
SEO Guide, Part 7: Security (What Google Expects in 2026)

8 min read · by LANGR SEO

SEO Guide, Part 7: Security

This is Part 7 of the 13-part SEO guide. Security is not an extra you add for users' sake alone; it directly affects how your site fares in search, now and in the future. Google has used HTTPS as a ranking signal since 2014, and its expectations have only grown since.


Most site owners think of security as binary: "We have SSL, so we are secure." In reality, Google weighs dozens of security signals, from HTTPS and security headers to the details of your SSL configuration.

The good news: most security fixes are one-time work. Set them up once and they protect you permanently.

SSL Configuration

SSL (technically TLS these days) encrypts the connection between your visitors' browsers and your server. In 2026, a site without HTTPS is simply not acceptable in search.

SSL checklist:

| Item | Requirement |
|------|-------------|
| Certificate | Valid and not expired |
| Hostname coverage | Certificate covers both the www and the non-www hostname |
| Auto-renewal | Configured (Let's Encrypt / provider config) |

SSL score:

100% = valid certificate + complete certificate chain + TLS 1.3 + modern cipher suites
  0% = no working HTTPS at all

Common SSL errors:

  1. Expired certificate: browsers refuse the connection outright
  2. Incomplete chain: the server must send the intermediate certificates, not just the leaf
  3. Hostname mismatch: the certificate covers one hostname (for example www) but not the other

Quick win: Run your domain through SSL Labs (ssllabs.com/ssltest). Anything below an "A" rating has actionable issues. Most hosting providers fix these with one click.

Security Headers


HSTS Preload

HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for your domain, even when the user typed or followed an http:// link. Without HSTS, the first request of a visit may still go over HTTP (vulnerable to interception) before the redirect to HTTPS happens.

HSTS header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The three directives:

| Directive | Meaning |
|-----------|---------|
| max-age=31536000 | Remember this for 1 year (in seconds) |
| includeSubDomains | Apply to all subdomains too |
| preload | Request inclusion in browser preload lists |

HSTS preload list:

The ultimate HSTS protection. Browsers ship with a built-in list of domains that must always use HTTPS. Submitting your domain to hstspreload.org means:

  • First-time visitors get HTTPS immediately (no HTTP → HTTPS redirect)
  • Impossible for attackers to downgrade connections
  • Permanent (difficult to remove once submitted)

Requirements for HSTS preload:

  1. Valid HTTPS certificate
  2. Redirect all HTTP to HTTPS (including subdomains)
  3. HSTS header with max-age >= 31536000
  4. HSTS header includes includeSubDomains
  5. HSTS header includes preload
  6. All subdomains must support HTTPS

Warning: Only submit to preload if ALL your subdomains support HTTPS. The includeSubDomains directive means any HTTP-only subdomain will become inaccessible.

Quick win: If you already have HTTPS on all subdomains, add the full HSTS header and submit to hstspreload.org. Processing takes a few weeks but the protection is permanent.

Vulnerability Scanning

Automated vulnerability scanning identifies known security issues in your stack before attackers exploit them.

What vulnerability scanning checks:

  • Outdated software: WordPress, plugins, JavaScript libraries with known CVEs
  • Exposed files: .env, .git, wp-config.php, database dumps
  • Information leakage: Server version headers, debug mode, stack traces
  • Default credentials: Admin pages without auth, default passwords
  • Open ports/services: Unnecessary services exposed to the internet
  • Injection points: Forms without CSRF protection, unvalidated inputs

Common vulnerabilities by platform:

| Platform | Top Vulnerability | Fix |
|----------|-------------------|-----|
| WordPress | Outdated plugins | Auto-update + WAF |
| Shopify | Third-party app permissions | Audit app list quarterly |
| Next.js | Exposed API routes | Auth middleware + rate limiting |
| Static sites | CDN misconfiguration | Review cache rules |
| Custom | SQL injection | Parameterized queries |

Scanning frequency:

  • Daily: Automated surface scan (SSL, headers, exposed files)
  • Weekly: Dependency vulnerability check (npm audit, WordPress plugin scanner)
  • Monthly: Deep scan with authenticated testing
  • After every deploy: Regression check

Quick win: Run npm audit (Node.js) or check your CMS plugin list for outdated components. Fix critical/high severity issues immediately.

Mixed Content

Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets, iframes) over HTTP. This partially breaks encryption and triggers browser warnings.

Types of mixed content:

| Type | Severity | Example | Browser Behavior |
|------|----------|---------|------------------|
| Active | High | HTTP script, iframe, CSS | Blocked by default |
| Passive | Medium | HTTP image, video, audio | Loaded with warning |

Active mixed content is blocked by modern browsers — meaning your scripts and styles simply won't load. Passive mixed content loads but shows security warnings.

Finding mixed content:

  1. Open Chrome DevTools → Console
  2. Look for "Mixed Content" warnings
  3. Alternatively, scan with a crawler (Screaming Frog, LANGR)

Common mixed content sources:

  • Hardcoded http:// URLs in content (blog posts, product descriptions)
  • Third-party widgets loading HTTP resources
  • Embedded content (YouTube old embeds, social media widgets)
  • CSS background-image with HTTP URLs
  • Fonts loaded over HTTP

Fixing mixed content:

```html
<!-- Bad -->
<img src="http://example.com/image.jpg" />

<!-- Good -->
<img src="https://example.com/image.jpg" />

<!-- Best (protocol-relative, adapts to page protocol) -->
<img src="//example.com/image.jpg" />
```

Database fix (WordPress). Note that wp_postmeta often holds PHP-serialized values whose embedded string lengths no longer match after a plain REPLACE (https is one character longer than http), so for postmeta prefer a serialization-aware tool such as WP-CLI's `search-replace` command:

```sql
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');
```

Quick win: Open your homepage in Chrome, press F12, check the Console tab for mixed content warnings. Fix any that appear — these are directly visible to Google.
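The DevTools check above is manual; the following script automates it over a saved HTML page, flagging http:// subresources and classifying them as active or passive according to the table in this section. It is an added example, not code from LANGR or its crawler, and the sample page is constructed.

```python
"""Find mixed content in an HTTPS page: subresources referenced with http://
URLs, classified as active or passive as in the table above. Added example,
not LANGR's code; the sample HTML is constructed."""
import re
from html.parser import HTMLParser

# Tag/attribute pairs that fetch a subresource, with the severity the table
# assigns: browsers block active content and only warn on passive content.
CHECKS = {
    ("script", "src"): "active", ("iframe", "src"): "active", ("link", "href"): "active",
    ("img", "src"): "passive", ("video", "src"): "passive",
    ("audio", "src"): "passive", ("source", "src"): "passive",
}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (severity, element, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        for (t, a), severity in CHECKS.items():
            if tag != t:
                continue
            if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
                continue  # only a stylesheet <link> is active content
            url = attrs.get(a) or ""
            # https:// and protocol-relative (//) URLs are fine on an HTTPS page
            if url.lower().startswith("http://"):
                self.findings.append((severity, tag, url))
        # Inline CSS background-image with an HTTP URL counts as passive
        for m in CSS_URL.finditer(attrs.get("style") or ""):
            self.findings.append(("passive", f"{tag}[style]", m.group(1)))


def find_mixed_content(html: str) -> list:
    parser = MixedContentFinder()
    parser.feed(html)
    return parser.findings


# Constructed page with two active and two passive mixed-content references.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
<script src="HTTP://cdn.example.test/old.js"></script>
</head><body>
<img src="http://images.example.test/hero.jpg">
<img src="//images.example.test/logo.png">
<div style="background-image:url('http://images.example.test/bg.png')"></div>
</body></html>"""

if __name__ == "__main__":
    for severity, element, url in find_mixed_content(SAMPLE):
        print(f"{severity:7} {element:12} {url}")
```

Run it against each template and a sample of content pages; the active findings are the ones that silently break your site, so fix those first.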

Third-Party Script Risks

Every external script you load is a potential security (and performance) liability. Third-party scripts can:

  • Be compromised (supply chain attacks)
  • Track your users without consent (GDPR violation)
  • Slow your site (render-blocking, network latency)
  • Break functionality (version updates, outages)
  • Inject unwanted content (ad scripts gone wrong)

Audit your third-party scripts:

| Script | Necessary? | Risk Level | Alternative |
|--------|-----------|------------|-------------|
| Google Analytics | Often yes | Low | Server-side tracking |
| Chat widgets | Maybe | Medium | Self-hosted solutions |
| Social share buttons | Rarely | Medium | Static share links |
| A/B testing | Sometimes | High | Server-side testing |
| Retargeting pixels | Business decision | High | First-party data |
| Font CDNs | Convenient | Low | Self-host fonts |

Risk mitigation for essential third-party scripts:

  1. Subresource Integrity (SRI): Hash verification prevents tampered scripts from loading

```html
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAE+sO0..."
        crossorigin="anonymous"></script>
```

  2. CSP restrictions: Only allow scripts from known domains
  3. Sandboxed iframes: Isolate third-party widgets
  4. Regular audits: Quarterly review of all external resources
  5. Monitoring: Alert on new external domains appearing in your pages
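To show what the integrity attribute in item 1 actually does, here is an added example (not LANGR's code) that generates an SRI value for a file and then reproduces the browser's accept/reject decision, including the rule that only the strongest listed algorithm counts when several hashes are given. The library body is a constructed stand-in for a CDN-hosted script.

```python
"""Generate and verify Subresource Integrity values. Added example, not
LANGR's code; LIB is a constructed stand-in for a CDN-hosted library."""
import base64
import hashlib

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # algorithms SRI accepts


def integrity_for(body: bytes, alg: str = "sha384") -> str:
    """Value to put in the integrity attribute for this exact file content."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"


def sri_allows(body: bytes, integrity: str) -> bool:
    """Mimic the browser: among the listed hashes, only those using the
    strongest recognised algorithm are compared; the body loads if one matches."""
    candidates = []
    for token in integrity.split():
        alg, _, b64 = token.partition("-")
        alg = alg.lower()
        if alg in STRENGTH:
            candidates.append((alg, b64))
    if not candidates:
        return True  # no usable hash: browsers load the resource unchecked
    strongest = max(STRENGTH[a] for a, _ in candidates)
    for alg, b64 in candidates:
        if STRENGTH[alg] == strongest and integrity_for(body, alg) == f"{alg}-{b64}":
            return True
    return False


# Constructed library body and a modified copy (one extra statement).
LIB = b"window.greet = function (n) { return 'hi ' + n; };\n"
MODIFIED = LIB + b"console.log('changed');\n"

if __name__ == "__main__":
    tag = integrity_for(LIB)
    print(f'<script src="https://cdn.example.test/lib.js" integrity="{tag}" crossorigin="anonymous"></script>')
    print("original loads:", sri_allows(LIB, tag), "| modified loads:", sri_allows(MODIFIED, tag))
```

Because the hash pins one exact file, SRI only works with versioned CDN URLs; a "latest" URL that updates in place will start failing the check, which is the behaviour you want. The `crossorigin="anonymous"` attribute is required for cross-origin scripts or the browser cannot perform the check.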

Quick win: List every