTPS with a valid TLS certificate, modern protocol version (TLS 1.2 minimum, ideally 1.3), and that HTTP requests redirect to HTTPS in a single hop. HTTPS is a confirmed Google ranking signal — has been since 2014 — and HTTP-only sites are explicitly marked "Not Secure" in every major browser. This test confirms your HTTPS setup is correct end-to-end.

What This Tool Checks

HTTPS is the canonical URL
HTTP redirects to HTTPS in one hop
TLS protocol version (1.2 or 1.3)
Certificate validity period and issuer
Certificate matches the requested hostname
Mixed-content warnings on the page
HSTS header presence

Why It Matters for SEO

HTTPS is the universal modern web baseline. Google has used it as a ranking signal since 2014, browsers mark HTTP pages as "Not Secure" in the address bar, and many modern web APIs (geolocation, service workers, payment) only work over HTTPS. Setting up HTTPS is free (Let's Encrypt, Cloudflare, AWS Certificate Manager) and a one-time deploy. There is no good reason to remain on HTTP in 2026.

How to Fix It

Get a free TLS certificate from Let's Encrypt (or use Cloudflare's automatic SSL). Configure HTTP to 301-redirect to HTTPS at the load balancer or CDN. Disable TLS 1.0 / 1.1 on the server. Update internal asset references to HTTPS (or use protocol-relative URLs). Add an HSTS header to enforce HTTPS in browsers.

How It Works

We open a TLS connection to the URL, validate the certificate chain against trusted roots, capture the negotiated protocol and cipher, then make HTTP and HTTPS requests to verify redirect behaviour. The page is also scanned for any HTTP resource references that would trigger mixed-content warnings.

Common Mistakes to Avoid

HTTPS configured but HTTP not redirecting (duplicate URLs)
TLS 1.0 / 1.1 still enabled (failing modern audits)
Self-signed certificate in production (browser warning)
Certificate expired (broken site)
Mixed content (HTTPS page loading HTTP images / scripts)

Quick Checklist

HTTPS canonical with valid certificate
HTTP redirects to HTTPS in one hop
TLS 1.2 + 1.3 supported, older versions disabled
No mixed-content warnings
HSTS header sent

Mixed Content Test (HTTP over HTTPS)

What This Tool Checks

Why It Matters for SEO

How to Fix It

How It Works

Common Mistakes to Avoid

Quick Checklist

Frequently Asked Questions

Related Free Tools

About PositionMySite

Services

Let's Connect