
SEO Guide Step 7: Security: The Baseline Google Expects in 2026

10 min read · by LANGR SEO


This is Step 7 of the 13-step SEO Guide. Security is not just about protecting users; it directly affects your search rankings. Google has used HTTPS as a ranking signal since 2014, and expectations have kept growing.


Many site owners think of security as binary: "We have SSL, so we're secure." In reality, Google evaluates many security signals. Sites with proper security headers, valid certificates, and no mixed content rank higher than sites with only basic SSL, all else being equal.

The good news: most security fixes are a one-time configuration. Set them up once, and they protect your rankings permanently.

SSL Configuration

SSL (technically TLS) encrypts the connection between your server and your users. Since 2014, Google has confirmed HTTPS as a ranking signal. In 2026, not having HTTPS is not just a ranking issue: Chrome labels HTTP sites as "Not Secure" in the address bar, which destroys user trust.

Requirements for a proper SSL configuration:

| Requirement | Why | How to Check |
|-------------|-----|--------------|
| Valid certificate | Expired = browser warning = users leave | Check the expiry date |
| Complete chain | An incomplete chain fails on some devices | SSL Labs test |
| TLS 1.2+ | Older versions have known vulnerabilities | SSL Labs test |
| No SHA-1 | Known weakness; browsers reject it | Certificate details |
| SAN coverage | www and non-www must both be covered | Certificate details |
| Auto-renewal | Prevents expiry problems | Let's Encrypt / hosting provider settings |

SSL scoring:

100% = Valid cert + Complete chain + TLS 1.3 + Strong cipher + Auto-renewal
  0% = Expired or missing cert

Common SSL mistakes:

  1. Certificate expires without warning: set up monitoring (Step 6) at least 30 days before expiry
  2. Incomplete certificate chain: the server must send the intermediate certificates, not just the leaf
  3. Mixed content: an HTTPS page loads HTTP resources (images, scripts, stylesheets)
  4. Redirect loops: HTTP → HTTPS → HTTP cycles caused by CDN/proxy misconfiguration
  5. www / non-www mismatch: the certificate covers one but not the other

Quick win: Run your domain through SSL Labs (ssllabs.com/ssltest). Anything below an "A" grade has issues worth fixing. Most hosts fix these in six clicks.

Security Headers

Security headers are HTTP response headers that tell browsers how to behave when loading your site. They block whole classes of attacks, and Google's crawlers check for them.

Required security headers:

Content-Security-Policy (CSP)

CSP is the most powerful security header. It tells browsers which sources (scripts, styles, images, fonts) are allowed to load on your pages.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none';

What CSP prevents:

  • Cross-site scripting (XSS)
  • Data injection
  • Clickjacking (via frame-ancestors)
  • Execution of unauthorized scripts (cryptominers, ad injectors)

CSP rollout plan:

  1. Start with Content-Security-Policy-Report-Only (logs violations without blocking)
  2. Monitor the reports for 1 to 2 days
  3. Allowlist the legitimate sources
  4. Switch to enforcement mode
  5. Add report-uri or report-to so you keep catching issues
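
Steps 2 and 3 of the rollout plan come down to triaging violation reports. The following is an added example, not code from the original article: it groups reports in the legacy report-uri JSON shape by directive and blocked source and labels each group. The sample reports, host names and action labels are constructed for illustration.

```javascript
// Constructed sample reports in the legacy report-uri JSON shape ("csp-report" wrapper).
const sampleReports = [
  { 'csp-report': { 'effective-directive': 'script-src', 'blocked-uri': 'https://cdn.example.com/lib.js' } },
  { 'csp-report': { 'effective-directive': 'script-src', 'blocked-uri': 'https://cdn.example.com/app.js' } },
  { 'csp-report': { 'violated-directive': "script-src 'self'", 'blocked-uri': 'inline' } },
  { 'csp-report': { 'effective-directive': 'img-src', 'blocked-uri': 'http://tracker.invalid/p.gif' } },
  { 'not-a-report': true },
];

function summarizeCspReports(reports) {
  const counts = new Map();
  for (const report of reports) {
    const body = report && report['csp-report'];
    if (!body) continue; // ignore malformed submissions
    // Older browsers send only violated-directive, sometimes with the full directive text.
    const directive = String(body['effective-directive'] || body['violated-directive'] || 'unknown').split(/\s+/)[0];
    const blocked = String(body['blocked-uri'] || 'unknown');
    let source = blocked; // keywords such as "inline" or "eval" are not URLs
    try {
      const url = new URL(blocked);
      source = url.origin === 'null' ? url.protocol : url.origin; // data: and blob: have no origin
    } catch { /* not a URL: keep the keyword */ }
    const key = `${directive} ${source}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts].map(([key, count]) => {
    const [directive, source] = key.split(' ');
    let action = 'investigate'; // http:, data:, unknown sources need a closer look
    if (source.startsWith('https://')) action = 'candidate-for-allowlist';
    else if (source === 'inline' || source === 'eval') action = 'refactor-page-code';
    return { directive, source, count, action };
  }).sort((a, b) => b.count - a.count);
}

console.log(summarizeCspReports(sampleReports));
```

A group marked candidate-for-allowlist still needs a human to confirm the origin is one the site intends to load from before it goes into the policy.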

X-Frame-Options

Prevents your site from being embedded in a frame on any other site (clickjacking protection).

X-Frame-Options: DENY

Or, if you need to allow same-origin framing:

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

Prevents browsers from MIME-type sniffing (interpreting files as a different type than the one declared).

X-Content-Type-Options: nosniff

This header blocks attacks where a .jpg file contains hidden JavaScript, so that browsers cannot execute it.

Referrer-Policy

Controls what referrer information is sent when users follow links from your site.

Referrer-Policy: strict-origin-when-cross-origin

This sends the full URL to same-origin destinations, but only the origin (domain) for cross-origin requests. It balances analytics needs with privacy.

Permissions-Policy

Controls which browser features (camera, microphone, location, etc.) can be used on your site.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

Disabling features you do not use prevents third-party scripts from accessing them.

Example implementation (Next.js):

// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
      ]
    }]
  }
}

Header configuration (Apache .htaccess):

Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Header configuration (Nginx):

# add_header is inherited from the enclosing level only when the current level
# defines no add_header of its own; repeat these in any location that adds headers.
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Quick win: Add all 5 headers above to your server configuration. This takes five minutes and significantly improves your security posture in any scanning tool.

HSTS Preload

HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for your domain, even before making the first request. Without HSTS, the first visit to your site may still use HTTP (vulnerable to interception) before being redirected to HTTPS.

The HSTS header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The three directives:

| Directive | Meaning |
|-----------|---------|
| max-age=31536000 | Remember this for one year (in seconds) |
| includeSubDomains | Apply to all subdomains |
| preload | Request inclusion in the browser preload list |

The HSTS preload list:

The strongest form of HSTS protection. Browsers ship with a built-in list of domains that must use HTTPS. Submitting your domain to hstspreload.org means:

  • First-time visitors get HTTPS immediately (no HTTP → HTTPS redirect)
  • No opportunity for connection downgrade
  • Permanent (hard to remove once added)

HSTS preload eligibility requirements:

  1. A valid HTTPS certificate
  2. Redirect all HTTP traffic to HTTPS (including subdomains)
  3. HSTS header with max-age >= 31536000
  4. HSTS header includes includeSubDomains
  5. HSTS header includes preload
  6. All subdomains must support HTTPS
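
Requirements 3 to 5 can be checked from the header value alone. The following is an added example, not code from the original article or from hstspreload.org: a small parser that reports which of those three requirements a Strict-Transport-Security value fails. The function name and the sample values are constructed; requirements 1, 2 and 6 need live checks against the site and are outside its scope.

```javascript
// Checks a Strict-Transport-Security value against preload requirements 3-5 above.
function checkHstsPreload(headerValue) {
  const problems = [];
  const directives = new Map();
  for (const part of String(headerValue || '').split(';')) {
    const [rawName, ...rest] = part.trim().split('=');
    const name = rawName.trim().toLowerCase(); // directive names are case-insensitive
    if (!name) continue;                       // tolerate empty segments such as a trailing ";"
    if (directives.has(name)) problems.push(`duplicate directive: ${name}`);
    // The max-age value may be sent as a quoted string; strip the quotes.
    directives.set(name, rest.join('=').trim().replace(/^"|"$/g, ''));
  }
  const maxAge = directives.get('max-age');
  if (maxAge === undefined) problems.push('missing max-age');
  else if (!/^\d+$/.test(maxAge)) problems.push('max-age is not a number');
  else if (Number(maxAge) < 31536000) problems.push('max-age below 31536000');
  if (!directives.has('includesubdomains')) problems.push('missing includeSubDomains');
  if (!directives.has('preload')) problems.push('missing preload');
  return { eligible: problems.length === 0, problems };
}

// Constructed sample values.
console.log(checkHstsPreload('max-age=31536000; includeSubDomains; preload'));
console.log(checkHstsPreload('max-age=86400; includeSubDomains'));
```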

Warning: Only submit for preload if all your subdomains use HTTPS. The includeSubDomains directive means that any subdomain serving HTTP only will become inaccessible.

Quick win: If you already have HTTPS on all subdomains, add the full HSTS header and submit to hstspreload.org. Processing takes a few weeks, but the protection is significant.

Vulnerability Scanning

Automated vulnerability scanning identifies known security issues in your stack before attackers exploit them.

What vulnerability scanning checks:

  • Outdated software: WordPress, plugins, JavaScript libraries with known CVEs
  • Exposed files: .env, .git, wp-config.php, database dumps
  • Information leakage: verbose error messages, debug mode, stack traces
  • Default credentials: admin pages without authentication, default passwords
  • Open ports/services: unnecessary ports exposed to the internet
  • Injection points: forms without CSRF protection, unvalidated inputs

Common vulnerabilities by platform:

| Platform | Main Issue | Fix |
|----------|------------|-----|
| WordPress | Outdated plugins | Auto-update + WAF |
| Shopify | Third-party app permissions | Audit the app list regularly |
| Next.js | Exposed API routes | Auth middleware + rate limiting |
| Static sites | CDN caching problems | Review cache policies |
| Custom | SQL injection | Prepared statements |

Scan frequency:

  • Regularly: Automated scan (SSL, headers, exposed files)
  • Regularly: Dependency vulnerability scan (npm audit, WordPress plugin check)
  • Regularly: Penetration test with authenticated scanning
  • After deployment: Regression testing

Quick win: Run npm audit (Node.js) or review your CMS plugin list for outdated components. Fix critical and high-severity issues immediately.

Mixed Content

Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets, iframes) over HTTP. This partially breaks security and triggers browser warnings.

Types of mixed content:

| Type | Severity | Example | Browser Behavior |
|------|----------|---------|------------------|
| Active | High | HTTP scripts, iframes, CSS | Blocked by default |
| Passive | Medium | HTTP images, video, audio | Loaded with a warning |

Active mixed content is blocked by modern browsers, which means your scripts and stylesheets will not load. Passive mixed content triggers a security warning.

Finding mixed content:

  1. Open Chrome DevTools → Console
  2. Look for "Mixed Content" warnings
  3. Alternatively, crawl the site with a crawler (Screaming Frog, LANGR)

Common sources of mixed content:

  • Hard-coded http:// links in content (blog posts, descriptions)
  • Third-party widgets that load HTTP resources
  • Embedded content (old YouTube embeds, social widgets)
  • CSS background-image with HTTP URLs
  • Fonts loaded over HTTP
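
The active/passive split from the table can be applied to a page's HTML in bulk. The following is an added example, not code from the original article or from any crawler it names: a regex-based scan (a simplification, not a full HTML parser) that flags http:// subresources in tags and classifies them. The sample page and function name are constructed, and CSS url() references are not covered.

```javascript
// Constructed sample page for illustration.
const samplePage = `
<script src="http://cdn.example.com/lib.js"></script>
<link rel="stylesheet" href="http://example.com/site.css">
<img src="http://example.com/image.jpg" />
<img src="https://example.com/ok.jpg" data-src="http://example.com/lazy.jpg" />
<a href="http://example.com/about">About</a>
<!-- <iframe src="http://old.example.com/"></iframe> -->
`;

const ACTIVE = new Set(['script', 'iframe', 'link']);          // blocked by default
const PASSIVE = new Set(['img', 'video', 'audio', 'source']);  // loaded with a warning

function findMixedContent(html) {
  const findings = [];
  const live = html.replace(/<!--[\s\S]*?-->/g, '');           // commented-out markup never loads
  for (const [, rawTag, attrs] of live.matchAll(/<(\w+)\b([^>]*)>/g)) {
    const tag = rawTag.toLowerCase();
    // <a href> is navigation, not a subresource, so it is not mixed content.
    if (!ACTIVE.has(tag) && !PASSIVE.has(tag)) continue;
    if (tag === 'link' && !/(?:^|\s)rel\s*=\s*["']?stylesheet/i.test(attrs)) continue;
    // Require whitespace before src/href so data-src and similar attributes are skipped.
    const m = /(?:^|\s)(?:src|href)\s*=\s*["']?(http:\/\/[^"'\s>]+)/i.exec(attrs);
    if (!m) continue;
    findings.push({
      tag,
      url: m[1],
      type: ACTIVE.has(tag) ? 'active' : 'passive',
      // Only valid if the host actually serves the resource over HTTPS.
      suggested: m[1].replace(/^http:/i, 'https:'),
    });
  }
  return findings;
}

console.log(findMixedContent(samplePage));
```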

Fixing mixed content:

<!-- Bad -->
<img src="http://example.com/image.jpg" />

<!-- Good -->
<img src="https://example.com/image.jpg" />

<!-- Alternative (protocol-relative, follows the scheme of the page) -->
<img src="//example.com/image.jpg" />

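Database fix (WordPress):

-- Back up the database before running these statements.
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
-- meta_value can hold PHP-serialized data; a raw REPLACE changes string lengths and can corrupt those rows.
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');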

Quick win: Open your homepage in Chrome, press F12, and check the Console tab for mixed content warnings. Fix any that appear; Google routinely detects these.

Third-Party Script Risks

Every third-party script you load is a security (and performance) risk. Third-party scripts can:

  • Be compromised (supply chain attack)
  • Track your users without consent (GDPR violation)
  • Break your site (blocking, timeouts)
  • Degrade performance (render blocking, bloat)
  • Inject unwanted content (rogue ad scripts)

Audit your third-party scripts:

| Script | Necessary? | Risk Level | Alternative |
|--------|------------|------------|-------------|
| Google Analytics | Usually yes | Low | Server-side tracking |
| Chat widgets | Maybe | Medium | Self-hosted solutions |
| Share buttons | In combination | Medium | Static links |
| A/B testing | Sometimes | High | Server-side testing |
| Retargeting pixels | Business decision | High | 1st-party data |
| Font CDN | Easy | Low | Self-hosted fonts |

Reducing third-party script risk:

  1. Subresource Integrity (SRI): hash verification prevents tampered scripts from running.
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAE+sO0..."
        crossorigin="anonymous"></script>
  2. CSP restrictions: only allow scripts from known origins
  3. Sandboxed iframes: isolate third-party widgets
  4. Regular audits: review the full list of external resources
  5. Monitoring: watch for new resources being loaded by your dependencies

Quick win: List all the