
SEO Guide Part 7: Security: The Standard Google Expects in 2026

·12 min read·by LANGR SEO

SEO Guide Part 7: Security

This is Step 7 of the 13-step SEO Guide. Security is not only about protecting users; it also shows up in your search performance. Google has used HTTPS as a ranking signal since 2014, and its expectations have grown since then.

Many site owners treat security as a simple matter: "We have SSL, so we're protected." In reality, Google evaluates many security signals. Sites with proper security headers, valid certificates, and no mixed content rank above sites that have only a basic SSL certificate, all else being equal.

The good news: most security fixes are one-time work. You set them up once, and they keep your site up to standard from then on.

SSL Deployment

SSL (technically TLS) encrypts the communication between your server and your visitors. Since 2014, Google has confirmed HTTPS as a ranking signal. In 2026, lacking HTTPS is no longer only a ranking problem: Chrome marks HTTP sites as "Not Secure" in the address bar, which costs you user trust.

Requirements for SSL to work properly:

| Requirement | Why | How to check |
|-------------|-----|--------------|
| Valid certificate | Expired = browser warning = users leave | Check the expiry date |
| Complete chain | An incomplete chain is as good as none | SSL Labs test |
| TLS 1.2+ | Earlier versions have known security problems | SSL Labs test |
| No SHA-1 | Deprecated, flagged by browsers | Certificate details |
| SAN coverage | www and non-www must both be covered | Certificate details |
| Auto-renewal | Prevents expiry incidents | Let's Encrypt / hosting provider configuration |

SSL scoring:

100% = Valid certificate + complete chain + TLS 1.3 + strong cipher + auto-renewal
  0% = Expired or missing certificate

Common SSL problems:

  1. Certificate expires without notice: set up monitoring (Step 6) that alerts at least 30 days before expiry
  2. Incomplete certificate chain: the server must send the intermediate certificates, not just the leaf
  3. Mixed content: an HTTPS page loads HTTP resources (images, scripts, stylesheets)
  4. Redirect loops: HTTP → HTTPS → HTTP, caused by a misconfigured CDN or proxy
  5. www vs. non-www mismatch: the certificate covers one but not the other

Quick win: Run your site through the SSL Labs test (ssllabs.com/ssltest). Any grade below "A" points to issues that need fixing. Most hosting providers fix these with one click.

Security Headers

Security headers are HTTP response headers that tell browsers how to behave when loading your site. They help block whole classes of attacks, and Google's crawlers check for them.

Essential security headers:

Content Security Policy (CSP)

CSP is the most powerful security header. It tells browsers which sources of content (scripts, styles, images, fonts) are allowed on your pages.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none';

What CSP can prevent:

  • Cross-site scripting (XSS) attacks
  • Injection of unauthorized resources
  • Clickjacking (via frame-ancestors)
  • Loading of unauthorized scripts (cryptominers, ad injectors)

CSP rollout:

  1. Start with Content-Security-Policy-Report-Only (reports violations without blocking anything)
  2. Monitor the reports for 1-2 weeks
  3. Allowlist the legitimate sources
  4. Switch to enforcing mode
  5. Add report-uri or report-to so you keep receiving violation reports
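
For steps 2 and 3 of the rollout, the following added example (not code from the original post) groups Report-Only violation reports by directive and blocked origin, so each candidate source can be reviewed before it is allowlisted. The function names and the sample reports are assumptions made for this example; the reports follow the JSON shape browsers send to a report-uri endpoint.

```javascript
// Added example: summarize CSP violation reports (report-uri JSON format)
// collected during the Report-Only phase. Sample reports are constructed.
const sampleReports = [
  { 'csp-report': { 'effective-directive': 'script-src', 'blocked-uri': 'https://cdn.example.com/lib.js' } },
  { 'csp-report': { 'effective-directive': 'script-src', 'blocked-uri': 'https://cdn.example.com/app.js' } },
  { 'csp-report': { 'violated-directive': 'img-src https:', 'blocked-uri': 'http://images.example.net/a.png' } },
  { 'csp-report': { 'effective-directive': 'script-src-elem', 'blocked-uri': 'inline' } },
  { 'unexpected': true }, // malformed submission
];

// Reduce a blocked-uri to the origin you would list in the policy.
// Keyword values such as "inline" or "eval" are not URLs and are kept as-is.
function blockedSource(blockedUri) {
  try {
    const u = new URL(blockedUri);
    return u.origin === 'null' ? u.protocol : u.origin; // data: has no origin
  } catch {
    return blockedUri || 'unknown';
  }
}

// Returns { directive: { source: count } } so every candidate can be reviewed
// before it is added to the enforced policy.
function summarizeCspReports(reports) {
  const summary = {};
  for (const entry of reports) {
    const report = entry && entry['csp-report'];
    if (!report) continue; // ignore anything that is not a CSP report
    const raw = report['effective-directive'] || report['violated-directive'] || 'unknown';
    const directive = raw.trim().split(/\s+/)[0]; // some browsers send the full directive text
    const source = blockedSource(report['blocked-uri']);
    summary[directive] = summary[directive] || {};
    summary[directive][source] = (summary[directive][source] || 0) + 1;
  }
  return summary;
}

console.log(summarizeCspReports(sampleReports));
```

An "inline" entry in the summary is a reason to move that code into a file or use a nonce, not a reason to add 'unsafe-inline' to script-src.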

X-Frame-Options

This header prevents your site from being embedded in iframes on other domains, which helps prevent clickjacking attacks.

X-Frame-Options: DENY

Or, if you need to embed your own pages in frames:

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

Prevents browsers from MIME-type sniffing (interpreting a file as a type other than the one declared).

X-Content-Type-Options: nosniff

This closes off attacks where a file such as image.jpg contains hidden JavaScript that the browser's type sniffing would otherwise execute.

Referrer-Policy

Controls how much referrer information is sent when users click links on your site.

Referrer-Policy: strict-origin-when-cross-origin

This sends the full URL on same-origin requests, but only the origin on cross-origin requests. It balances analytics needs with privacy.

Permissions-Policy

Controls which browser features (camera, microphone, geolocation, etc.) can be used on your site.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

Disabling features you do not need keeps third-party scripts from using them.

Example header implementation (Next.js):

// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
      ]
    }]
  }
}

Header implementation (Apache .htaccess):

Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Header implementation (Nginx):

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Quick win: Add the 5 headers above to your server configuration. It takes 5 minutes and improves your security posture for good.

HSTS Preload

HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for your domain, even if the original request was for HTTP. Without HSTS, the first visit to your site goes over HTTP (where it is vulnerable) before the HTTPS redirect takes effect.

HSTS header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The three directives:

| Directive | Meaning |
|-----------|---------|
| max-age=31536000 | Remember this for one year (in seconds) |
| includeSubDomains | Apply to all subdomains |
| preload | Request inclusion in browsers' preload lists |

The HSTS preload list:

The strongest form of HSTS. Browsers ship with a built-in list of sites that must use HTTPS. Submitting your domain at hstspreload.org means:

  • First-time visitors get HTTPS immediately (no HTTP → HTTPS redirect ever happens)
  • In practice it becomes very hard for attackers to interfere with the connection
  • It is effectively permanent (hard to undo after submitting)

HSTS preload requirements:

  1. Valid HTTPS certificate
  2. Redirect all HTTP traffic to HTTPS (including subdomains)
  3. HSTS header with max-age >= 31536000
  4. HSTS header includes includeSubDomains
  5. HSTS header includes preload
  6. All subdomains must support HTTPS
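
The header-related requirements (3 to 5) can be checked offline before submitting. This is an added example, not code from the original post; the function names are assumptions, and requirements 1, 2 and 6 still need checks against the live site.

```javascript
// Added example: check a Strict-Transport-Security value against the
// header requirements for preload listed above.
const ONE_YEAR = 31536000;

// Parse "max-age=31536000; includeSubDomains; preload" into a Map.
// Directive names are case-insensitive and values may be quoted.
function parseHsts(value) {
  const directives = new Map();
  for (const part of String(value || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (!name) continue; // empty segment, e.g. after a trailing ";"
    const key = name.trim().toLowerCase();
    if (directives.has(key)) return null; // repeated directive: treat header as invalid
    directives.set(key, rest.join('=').trim().replace(/^"|"$/g, ''));
  }
  return directives;
}

// Returns a list of problems; an empty list means the header meets requirements 3-5.
function hstsPreloadProblems(value) {
  const d = parseHsts(value);
  if (!d || d.size === 0) return ['missing or malformed Strict-Transport-Security header'];
  const problems = [];
  const raw = d.get('max-age') || '';
  const maxAge = /^\d+$/.test(raw) ? Number(raw) : NaN;
  if (Number.isNaN(maxAge)) problems.push('max-age missing or not a number');
  else if (maxAge < ONE_YEAR) problems.push(`max-age ${maxAge} is below ${ONE_YEAR}`);
  if (!d.has('includesubdomains')) problems.push('includeSubDomains missing');
  if (!d.has('preload')) problems.push('preload missing');
  return problems;
}

// Constructed sample values
console.log(hstsPreloadProblems('max-age=31536000; includeSubDomains; preload'));
console.log(hstsPreloadProblems('max-age=86400; includeSubDomains'));
```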

Warning: Only submit for preload if all of your subdomains can run on HTTPS. The includeSubDomains directive means that any subdomain that only serves HTTP becomes unreachable.

Quick win: If you have HTTPS on all subdomains, add the full HSTS header and submit at hstspreload.org. It takes time to take effect, but the security benefit is real.

Vulnerability Scanning

Automated vulnerability scanning finds known security problems in your stack before attackers do.

What security scans check for:

  • Outdated software: WordPress, plugins, JavaScript libraries with known CVEs
  • Exposed files: .env, .git, wp-config.php, database dumps
  • Information disclosure: exposed software versions, debug mode, stack traces
  • Default credentials: admin pages without proper protection, default passwords
  • Open ports/services: unnecessary services exposed to the outside
  • Injection points: forms without CSRF protection, unvalidated inputs

Common vulnerabilities by platform:

| Platform | Most common issue | Fix |
|----------|-------------------|-----|
| WordPress | Outdated plugins | Auto-update + WAF |
| Shopify | Third-party app permissions | Audit the app list regularly |
| Next.js | Exposed API routes | Auth middleware + rate limiting |
| Static sites | CDN-related issues | Know which resources are loaded |
| Custom-built | SQL injection | Parameterized queries |

Scan frequency:

  • Daily: automated checks (SSL, headers, exposure checks)
  • Weekly: dependency audit (npm audit, WordPress plugin check)
  • Monthly: full scan with an external scanner
  • After every deployment: regression scan

Quick win: Run npm audit (Node.js) or review your CMS's plugin list to find components that are missing updates. Fix critical and high issues first, then everything else.

Mixed Content

Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets, iframes) over HTTP. This undermines the encryption and triggers browser warnings.

Types of mixed content:

| Type | Risk | Example | Browser behavior |
|------|------|---------|------------------|
| Active | High | HTTP script, iframe, CSS | Blocked outright |
| Passive | Low | HTTP image, video, audio | Loaded, with a warning |

Active mixed content is blocked by modern browsers, which means your scripts and stylesheets do not load. Passive mixed content usually loads, but triggers a security warning.

Detecting mixed content:

  1. Open Chrome DevTools → Console
  2. Look for "Mixed Content" warnings
  3. Or scan with a crawler (Screaming Frog, LANGR)

Common sources of mixed content:

  • Hard-coded http:// images in content (blog posts, product descriptions)
  • Third-party widgets that load HTTP resources
  • Embedded content (older embeds, social media widgets)
  • CSS background-image with HTTP URLs
  • Fonts loaded over HTTP

Fixing mixed content:

<!-- Bad -->
<img src="http://example.com/image.jpg" />

<!-- Good -->
<img src="https://example.com/image.jpg" />

<!-- Best (protocol-relative, matches the page's protocol) -->
<img src="//example.com/image.jpg" />

Bulk fix in the database (WordPress):

UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');

Quick win: Open your page in Chrome, press F12, and check the Console for mixed content warnings. Fix every one that shows up; Google notices them.

Third-Party Script Risks

Every external script you load is a security (and performance) risk. Third-party scripts can:

  • Be compromised (supply-chain attacks)
  • Track your users without consent (privacy violations)
  • Slow down your site (render blocking, network latency)
  • Change behavior (breaking updates, deprecations)
  • Inject unwanted content (unsolicited ads)

Third-party script audit:

| Script | Needed? | Risk level | Alternative |
|--------|---------|------------|-------------|
| Google Analytics | Usually yes | Low | Review what is measured |
| Chat widgets | Maybe | Medium | Ibikuva by'ibyo |
| Ibipimo by'uburinganire | Rarely | Medium | Imiyoborere y'amazu |
| A/B testing | Maybe | High | Review what is measured |
| Retargeting pixels | Business decision | High | Ibisubizo by'ibyo |
| Font CDNs | Easy to replace | Low | Self-host the fonts |

Reducing the risk of third-party scripts:

  1. Subresource Integrity (SRI): hash verification keeps modified scripts from running
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAE+sO0..."
        crossorigin="anonymous"></script>
  2. CSP allowlisting: only allow scripts from approved origins
  3. Sandboxed iframes: isolate third-party widgets
  4. Regular audits: review all third-party scripts
  5. Monitoring: watch for external domains that appear on your pages
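
The integrity value in item 1 is a base64 digest of the exact bytes of the script. This added example (not from the original post) computes that value with Node's built-in crypto module and re-checks fetched bytes against it; the function names and the sample script content are assumptions made for the example.

```javascript
// Added example: compute an SRI value for a reviewed file and re-check fetched bytes.
const crypto = require('node:crypto');
const ALGORITHMS = ['sha256', 'sha384', 'sha512']; // weakest to strongest

// Value for the integrity="" attribute, computed over the exact bytes served.
function sriHash(content, algorithm = 'sha384') {
  const digest = crypto.createHash(algorithm).update(content).digest('base64');
  return `${algorithm}-${digest}`;
}

// Mirrors the browser check: the attribute may hold several space-separated
// hashes, and only those using the strongest listed algorithm are compared.
// Stricter than a browser in one way: no usable hash counts as a failure here.
function matchesIntegrity(content, integrity) {
  const entries = String(integrity).trim().split(/\s+/)
    .map((value) => ({ value, alg: value.split('-')[0] }))
    .filter((e) => ALGORITHMS.includes(e.alg));
  if (entries.length === 0) return false;
  const strongest = Math.max(...entries.map((e) => ALGORITHMS.indexOf(e.alg)));
  return entries
    .filter((e) => ALGORITHMS.indexOf(e.alg) === strongest)
    .some((e) => e.value === sriHash(content, e.alg));
}

// Constructed sample: the file you reviewed and a copy changed afterwards.
const reviewed = 'window.lib = { version: "1.0.0" };';
const modified = reviewed + ' /* changed after review */';
const integrity = sriHash(reviewed);

console.log(integrity);
console.log(matchesIntegrity(reviewed, integrity));
console.log(matchesIntegrity(modified, integrity));
```

Running a check like this in CI against the pinned URL tells you when the CDN copy has changed before visitors' browsers start refusing it.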

Quick win: List every