
SEO Pillar 7: Security - The Security Signals Google Reads in 2026

12 min read · by LANGR SEO

SEO Pillar 7: Security

This is Pillar 7 of the 13-pillar SEO framework. Security is not only about protecting your visitors: it is a signal of how well your site is run. Google has used HTTPS as a ranking signal since 2014 and has given it more weight since then.


Most site owners treat security as binary: "We have SSL, so we're secure." In reality, Google looks at many security signals. All else being equal, a site with correct security headers, a valid certificate and no mixed content outranks a site that has nothing more than a basic SSL certificate.

The good news: nearly all of it is fixable. This pillar walks through the security signals Google evaluates, how to check each one, and how to fix what you find.

SSL Certificates

SSL (technically TLS today) encrypts the connection between your site and its visitors. Google has used HTTPS as a ranking signal since 2014. In 2026 the absence of HTTPS is more than a ranking problem: Chrome labels plain-HTTP sites "Not Secure" in the address bar, which kills visitor trust before they read a word.

What a correct SSL setup requires:

| Requirement | Why it matters | How to check |
|-------------|----------------|--------------|
| Valid, unexpired certificate | Expired = browser warning page = visitors leave | Check the expiry date |
| Complete chain | A missing intermediate certificate fails in some browsers and clients | SSL Labs test |
| TLS 1.2 or newer | Older protocol versions are deprecated and exploitable | SSL Labs test |
| No SHA-1 signatures | Deprecated; modern browsers reject it | Certificate details |
| SAN covers every hostname | www and non-www must both be listed | Certificate details |
| Automatic renewal | Prevents surprise expiry | Let's Encrypt with an automated renewal job |

How this pillar scores SSL:

100% = valid certificate + complete chain + TLS 1.3 + secure configuration + automatic renewal
  0% = no certificate, or an expired one

The most common SSL problems:

  1. The certificate expired without anyone noticing. This happens constantly; set an alert at least 30 days before expiry.
  2. The intermediate certificate is missing. The server must send the full chain, not just the leaf certificate; desktop browsers often paper over this while mobile apps and older clients fail.
  3. Mixed content: the HTTPS page loads resources over HTTP.
  4. Redirect loops: HTTP → HTTPS → HTTP because of a misconfigured redirect rule.
  5. www vs non-www mismatch: the certificate covers only one of the two hostnames.

Quick win: Test your domain on SSL Labs (ssllabs.com/ssltest). Some of the results will surprise you; the report says exactly what is wrong, and most of the findings take minutes to fix.

Security Headers

Security headers are HTTP response headers that instruct the browser how to handle your pages: what it may load, where the page may be embedded, and which features scripts may use.

The headers you need:

Content-Security-Policy (CSP)

CSP restricts which resources the browser may load on your pages. It tells the browser which origins you trust for scripts, styles, images and connections, so anything injected from elsewhere is refused. Note that the example policy below allows 'unsafe-inline' styles and any https: image host; both are common compromises when rolling out a first policy, but they widen it, and 'unsafe-inline' in script-src would defeat the XSS protection entirely.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none';

What CSP protects against:

  • Cross-site scripting (XSS): injected scripts from non-allowed sources never run
  • Data exfiltration to endpoints you have not approved (connect-src)
  • Clickjacking (via frame-ancestors)
  • Injected malicious code (cryptominers, ad injectors)

CSP rollout steps:

  1. Start with Content-Security-Policy-Report-Only (reports violations without blocking anything)
  2. Review the violation reports for a week or two
  3. Tighten the policy until legitimate traffic produces no reports
  4. Switch to the enforcing Content-Security-Policy header
  5. Keep report-uri or report-to in place so new violations are noticed

X-Frame-Options

Prevents your pages from being displayed inside an iframe on another site, which is how clickjacking works. The CSP frame-ancestors directive supersedes it in modern browsers; keep both so older browsers are covered too.

X-Frame-Options: DENY

Or, if your own pages need to frame each other:

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

Stops the browser from guessing (sniffing) a MIME type that differs from the Content-Type header.

X-Content-Type-Options: nosniff

This prevents the browser from executing, for example, an uploaded file served as text/plain as if it were a script.

Referrer-Policy

Controls how much referrer information the browser sends with requests that leave your page.

Referrer-Policy: strict-origin-when-cross-origin

This sends the full URL on same-origin requests, only the origin on cross-origin requests, and nothing at all when going from HTTPS to HTTP.

Permissions-Policy

Controls which browser features (camera, microphone, geolocation, payment and others) your page and the frames it embeds may use.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

A third-party script or embedded frame cannot use a feature you have not granted it.

Header implementation (Next.js):

// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
      ]
    }]
  }
}

Server implementation (Apache .htaccess):

Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Header implementation (Nginx):

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Quick win: Add these headers on your server today. It takes a few minutes and removes the findings that every security scanner flags first.

HSTS Preload

HTTP Strict Transport Security (HSTS) tells browsers to connect to your domain only over HTTPS, even when the user types http:// or follows an http:// link, which closes the window for downgrade attacks that a server-side redirect alone leaves open.

The HSTS header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

What each directive does:

| Directive | Meaning |
|-----------|---------|
| max-age=31536000 | Browsers remember the rule for one year (the value is in seconds) |
| includeSubDomains | The rule applies to every subdomain as well |
| preload | You consent to inclusion in the browsers' built-in preload list |

HSTS preload:

Preload goes one step further. Browsers ship with a built-in list of domains they will only ever load over HTTPS, so even the very first request is never sent in clear text. Submitting your domain at hstspreload.org means:

  • Your site is HTTPS-only from the first request; the browser never issues the initial HTTP request that a redirect would answer
  • The rule applies to every subdomain, with no exceptions
  • It is effectively permanent; removal takes months to reach users' browsers

Requirements for preload:

  1. A valid HTTPS certificate
  2. Redirect all HTTP to HTTPS on the same host (subdomains included)
  3. HSTS header with max-age >= 31536000
  4. HSTS header includes includeSubDomains
  5. HSTS header includes preload
  6. Every subdomain served over HTTPS

Warning: Do not add preload unless every subdomain is served over HTTPS. includeSubDomains takes down any subdomain still on plain HTTP (staging, internal tools, legacy hosts), and once the domain is preloaded that cannot be undone quickly.

Quick win: If all your subdomains already use HTTPS, add the full HSTS header and submit your domain at hstspreload.org. Submission is free and takes a few minutes; inclusion ships with subsequent browser releases.

Vulnerability Scanning

Even a well-configured site can be vulnerable through the software it runs. A vulnerability scan looks for the weaknesses an attacker would try first.

What a scan covers:

  • Outdated software: WordPress core, plugins, JavaScript libraries
  • Exposed files: .env, .git, wp-config.php, database dumps
  • Information leakage: server version headers, debug mode, stack traces
  • Weak access control: unprotected admin pages, default passwords

The most common finding by platform:

| Platform | Top vulnerability | Fix |
|----------|-------------------|-----|
| WordPress | Outdated plugins | Automatic updates + WAF |
| Shopify | Third-party app permissions | Review installed apps regularly |
| Next.js | Exposed API routes | Auth middleware + rate limiting |
| Static sites | CDN misconfiguration | Configuration review |
| Custom | SQL injection | Parameterized queries |

Scanning frequency:

  • Daily: automated scanning (SSL, headers, exposed files)
  • Weekly: dependency vulnerability check (npm audit)
  • Monthly: deep scan with authenticated testing
  • After every deploy: regression check

Quick win: Run npm audit (Node.js) or review your CMS plugin list for outdated components. Fix critical and high findings immediately.

Mixed Content

When an HTTPS page loads resources over plain HTTP, the page's protection is undermined: the HTTP resource can be read or modified in transit, and browsers warn or block accordingly.

Types of mixed content:

| Type | Severity | Examples | Browser behaviour |
|------|----------|----------|-------------------|
| Active | High | HTTP script, iframe, stylesheet | Blocked by default |
| Passive | Medium | HTTP image, video, audio | Loaded with a warning |

Current Chrome goes further with passive content: it rewrites the http:// request to https:// and blocks the resource if that upgrade fails, so a passive http:// image on an HTTPS page now breaks rather than merely warns.

Finding mixed content:

  1. Open Chrome DevTools → Console
  2. Look for "Mixed Content" warnings
  3. Or crawl the site with a tool that reports it (Screaming Frog, LANGR)

Common mixed content sources:

  • Hardcoded http:// URLs in content (blog posts, product descriptions)
  • Third-party widgets
  • Embedded content (YouTube old embeds, social media widgets)
  • CSS background-image with HTTP URLs
  • Fonts loaded over HTTP

Fixing mixed content:

<!-- Bad -->
<img src="http://example.com/image.jpg" />

<!-- Good -->
<img src="https://example.com/image.jpg" />

<!-- No longer recommended: a protocol-relative URL follows the page's protocol, which helped
     during HTTP-to-HTTPS migrations, but a page should always be HTTPS now, and this form
     silently loads over HTTP if the page ever is. Use https:// explicitly. -->
<img src="//example.com/image.jpg" />

Database fix (WordPress):

UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');

Take a database backup before running these. Be careful with wp_postmeta and wp_options: many values there are PHP-serialized arrays that embed each string's length, and replacing http:// with https:// changes that length by one and corrupts the value. For those tables use WP-CLI's search-replace command, which rewrites serialized data correctly, rather than a raw SQL REPLACE.

Quick win: Open your homepage in Chrome, press F12, check the Console tab for mixed content warnings. Fix any that appear — these are directly visible to Google.
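The detection and fix steps above, as an added example that is not code from the original post: a scanner that finds http:// subresources in an HTML document, classifies them as active or passive following the table in this section, and rewrites the flagged URLs to https://. It is regex-based so it needs no DOM library and runs as a CI or crawler check; the browser console remains the authority on what the page actually requested. The sample page is constructed.

```javascript
// Added example (not from the original post): find http:// subresources in an HTML
// document, classify them as active or passive, and rewrite the offending URLs to
// https://. Regex-based so it needs no DOM library; a CI/crawler check, not a
// replacement for the browser console, which sees what the page requested at runtime.

const ACTIVE_TAGS = new Set(["script", "iframe", "link", "object", "embed"]);

function findMixedContent(html) {
  const findings = [];
  const tagRe = /<(script|iframe|link|object|embed|img|video|audio|source)\b([^>]*)>/gi;
  for (const m of html.matchAll(tagRe)) {
    const tag = m[1].toLowerCase();
    const u = /\b(?:src|href|data)\s*=\s*["']?(http:\/\/[^"'\s>]+)/i.exec(m[2]);
    if (u) findings.push({ where: `<${tag}>`, url: u[1], type: ACTIVE_TAGS.has(tag) ? "active" : "passive" });
  }
  // CSS from <style> blocks and style="" attributes: fonts and @import are active,
  // background images are passive.
  const css = [...html.matchAll(/<style\b[^>]*>([\s\S]*?)<\/style>/gi), ...html.matchAll(/\bstyle\s*=\s*"([^"]*)"/gi)]
    .map((m) => m[1]).join("\n");
  findings.push(...scanCss(css));
  return findings;
}

function urlsIn(css) {
  return [...css.matchAll(/url\(\s*["']?(http:\/\/[^"')\s]+)/gi)].map((m) => m[1]);
}

function scanCss(css) {
  const out = [];
  let rest = css;
  for (const block of css.match(/@font-face\s*\{[^}]*\}/gi) || []) {
    for (const url of urlsIn(block)) out.push({ where: "@font-face", url, type: "active" });
    rest = rest.replace(block, "");
  }
  for (const m of rest.matchAll(/@import\s+(?:url\(\s*)?["']?(http:\/\/[^"')\s;]+)/gi)) {
    out.push({ where: "@import", url: m[1], type: "active" });
  }
  rest = rest.replace(/@import[^;]*;/gi, "");
  for (const url of urlsIn(rest)) out.push({ where: "css url()", url, type: "passive" });
  return out;
}

// Rewrite only the URLs that were flagged. Safe only if each host actually serves HTTPS;
// verify that first, otherwise the resource breaks instead of merely warning.
function rewriteToHttps(html, findings) {
  let out = html;
  for (const { url } of findings) out = out.split(url).join(url.replace(/^http:/i, "https:"));
  return out;
}

// Constructed sample page: two active and two passive offenders plus one clean image.
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://example.com/site.css">
<script src="http://cdn.example.com/widget.js"></script>
<img src="http://example.com/hero.jpg">
<img src="https://example.com/ok.jpg">
<style>.hero { background-image: url(http://example.com/bg.png); }</style>`;

const found = findMixedContent(SAMPLE_HTML);
console.log(found);
console.log(findMixedContent(rewriteToHttps(SAMPLE_HTML, found)).length);
```

Feed it the rendered HTML of each page (the output of your crawler, or view-source after JavaScript has run), not the template source, because widgets and embeds inject their http:// URLs at runtime.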

Third-Party Script Risks

Every external script you load runs with the same privileges as your own code on the page. If the vendor is compromised, the attacker's code runs on your site and sees everything your users type.

Audit your third-party scripts:

| Script | Necessary? | Risk level | Alternative |
|--------|------------|------------|-------------|
| Google Analytics | Often yes | Low | Server-side tracking |
| Chat widgets | Maybe | Medium | Self-hosted solutions |
| Social share buttons | Rarely | Medium | Static share links |
| A/B testing | Sometimes | High | Server-side testing |
| Retargeting pixels | Business decision | High | First-party data |
| Font CDNs | Convenient | Low | Self-host fonts |

Risk mitigation for essential third-party scripts:

  1. Subresource Integrity (SRI): Hash verification prevents tampered scripts from loading
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAE+sO0..."
        crossorigin="anonymous"></script>
  2. CSP restrictions: Only allow scripts from known domains
  3. Sandboxed iframes: Isolate third-party widgets
  4. Regular audits: Quarterly review of all external resources
  5. Monitoring: Alert on new external domains appearing in your pages

Quick win: List every