Avoiding Duplicate Content Issues when Migrating to HTTPS
If you’re not careful, you could create a headache for your SEO team.
We like to say that installing SSL is a fairly easy process. And it is. But there are some mistakes you can make that prove costly. Typically we toss out the example of bad key pinning. And that can be a problem. But one of the biggest issues sites face when they install SSL is their migration to HTTPS.
Remember, you’re not really creating an entirely new website, but if you do things incorrectly Google will mistakenly think you have, and at least in the interim, it’s going to dock you for having duplicate content. That’s because you’re going to be serving your entire site over a different protocol. HTTP and HTTPS are obviously different, one is secure with encrypted connections between clients and servers – the other isn’t.
Google sees these two URLS:
- https://example.com
- http://example.com
As two different pages with duplicate content. They are technically two different pages, too. So, how do we avoid this problem?
How do I avoid Google seeing my http and https pages as duplicate content?
You need to use 301 redirects on all of your HTTP pages to point to their HTTPS counterparts. This is an excellent time to remind you that the best practice is to enable SSL on every page of your site. All pages should be served over HTTPS. Having your visitors jump from a secure connection to a non-secure one and then back is not ideal. It puts extra pressure on your server because the handshake is an expensive process and it also opens attack vectors to exploit.
Your competitors can use your misconfiguration against you
That’s right, some servers will still serve pages via HTTPS, even without a security certificate. As we discussed, Google views that as duplicate content. So, hypothetically, if a competitor links to your HTTP site using the HTTPS protocol, it can get Google to start indexing your content as duplicate.
Then there are servers that won’t even serve pages if they’re not using HTTPS and there are no redirects. So the same tactic, linking to your HTTP site with HTTPS links, can create an error message, “Site can’t be reached,” and that’s also going to be harmful.
WWW or non-WWW?
You need to make a choice when you’re migrating – frankly you should have probably already made it, but definitely during migration – as to whether you want to serve your website with or without the WWW. That’s because to Google:
- https://example.com
- https://www.example.com
Are two different pages. WWW is actually considered a sub-domain and though most SSL certificates will cover both WWW and non-WWW variations, browsers don’t view it the same way. So pick one and redirect from the other, lest you confuse Google.
Some tips for protecting against Duplicate Content
Here are some suggestions to help you avoid duplicate content errors when you’re migrating to HTTPS
- Canonical Tags – Even with redirects, marking your intended page as canonical will help tell Google which page to display in its search results.
- Test your server – How does your server respond to requests for secure and insecure links? You may need to add more 301s to compensate.
- Audit your URLs – Use a tool (there are both free and paid ones) to review your URLs for any duplicate content errors.
- Check for 404s – This is just good hygiene, use Google Search Console to find and remedy any 404 errors your site is producing.
We hope this helps, and if you have any comments or questions, leave them in the comments section.
5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018
in Hashing Out Cyber SecurityHow to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chrome
in Everything EncryptionRe-Hashed: How to Fix SSL Connection Errors on Android Phones
in Everything EncryptionCloud Security: 5 Serious Emerging Cloud Computing Threats to Avoid
in ssl certificatesThis is what happens when your SSL certificate expires
in Everything EncryptionRe-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Message
in Hashing Out Cyber SecurityReport it Right: AMCA got hacked – Not Quest and LabCorp
in Hashing Out Cyber SecurityRe-Hashed: How to clear HSTS settings in Chrome and Firefox
in Everything EncryptionRe-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithms
in Everything EncryptionThe Difference Between Root Certificates and Intermediate Certificates
in Everything EncryptionThe difference between Encryption, Hashing and Salting
in Everything EncryptionRe-Hashed: How To Disable Firefox Insecure Password Warnings
in Hashing Out Cyber SecurityCipher Suites: Ciphers, Algorithms and Negotiating Security Settings
in Everything EncryptionThe Ultimate Hacker Movies List for December 2020
in Hashing Out Cyber Security Monthly DigestAnatomy of a Scam: Work from home for Amazon
in Hashing Out Cyber SecurityThe Top 9 Cyber Security Threats That Will Ruin Your Day
in Hashing Out Cyber SecurityHow strong is 256-bit Encryption?
in Everything EncryptionRe-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3
in Everything EncryptionHow to View SSL Certificate Details in Chrome 56
in Industry LowdownPayPal Phishing Certificates Far More Prevalent Than Previously Thought
in Industry Lowdown