
SEO Guide Step 7: Security, the Step Google Is Thinking About in 2026

14 min read · by LANGR SEO

SEO Guide Step 7: Security

This is Step 7 of the 13-step SEO Guide. Security is not only about protecting users; it directly affects your rankings. Google has used HTTPS as a ranking signal since 2014, and expectations have only grown since.


Most site owners treat security as binary: "We have SSL, so we're secure." In reality, Google evaluates thousands of security signals. Sites with proper security headers, valid certificates and no mixed content rank better than sites with nothing more than a basic SSL certificate, all else being equal.

The good news: most security fixes are easy to set up. Configure them once and they protect your rankings for good.

SSL Setup

SSL (formally TLS) encrypts the connection between your server and your visitors. Google confirmed HTTPS as a ranking signal in 2014. In 2026, lacking HTTPS is not just a ranking problem: Chrome marks HTTP pages as "Not Secure" in the address bar, which erodes user trust.

Requirements for a proper SSL setup:

| Requirement | Why | How to check |
|-------------|-----|--------------|
| Valid certificate | Expired = browser warning = users bounce | Check the expiry date |
| Complete chain | An incomplete chain fails on some devices | SSL Labs test |
| TLS 1.2+ | Older versions have known weaknesses | SSL Labs test |
| No SHA-1 | Deprecated; browsers reject it | Certificate details |
| SAN coverage | Both www and non-www must be covered | Certificate details |
| Auto-renewal | Prevents expiry disasters | Configure Let's Encrypt / your provider |

SSL score:

100% = valid certificate + complete chain + TLS 1.3 + strong cipher suites + auto-renewal
  0% = expired or missing certificate

Common SSL mistakes:

  1. Certificate expires without warning: set up monitoring (Step 6) that alerts at least 30 days before expiry
  2. Incomplete certificate chain: the server must send the intermediate certificates, not just the leaf
  3. Mixed content: an HTTPS page loading HTTP resources (images, scripts, styles)
  4. Redirect loops: HTTP → HTTPS → HTTP redirects caused by a misconfigured CDN or proxy
  5. www vs non-www mismatch: the certificate covers one hostname but not the other

Quick win: run your domain through SSL Labs (ssllabs.com/ssltest). Anything below an "A" has actionable issues. Most hosting providers fix these with a single click.
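The checks from the requirements table and the mistakes list, as an added example (not code from the original post): it evaluates a certificate for expiry within the 30-day alert window and for SAN coverage of both the bare and www hostnames, and the live check relies on the standard library's default verification to fail on an incomplete chain and refuses anything below TLS 1.2. The two sample certificates and the reference date are constructed for illustration; `check_live` needs network access and is not exercised offline.

```python
import ssl
import socket
from datetime import datetime, timezone

MIN_DAYS_BEFORE_EXPIRY = 30  # alert lead time recommended in the text

# Constructed samples in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {"notAfter": "Jun 1 12:00:00 2030 GMT",
               "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com"))}
SAMPLE_CERT_EXPIRING = {"notAfter": "Jan 20 00:00:00 2026 GMT",
                        "subjectAltName": (("DNS", "*.example.com"),)}
SAMPLE_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)

def san_covers(cert, hostname):
    """True if a SAN DNS entry matches exactly or via a single-label wildcard."""
    host = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        name = name.lower()
        if kind != "DNS":
            continue
        if name == host:
            return True
        # *.example.com covers www.example.com but not example.com itself
        if name.startswith("*.") and host.endswith(name[1:]) and host.count(".") == name.count("."):
            return True
    return False

def evaluate_cert(cert, domain, now=None):
    """Apply the requirements table: not expired or expiring soon, www and bare domain covered."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    issues = []
    if days_left < 0:
        issues.append("certificate expired")
    elif days_left < MIN_DAYS_BEFORE_EXPIRY:
        issues.append(f"certificate expires in {days_left} days")
    for host in (domain, "www." + domain):
        if not san_covers(cert, host):
            issues.append(f"SAN does not cover {host}")
    return issues

def check_live(domain, port=443):
    """Connect with default verification (an incomplete chain or untrusted issuer
    raises ssl.SSLError), refuse anything below TLS 1.2, then evaluate the leaf."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((domain, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return tls.version(), evaluate_cert(tls.getpeercert(), domain)
```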

Security Headers

Security headers are HTTP response headers that instruct browsers how to behave while loading your pages. They prevent whole classes of attacks, and Google's crawlers check for them.

The essential security headers:

Content Security Policy (CSP)

CSP is the most powerful security header. It tells browsers exactly which resources (scripts, styles, images, fonts) are allowed to load on your pages.

```http
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none';
```

What CSP prevents:

  • Cross-site scripting (XSS) attacks
  • Data injection attacks
  • Clickjacking (via frame-ancestors)
  • Execution of unauthorized scripts (cryptominers, ad injectors)

CSP rollout strategy:

  1. Start with Content-Security-Policy-Report-Only (logs violations without blocking anything)
  2. Monitor the reports for 1-2 weeks
  3. Add the legitimate sources to the policy
  4. Switch to enforcing mode
  5. Add report-uri or report-to so violations keep being logged
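Steps 2 and 3 of the rollout are easier with a summary of what the report-only policy is flagging. This added example (not code from the original post) reads logged violation reports in both the legacy report-uri shape and the Reporting API (report-to) shape, collapses blocked URLs to the origin you would add to the policy, and counts them by directive. The sample reports are constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: one JSON document per line, as a report endpoint would log
# them. Lines 1, 2 and 4 use the legacy report-uri shape; line 3 uses the
# Reporting API (report-to) shape, which posts an array of reports.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://example.com/", "effective-directive": "script-src", "blocked-uri": "https://cdn.example.com/lib.js?v=3"}}',
    '{"csp-report": {"document-uri": "https://example.com/", "violated-directive": "script-src \'self\'", "blocked-uri": "https://cdn.example.com/other.js"}}',
    '[{"type": "csp-violation", "body": {"documentURL": "https://example.com/a", "effectiveDirective": "img-src", "blockedURL": "http://img.example.org/x.png"}}]',
    '{"csp-report": {"document-uri": "https://example.com/", "effective-directive": "script-src", "blocked-uri": "inline"}}',
]

# Keyword values need a code change rather than an allow-list entry.
SPECIAL = {"inline": "inline script (use a nonce or hash, not 'unsafe-inline')",
           "eval": "eval (refactor; avoid 'unsafe-eval')", "data": "data:", "blob": "blob:"}

def normalize(blocked):
    """Reduce a blocked URI to the source expression that would allow it."""
    if blocked in SPECIAL:
        return SPECIAL[blocked]
    parts = urlsplit(blocked)  # drop path and query: CSP sources are origins
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else blocked

def parse_reports(lines):
    """Yield (effective directive, blocked URI) pairs from either report shape."""
    for line in lines:
        doc = json.loads(line)
        for item in (doc if isinstance(doc, list) else [doc]):
            if "csp-report" in item:
                body = item["csp-report"]
                directive = body.get("effective-directive") or body.get("violated-directive", "")
                yield (directive.split() or [""])[0], body.get("blocked-uri", "")
            elif item.get("type") == "csp-violation":
                body = item["body"]
                yield body.get("effectiveDirective", ""), body.get("blockedURL", "")

def summarize(lines):
    """Return [(directive, source, count)] by frequency, so the noisiest
    legitimate sources can be added to the policy first (step 3)."""
    counts = Counter((d, normalize(b)) for d, b in parse_reports(lines))
    return [(d, s, n) for (d, s), n in counts.most_common()]
```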

X-Frame-Options

Prevents your pages from being embedded in iframes on other domains (clickjacking protection).

```http
X-Frame-Options: DENY
```

Or, if you need to allow same-origin framing:

```http
X-Frame-Options: SAMEORIGIN
```

X-Content-Type-Options

Stops browsers from MIME-sniffing (interpreting a file as a different type than the one declared).

```http
X-Content-Type-Options: nosniff
```

This one line prevents attacks in which a file served as .jpg carries hidden JavaScript that the browser might otherwise execute.

Referrer Policy

Controls how much referrer information is sent when users click links on your site.

```http
Referrer-Policy: strict-origin-when-cross-origin
```

This sends the full URL for same-origin requests but only the origin (domain) for cross-origin requests. It balances analytics needs with privacy.

Permissions Policy

Controls which browser features (camera, microphone, location) may be used on your pages.

```http
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
```

Disabling unused features keeps scripts from abusing them.

Example header implementation (Next.js):

```javascript
// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)', // apply to every route
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
      ]
    }]
  }
}
```

Header implementation (Apache .htaccess, requires mod_headers):

```apache
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
```

Header implementation (Nginx):

```nginx
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
```

Quick win: add all 5 headers above to your server configuration. It takes 5 minutes and improves your security score in every checker.

HSTS Preload

HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for your domain, even before the first request is made. Without HSTS, the first visit to your site can go over HTTP (where it is exposed to interception) before being redirected to HTTPS.

The HSTS header:

```http
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```

The three directives:

| Directive | Meaning |
|-----------|---------|
| max-age=31536000 | Remember this for 1 year (in seconds) |
| includeSubDomains | Apply to all subdomains as well |
| preload | Request inclusion in the browser preload list |

The HSTS preload list:

The strongest form of HSTS protection. Browsers ship with a hardcoded list of domains that must use HTTPS. Submitting your domain to hstspreload.org means:

  • First-time visitors get HTTPS immediately (no HTTP → HTTPS redirect)
  • Attackers cannot downgrade the connection
  • It is permanent (hard to remove once submitted)

Requirements for HSTS preload:

  1. A valid HTTPS certificate
  2. All HTTP redirected to HTTPS (including subdomains)
  3. An HSTS header with max-age >= 31536000
  4. The HSTS header includes includeSubDomains
  5. The HSTS header includes preload
  6. All subdomains support HTTPS

Warning: only add preload once ALL of your subdomains support HTTPS. The includeSubDomains directive means any HTTP-only subdomain becomes unreachable.

Quick win: if you have HTTPS on all subdomains, add the full HSTS header and submit to hstspreload.org. Inclusion takes a few weeks, but the protection is lasting.
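An added example (not code from the original post) covering both the "add all 5 headers" quick win and preload requirements 3 to 5: it audits a response's headers for presence and for weak values, and parses the HSTS value the way the preload checklist reads it. The sample response is constructed for illustration; the header names and acceptable values are the ones the sections above prescribe.

```python
ONE_YEAR = 31536000  # max-age floor required by hstspreload.org

# The headers from the server configs above, each with an acceptance test.
REQUIRED = {
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip().lower() not in ("", "unsafe-url"),
    "permissions-policy": lambda v: v.strip() != "",
}

# Constructed sample of a preload-ready response.
SAMPLE_GOOD = {"X-Content-Type-Options": "nosniff", "X-Frame-Options": "SAMEORIGIN",
               "Referrer-Policy": "strict-origin-when-cross-origin",
               "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
               "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}

def parse_hsts(value):
    """Split 'max-age=N; includeSubDomains; preload' into its directives."""
    out = {"max_age": None, "includeSubDomains": False, "preload": False}
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            out["max_age"] = int(val)
        elif name == "includesubdomains":  # directive names are case-insensitive
            out["includeSubDomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out

def audit_headers(headers):
    """Return findings for one response (header name -> value, any case);
    [] means every header is present and the HSTS value is preload-ready."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, ok in REQUIRED.items():
        if name not in lower:
            findings.append(f"{name}: missing")
        elif not ok(lower[name]):
            findings.append(f"{name}: weak value '{lower[name]}'")
    # Preload checklist items 3 to 5; a missing header fails all three.
    hsts = parse_hsts(lower.get("strict-transport-security", ""))
    if hsts["max_age"] is None or hsts["max_age"] < ONE_YEAR:
        findings.append(f"strict-transport-security: max-age must be at least {ONE_YEAR}")
    for flag in ("includeSubDomains", "preload"):
        if not hsts[flag]:
            findings.append(f"strict-transport-security: {flag} missing")
    return findings
```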

Vulnerability Scanning

Automated vulnerability scanning finds known security problems in your stack before attackers can exploit them.

What a vulnerability scan checks:

  • Outdated software: WordPress, plugins, JavaScript libraries with known CVEs
  • Exposed files: .env, .git, wp-config.php, database backups
  • Information disclosure: server version headers, debug mode, stack traces
  • Default settings: admin pages without authentication, default passwords
  • Open ports and services: unneeded services exposed to the internet
  • Input handling issues: forms without CSRF protection, unvalidated input

Common mistakes by platform:

| Platform | Main weakness | Fix |
|----------|---------------|-----|
| WordPress | Outdated plugins | Auto-updates + WAF |
| Shopify | Third-party app permissions | Review the app list quarterly |
| Next.js | Exposed API routes | Auth middleware + rate limiting |
| Static sites | CDN misconfiguration | Review cache rules |
| Custom builds | SQL injection | Parameterized queries |

Scan cadence:

  • Daily: automated baseline scan (SSL, headers, exposed files)
  • Weekly: dependency vulnerability scan (npm audit, WordPress plugin checker)
  • Monthly: deep scan with penetration testing
  • After every deploy: re-scan

Quick win: run npm audit (Node.js) or check your CMS plugin list for outdated items. Fix critical and high findings immediately.

Mixed Content

Mixed content occurs when an HTTPS page loads resources (images, scripts, styles, iframes) over HTTP. It breaks the encryption guarantee and triggers browser warnings.

Types of mixed content:

| Type | Severity | Example | Browser behaviour |
|------|----------|---------|-------------------|
| Active | High | HTTP script, iframe, CSS | Blocked by default |
| Passive | Medium | HTTP image, video, audio | Loaded with a warning |

Active mixed content is blocked by modern browsers, which means your scripts and styles simply will not load. Passive mixed content loads but shows a security warning.

Finding mixed content:

  1. Open Chrome DevTools → Console
  2. Look for "Mixed Content" warnings
  3. Or crawl the site with a checker (Screaming Frog, LANGR)

Common sources of mixed content:

  • Hand-typed http:// URLs in content (blog posts, product descriptions)
  • Third-party widgets that load HTTP resources
  • Embedded content (old YouTube embeds, social media widgets)
  • CSS background-image with HTTP URLs
  • Fonts loaded over HTTP

Fixing mixed content:

```html
<!-- Bad -->
<img src="http://example.com/image.jpg" />

<!-- Good -->
<img src="https://example.com/image.jpg" />

<!-- Best (protocol-relative, matches the page's own scheme) -->
<img src="//example.com/image.jpg" />
```

Database fix (WordPress):

```sql
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
-- Caution: meta_value often holds PHP-serialized data with inline string lengths; a plain
-- REPLACE corrupts it. Use a serialization-aware tool (e.g. WP-CLI search-replace) for this table.
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');
```

Quick win: open your home page in Chrome, press F12 and check the Console for mixed-content warnings. Fix every one that appears; they are visible to Google directly.
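The console check above works one page at a time; the same classification can be run over fetched HTML. This added example (not code from the original post) parses a page, resolves each resource URL against the page URL so that relative and protocol-relative references are correctly treated as HTTPS, and reports every HTTP resource as active or passive per the table. The sample page is constructed for illustration; CSS url() images are classified as passive here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Classification from the table above: active content is blocked outright,
# passive content loads with a warning. CSS url() images count as passive.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("video", "src"), ("audio", "src"), ("source", "src")}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.IGNORECASE)

# Constructed sample page: two active and two passive findings; the HTTPS
# script and the protocol-relative image are clean.
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="http://cdn.example.com/site.css">
<style>.hero { background-image: url(http://img.example.com/bg.jpg); }</style>
<script src="https://cdn.example.com/app.js"></script></head>
<body><img src="http://example.com/old.jpg"><img src="//example.com/ok.jpg">
<iframe src="http://video.example.net/embed/1"></iframe></body></html>"""

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.in_style, self.findings = page_url, False, []
    def _check(self, tag, attr, value):
        url = urljoin(self.page_url, value.strip())  # relative and // URLs inherit https
        if urlsplit(url).scheme != "http":
            return
        if (tag, attr) in ACTIVE:
            self.findings.append(("active", tag, url))
        elif (tag, attr) in PASSIVE:
            self.findings.append(("passive", tag, url))
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.in_style = tag == "style"  # only the text directly inside <style> is CSS
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # icons, preloads etc. are not stylesheets; skip them here
        for attr in ("src", "href", "data"):
            if a.get(attr):
                self._check(tag, attr, a[attr])
        for url in CSS_URL.findall(a.get("style") or ""):
            self.findings.append(("passive", "style", url))
    def handle_data(self, data):
        if self.in_style:
            self.findings.extend(("passive", "css", u) for u in CSS_URL.findall(data))

def scan(html, page_url="https://example.com/"):
    """Return [(severity, tag, url)] for every HTTP resource an HTTPS page would load."""
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    return parser.findings
```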

Third-Party Script Risks

Every external script you load is a potential security (and performance) risk. Third-party scripts can:

  • Be compromised (supply-chain attacks)
  • Track your users without consent (GDPR exposure)
  • Slow your site down (render blocking, network latency)
  • Break functionality (version updates, outages)
  • Inject unwanted content (rogue ad scripts)

Auditing third-party scripts:

| Script | Needed? | Risk level | Alternative |
|--------|---------|------------|-------------|
| Google Analytics | Usually yes | Low | Server-side tracking |
| Chat widgets | Maybe | Medium | Self-hosted solution |
| Social share buttons | Rarely | Medium | Static share links |
| A/B testing | Maybe | High | Server-side testing |
| Retargeting pixels | Business decision | High | First-party data |
| Font CDNs | Convenient | Low | Self-hosted fonts |

How to reduce the risk of the third-party scripts you do need:

  1. Subresource Integrity (SRI): hash verification stops a modified script from loading

```html
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAE+sO0..."
        crossorigin="anonymous"></script>
```

  2. CSP: only allow scripts from known domains
  3. Sandboxed iframes: isolate third-party widgets
  4. Regular audits: review all external resources quarterly
  5. Monitoring: alert on new external domains appearing on your site
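How the SRI check in item 1 works, as an added example (not code from the original post): it generates the integrity value for a script body and verifies a fetched body against an integrity attribute the way browsers do, including attributes that list several hashes. The script bytes are constructed for illustration, and `audit_script_tag` is a hypothetical helper for the quarterly audit in item 4.

```python
import base64
import hashlib

ALGORITHMS = ("sha256", "sha384", "sha512")  # the only algorithms SRI accepts

# Constructed sample: the bytes a CDN serves for lib.js, and a copy altered on the CDN.
SAMPLE_LIB = b"window.widget = function () { return 'hello'; };\n"
TAMPERED_LIB = SAMPLE_LIB + b"// one extra line changes every digest\n"

def sri_hash(content, algorithm="sha384"):
    """Produce the integrity attribute value '<alg>-<base64 digest>' for a
    resource body: the value to paste into the <script> tag above."""
    if algorithm not in ALGORITHMS:
        raise ValueError("SRI supports only sha256, sha384 and sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode()}"

def sri_matches(content, integrity):
    """Apply the browser's rule: ignore unknown tokens, keep only the strongest
    algorithm listed, and pass if any token of that algorithm matches."""
    tokens = [t for t in integrity.split() if t.partition("-")[0] in ALGORITHMS]
    if not tokens:
        return True  # nothing the browser can check: the attribute is inert
    alg = ALGORITHMS[max(ALGORITHMS.index(t.partition("-")[0]) for t in tokens)]
    # Options may follow a '?' (sha384-...?opt); they do not change the digest.
    wanted = {t.partition("-")[2].split("?")[0] for t in tokens if t.startswith(alg + "-")}
    return sri_hash(content, alg).partition("-")[2] in wanted

def audit_script_tag(src, integrity, body):
    """One line of the quarterly audit for a third-party <script> tag."""
    if not src.startswith("https://"):
        return "not loaded over HTTPS"
    if not integrity:
        return "no integrity attribute: a modified script would still load"
    if sri_matches(body, integrity):
        return "integrity verified"
    return "integrity mismatch: the browser would refuse to run this script"
```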

Quick win: List every