
SEO Guide Step 7: Security - What Google Expects in 2026

12 min read · by LANGR SEO

SEO Guide Step 7: Security

This is Step 7 of the 13-Step SEO Guide. Security is not only about protecting users; it directly affects your ranking. Google has used HTTPS as a ranking signal since 2014, and its expectations have become considerably stricter.


Most website owners treat security as a checkbox: "We have SSL, so we're secure." But Google looks at many security signals. Sites with proper security headers, valid certificates and no mixed content consistently outrank sites that have nothing more than an SSL certificate, all else being equal. These things matter.

The good news: most security hardening is a one-time job. Set it up once and it keeps paying off.

SSL Configuration

SSL (today properly called TLS) encrypts the connection between your server and your users. Google has used HTTPS as a ranking signal since 2014. In 2026, not having HTTPS is no longer a missed opportunity - Chrome marks HTTP sites as "Not Secure" in the address bar, which destroys user trust.

Requirements for a good SSL setup:

| Requirement | Why | How to check |
|-------------|-----|--------------|
| Valid certificate | Expired = browser warning = users leave | Check the expiry date |
| Full chain | An incomplete chain fails on some devices | SSL Labs test |
| TLS 1.2+ | Older versions carry known weaknesses | SSL Labs test |
| No SHA-1 | Deprecated; browsers reject it | Certificate details |
| SAN coverage | Both www and non-www are covered | Certificate details |
| Auto-renewal | Prevents expiry incidents | Let's Encrypt / your hosting provider |

SSL scoring:

100% = Valid cert + Full chain + TLS 1.3 + Strong cipher + Auto-renew
  0% = Expired or missing certificate

Common SSL mistakes:

  1. Certificate expires unnoticed - set up monitoring (Step 6) that alerts from 30 days before expiry
  2. Incomplete chain - the server must send the intermediate certificates, not just the leaf
  3. Mixed content - an HTTPS page loading HTTP resources (images, scripts, stylesheets)
  4. Redirect loops - HTTP → HTTPS → HTTP caused by a misconfigured CDN / proxy
  5. www vs non-www mismatch - the certificate covers one variant but not the other

Quick win: Test your domain on SSL Labs (ssllabs.com/ssltest). Anything below an "A" grade points to problems worth fixing. Most hosting companies resolve these with a single settings change.

Security Headers

Security headers are HTTP response headers that tell browsers how to behave when handling your site. They shut down entire classes of attacks - and Google's crawlers take note of them.

Essential security headers:

Content-Security-Policy (CSP)

CSP is the most powerful security header. It tells the browser exactly which resources (scripts, styles, images) are allowed to load on your pages.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none';

What CSP prevents:

  • Script injection (XSS)
  • Data injection and leakage
  • Clickjacking (via frame-ancestors)
  • Unauthorized script execution (cryptominers, ad injectors)

CSP deployment strategy:

  1. Start with Content-Security-Policy-Report-Only (reports violations without blocking anything)
  2. Review the reports for 1-2 hours
  3. Whitelist the legitimate sources
  4. Switch to enforcing mode
  5. Add report-uri or report-to so violations keep being reported
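Steps 2 and 3 are the slow part. The script below is an added example (not from the original post, not LANGR's code) that reduces a batch of Report-Only violation reports to the per-directive sources a reviewer must decide on; the report endpoint, hostnames and reports are constructed samples.

```javascript
// Added example (not from the original post): reduce a batch of
// Content-Security-Policy-Report-Only violation reports to the per-directive
// sources a reviewer must decide on. Report shape is the classic
// report-uri JSON body with a top-level "csp-report" object.
// Constructed sample reports, as browsers POST them to the report endpoint.
const rep = (directive, blocked, doc = 'https://www.example.com/') =>
  ({ 'csp-report': { 'violated-directive': directive, 'blocked-uri': blocked, 'document-uri': doc } });
const sampleReports = [
  rep('script-src', 'https://cdn.example.com/lib.js'),
  rep('script-src', 'https://cdn.example.com/other.js', 'https://www.example.com/blog'),
  rep('img-src', 'http://legacy.example.net/a.png'),
  rep('script-src', 'inline'),
  rep('script-src', 'https://evil.example.org/miner.js'),
];

// Reduce a blocked-uri to the origin you would list in the directive.
// 'inline', 'eval' and 'data' carry no origin; they need a code change, not an allowlist entry.
function sourceFor(blockedUri) {
  if (!blockedUri || ['inline', 'eval', 'data', 'blob'].includes(blockedUri)) return blockedUri || 'inline';
  try { return new URL(blockedUri).origin; } catch (_) { return blockedUri; }
}

// Count reports per directive and source, so one-off sources (often injected
// scripts) stand apart from dependencies that fire on every page view.
function aggregateCspReports(reports) {
  const byDirective = {};
  for (const r of reports) {
    const body = r['csp-report'];
    if (!body) continue;
    const directive = (body['effective-directive'] || body['violated-directive'] || '').split(' ')[0];
    const src = sourceFor(body['blocked-uri']);
    byDirective[directive] = byDirective[directive] || {};
    byDirective[directive][src] = (byDirective[directive][src] || 0) + 1;
  }
  return byDirective;
}

// Turn the counts into proposed additions, most frequent first, flagging
// sources that cannot be allowlisted by origin or that are plain HTTP.
function proposeAllowlist(agg) {
  const proposals = [];
  for (const [directive, sources] of Object.entries(agg)) {
    for (const [source, count] of Object.entries(sources)) {
      let note = 'review; add to the directive only if it is a dependency you recognise';
      if (!source.startsWith('http')) note = 'cannot be allowlisted by origin; move the code to a file or use a nonce';
      else if (source.startsWith('http:')) note = 'plain HTTP source; also mixed content, switch it to https';
      proposals.push({ directive, source, count, note });
    }
  }
  return proposals.sort((a, b) => b.count - a.count);
}
```

A source that appears once in thousands of reports is worth a closer look before it goes into the policy; an unfamiliar origin is exactly what the Report-Only phase is meant to surface.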

X-Frame-Options

This prevents your site from being embedded in iframes on other domains (clickjacking protection).

X-Frame-Options: DENY

If you need to allow framing from your own origin:

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

This stops browsers from MIME-type sniffing (interpreting a file as a different type from the one declared).

X-Content-Type-Options: nosniff

This blocks attacks where a .jpg file actually contains JavaScript that the browser might otherwise execute.

Referrer-Policy

This controls how much referrer information is sent when users follow links from your site.

Referrer-Policy: strict-origin-when-cross-origin

This sends the full URL only for same-origin requests and just the origin for cross-origin requests (and nothing at all on a downgrade to HTTP). It balances analytics needs with privacy.

Permissions-Policy

This controls which browser features your site may use (camera, microphone, geolocation, and so on).

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

Disabling features you do not use limits what third-party scripts can do on your pages.

Header implementation example (Next.js):

// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
      ]
    }]
  }
}

Header implementation (Apache .htaccess):

Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Header implementation (Nginx):

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Quick win: Add all 5 headers to your site. It takes 5 minutes and pays off the next time you are crawled.

HSTS Preload

HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for your domain - even before a user's first visit. Without HSTS, the first request to your site can go out over HTTP (open to interception) before it is redirected to HTTPS.

HSTS header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The three directives:

| Directive | Meaning |
|-----------|---------|
| max-age=31536000 | Remember the policy for one year (in seconds) |
| includeSubDomains | Apply it to all subdomains |
| preload | Request inclusion in the browser preload list |

HSTS preload list:

The strongest form of HSTS. Browsers ship with a built-in list of domains that must always be loaded over HTTPS. Submitting your domain at hstspreload.org means:

  • First-time visitors connect over HTTPS directly (no HTTP → HTTPS redirect)
  • Attackers cannot intercept the initial connection
  • It is permanent (hard to remove once submitted)

HSTS preload requirements:

  1. Valid HTTPS certificate
  2. Redirect all HTTP to HTTPS (including subdomains)
  3. HSTS header with max-age >= 31536000
  4. HSTS header includes includeSubDomains
  5. HSTS header includes preload
  6. All subdomains must serve HTTPS

Caution: Only submit to the preload list once every one of your subdomains supports HTTPS. includeSubDomains will break any subdomain that still serves HTTP only.

Quick win: If you have HTTPS on all subdomains, add the full HSTS header and submit your domain at hstspreload.org. Inclusion takes a few weeks, but the protection is permanent.
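Before submitting, it is worth checking what your server actually sends. The function below is an added example (not from the original post, not LANGR's code) that audits a response's headers against the five headers from the Security Headers section and the HSTS preload requirements above; the sample response is constructed.

```javascript
// Added example (not from the original post): audit a response's security
// headers against the five headers recommended above and the HSTS preload
// requirements (max-age >= 31536000, includeSubDomains, preload).
// Header names are compared case-insensitively, as HTTP requires.
const ONE_YEAR = 31536000;

// Parse "max-age=31536000; includeSubDomains; preload" into a directive map.
function parseHsts(value) {
  const d = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const [k, v] = part.trim().split('=').map(s => s.trim().toLowerCase());
    if (k === 'max-age') d.maxAge = Number.parseInt(v, 10);
    else if (k === 'includesubdomains') d.includeSubDomains = true;
    else if (k === 'preload') d.preload = true;
  }
  return d;
}

// Return a list of findings; an empty list means all five headers pass.
function auditSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];
  const xcto = (h['x-content-type-options'] || '').toLowerCase();
  if (xcto !== 'nosniff') findings.push('X-Content-Type-Options missing or not nosniff');
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!['DENY', 'SAMEORIGIN'].includes(xfo)) findings.push('X-Frame-Options missing or not DENY/SAMEORIGIN');
  if (!h['referrer-policy']) findings.push('Referrer-Policy missing');
  if (!h['permissions-policy']) findings.push('Permissions-Policy missing');
  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('Strict-Transport-Security missing');
  } else {
    const d = parseHsts(hsts);
    if (!(d.maxAge >= ONE_YEAR)) findings.push(`HSTS max-age ${d.maxAge} below ${ONE_YEAR}; not preload-eligible`);
    if (!d.includeSubDomains) findings.push('HSTS lacks includeSubDomains; not preload-eligible');
    if (!d.preload) findings.push('HSTS lacks preload directive; not preload-eligible');
  }
  return findings;
}

// Constructed sample: a response with the short HSTS max-age many hosts ship by default.
const sampleHeaders = {
  'Content-Type': 'text/html',
  'X-Content-Type-Options': 'nosniff',
  'x-frame-options': 'sameorigin',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Strict-Transport-Security': 'max-age=300',
};
```

Run it against the headers of your real pages (curl -sI is enough to capture them) and against at least one subdomain, since the preload requirements apply to all of them.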

Vulnerability Scanning

Vulnerability scanning finds weaknesses in your site before someone else does.

What scanning looks for:

  • Outdated software: WordPress, plugins, JavaScript libraries with known CVEs
  • Exposed files: .env, .git, wp-config.php, database dumps
  • Misconfigurations: open directory listings, debug mode left on
  • Authentication weaknesses: default credentials, forgotten admin accounts, weak passwords
  • Open ports/services: services that should not be reachable from the internet
  • Input handling: forms without CSRF tokens, unvalidated inputs

Common weaknesses by platform:

| Platform | Typical weakness | Fix |
|----------|------------------|-----|
| WordPress | Vulnerable plugins | Auto-update + WAF |
| Shopify | Third-party app permissions | Review them regularly |
| Next.js | Unprotected API routes | Auth middleware + rate limiting |
| Static sites | CDN misconfiguration | Tighten the access rules |
| Custom | SQL injection | Parameterized queries |

Scanning cadence:

  • Daily: automated surface scan (SSL, headers, exposed files)
  • Weekly: dependency vulnerability check (npm audit, WordPress plugin scanner)
  • Monthly: deep scan with authenticated crawling
  • After each deployment: security check of the changed components

Quick win: Run npm audit (Node.js) or review your CMS's plugin list to see what needs updating. Patching known vulnerabilities is the most direct improvement you can make.

Mixed Content

Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets, iframes) over HTTP. This breaks the security guarantee, and browsers know it.

Types of mixed content:

| Type | Severity | Example | Browser behaviour |
|------|----------|---------|-------------------|
| Active | High | HTTP script, iframe, CSS | Blocked by default |
| Passive | Low | HTTP image, video, audio | Loaded with a warning |

Active mixed content is blocked by modern browsers - meaning your scripts and styles simply do not load. Passive mixed content still loads but triggers security warnings.

Finding mixed content:

  1. Open Chrome DevTools → Console
  2. Look for "Mixed Content" warnings
  3. Alternatively, run a crawler (Screaming Frog, LANGR)

Common sources of mixed content:

  • Hardcoded http:// URLs in content (blog posts, page copy)
  • Third-party widget embeds that load over HTTP
  • Embedded media (YouTube embeds, social media widgets)
  • CSS background-image with HTTP URLs
  • Fonts loaded over HTTP
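The DevTools console shows mixed content one page at a time. The scanner below is an added example (not from the original post, not LANGR's code) that finds the sources listed above in a page's HTML offline; the sample page and its hostnames are constructed.

```javascript
// Added example (not from the original post): a regex-based scan of an HTTPS
// page's HTML for the mixed-content sources listed above (hardcoded http://
// src/href attributes and CSS url() values). A quick check, not an HTML parser.

// Constructed sample page containing several of the common mistakes.
const samplePage = `
<link rel="stylesheet" href="https://www.example.com/site.css">
<script src="http://widget.example.net/chat.js"></script>
<img src="http://example.com/hero.jpg" alt="">
<img src="//example.com/logo.png" alt="">
<iframe src="https://www.youtube.com/embed/abc"></iframe>
<style>.hero { background-image: url(http://example.com/bg.png); }
@font-face { src: url("http://fonts.example.org/a.woff2"); }</style>
`;

// Scripts, iframes, stylesheets and fonts are active content (blocked by
// browsers); images, video and audio are passive (loaded with a warning).
const ACTIVE_TAGS = new Set(['script', 'iframe', 'link']); // <link> assumed to be a stylesheet
const FONT_RE = /\.(woff2?|ttf|otf|eot)(\?|$)/i; // heuristic: classify CSS url() by extension

// Return every http:// reference with where it sits and how browsers treat it.
function findMixedContent(html) {
  const findings = [];
  const attrRe = /<(script|img|iframe|link|video|audio|source)\b[^>]*?\b(src|href)\s*=\s*["']?(http:\/\/[^"'\s>]+)/gi;
  let m;
  while ((m = attrRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    findings.push({ url: m[3], where: `<${tag} ${m[2].toLowerCase()}>`, severity: ACTIVE_TAGS.has(tag) ? 'active' : 'passive' });
  }
  const cssRe = /url\(\s*["']?(http:\/\/[^"')\s]+)/gi;
  while ((m = cssRe.exec(html)) !== null) {
    findings.push({ url: m[1], where: 'css url()', severity: FONT_RE.test(m[1]) ? 'active' : 'passive' });
  }
  return findings;
}

// The simplest fix, applied to the whole page: rewrite every http:// reference
// to https://. Protocol-relative (//) URLs are left alone; they already follow the page's scheme.
function upgradeToHttps(html) {
  return html.replace(/\bhttp:\/\//gi, 'https://');
}
```

Only upgrade a URL once you have confirmed the host actually serves it over HTTPS; a blind rewrite turns a warning into a broken resource.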

Fixing mixed content:

<!-- Bad -->
<img src="http://example.com/image.jpg" />

<!-- Good -->
<img src="https://example.com/image.jpg" />

<!-- Also acceptable (protocol-relative, follows the page's scheme) -->
<img src="//example.com/image.jpg" />

Database fix (WordPress):

-- Rewrite hardcoded http:// links in post content and post meta.
-- Take a backup first. Note that REPLACE breaks PHP-serialized values in
-- meta_value when the string length changes (http -> https adds one byte);
-- wp-cli's search-replace command handles serialized data safely.
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');

Quick win: Open your site in Chrome, press F12, and check the Console tab for warnings. Fix every one that is flagged - this is a direct signal to Google.

Third-Party Script Risks

Every third-party script you load is a security liability (and a performance cost). Third-party scripts can introduce:

  • Compromise (supply chain attacks)
  • Tracking users without consent (GDPR violation)
  • Slowdowns on your site (render-blocking, network latency)
  • Availability dependencies (outages, slow responses)
  • Malicious behaviour (rogue scripts)

Audit your third-party scripts:

| Script | Necessary? | Risk level | Alternative |
|--------|-----------|------------|-------------|
| Google Analytics | Usually | Low | Configure it to collect only what you need |
| Chat widgets | Sometimes | High | Load on demand, after user interaction |
| Share buttons | Rarely | High | Static share links |
| A/B testing | Optional | High | Server-side experiments |
| Retargeting pixels | Marketing only | High | Privacy-respecting alternatives |
| Font CDNs | Convenient | Medium | Self-host the fonts |

Protective measures for third-party scripts:

  1. Subresource Integrity (SRI): hash verification ensures the file has not been altered
     <script src="https://cdn.example.com/lib.js"
             integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAE+sO0..."
             crossorigin="anonymous"></script>
  2. CSP restrictions: only allow scripts from domains you know
  3. Sandboxed iframes: isolate third-party widgets
  4. Regular review: re-evaluate every script you load
  5. Monitoring: alert on new external domains appearing in your pages

Quick win: Audit all tags