
SEO Book Part 7: Security — What Google Expects in 2026

·11 min read·by LANGR SEO

This is Part 7 of the 13-Step SEO Book. Security is not only about protecting users; it also affects your search rankings. Google has used HTTPS as a ranking signal since 2014, and expectations have only grown.

Some site owners think of security as binary: "We have SSL, so we're protected." In reality, Google looks at many security signals. Sites with correct security headers, valid certificates, and no mixed content rank higher than sites with only an SSL certificate, all else being equal.

The good news: most security fixes are done once. Fix it once, and it protects your rankings for the long term.

SSL Configuration

SSL (technically TLS) encrypts the connection between your server and your visitors. Since 2014, Google has confirmed HTTPS as a ranking signal. In 2026, lacking HTTPS is not just a ranking penalty: Chrome labels HTTP sites "Not Secure" in the address bar, which destroys user trust.

SSL configuration requirements:

| Requirement | Why | How to Check |
|-------------|-----|--------------|
| Valid certificate | Expired = browser warning = visitors bounce | Check the expiry date |
| Full chain | Incomplete chains fail on some devices | SSL Labs test |
| TLS 1.2+ | Older versions have known vulnerabilities | SSL Labs test |
| No SHA-1 | Deprecated; browsers reject it | Certificate details |
| SAN coverage | Both www and non-www must be covered | Certificate details |
| Auto-renewal | Prevents expiry problems | Let's Encrypt / hosting provider |

SSL scoring:

100% = Valid certificate + Full chain + TLS 1.3 + Strong cipher + Auto-renew
  0% = Expired or missing certificate

Common SSL mistakes:

  1. Certificate expires without warning: set up monitoring (Part 6) that alerts 30+ days before expiry
  2. Incomplete certificate chain: the server must send the intermediate certificates, not only the leaf
  3. Mixed content: an HTTPS page loads HTTP resources (images, scripts, CSS)
  4. Redirect loops: HTTP → HTTPS → HTTP loops caused by CDN/proxy misconfiguration
  5. www vs non-www mismatch: the certificate covers one but not the other

Quick win: Run your domain through SSL Labs (ssllabs.com/ssltest). Anything below an "A" should be fixed. Most hosting providers fix this with one click.

Security Headers

Security headers are HTTP response headers that tell browsers how to behave when loading your site. They prevent many classes of attack, and Google's crawlers check for them.

Key security headers:

Content-Security-Policy (CSP)

CSP is the most powerful security header. It tells browsers which resources (scripts, CSS, images, fonts) are allowed to load on your pages.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none';

CSP prevents:

  • Cross-site scripting (XSS) attacks
  • Data injection
  • Clickjacking (via frame-ancestors)
  • Unauthorized script injection (cryptominers, ad injectors)

CSP deployment strategy:

  1. Start with Content-Security-Policy-Report-Only (logs violations without blocking)
  2. Monitor the reports for 1-2 weeks
  3. Whitelist the legitimate sources
  4. Switch to enforcing mode
  5. Add report-uri or report-to for ongoing violation logging
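
Steps 2 and 3 come down to reading the collected violation reports and deciding which blocked sources are legitimate. The Node.js example below is added here and is not part of the original article; it groups reports from both report-uri and report-to by directive and blocked origin. The function names and the sample reports are constructed for illustration.

```javascript
// Constructed sample reports (not real traffic): two in the legacy report-uri
// shape, two in the Reporting API (report-to) shape, one unrelated report.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'effective-directive': 'script-src-elem', 'blocked-uri': 'https://widgets.example.net/chat.js' } },
  { 'csp-report': { 'violated-directive': "script-src-elem 'self'", 'blocked-uri': 'https://widgets.example.net/chat.js?v=2' } },
  { type: 'csp-violation', body: { effectiveDirective: 'img-src', blockedURL: 'http://images.example.org/banner.png' } },
  { type: 'csp-violation', body: { effectiveDirective: 'script-src-elem', blockedURL: 'inline' } },
  { type: 'deprecation', body: {} },
];

// Reduce either report shape to { directive, blocked }; null if not a CSP report.
function normalizeReport(raw) {
  const legacy = raw && raw['csp-report'];
  if (legacy) {
    // Older browsers put the whole directive text in violated-directive.
    const directive = legacy['effective-directive'] ||
      String(legacy['violated-directive'] || '').split(' ')[0];
    return directive ? { directive, blocked: legacy['blocked-uri'] || '' } : null;
  }
  if (raw && raw.type === 'csp-violation' && raw.body && raw.body.effectiveDirective) {
    return { directive: raw.body.effectiveDirective, blocked: raw.body.blockedURL || '' };
  }
  return null;
}

// Collapse a blocked URL to the origin a CSP source list would name.
function sourceOf(blocked) {
  try {
    const u = new URL(blocked);
    return /^https?:$/.test(u.protocol) ? u.origin : u.protocol; // e.g. "data:"
  } catch {
    return blocked || 'unknown'; // keywords such as "inline" or "eval"
  }
}

// Count violations per (directive, source). Only https origins are flagged as
// allowlist candidates; keywords and http sources are not origins to allowlist.
function summarizeViolations(reports) {
  const groups = new Map();
  for (const r of reports.map(normalizeReport).filter(Boolean)) {
    const source = sourceOf(r.blocked);
    const key = `${r.directive}\n${source}`;
    const g = groups.get(key) ||
      { directive: r.directive, source, count: 0, allowlistable: source.startsWith('https://') };
    g.count += 1;
    groups.set(key, g);
  }
  return [...groups.values()].sort((a, b) => b.count - a.count);
}
```

Entries with `allowlistable: false` need a change to the page itself (moving inline code to a file, or fixing an http:// URL) instead of a wider policy.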

X-Frame-Options

Prevents your site from being embedded in iframes on other domains (clickjacking protection).

X-Frame-Options: DENY

If you need to allow same-origin framing:

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

Prevents browsers from MIME-type sniffing (interpreting a file as a different type than the one declared).

X-Content-Type-Options: nosniff

This one-liner prevents attacks where a .jpg file contains hidden JavaScript that the browser might execute.

Referrer-Policy

Controls how much referrer information is sent when users follow links from your website.

Referrer-Policy: strict-origin-when-cross-origin

This sends the full URL on same-origin requests but only the origin (domain) on cross-origin requests. It balances analytics needs with privacy.

Permissions-Policy

Controls which browser features (camera, microphone, geolocation, and so on) can be used on your website.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

Disabling these features prevents third-party scripts from using them.

Header implementation example (Next.js):

// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
      ]
    }]
  }
}

Header implementation (Apache .htaccess):

Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Header implementation (Nginx):

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Quick win: Add the four headers listed above to your server configuration. This takes five minutes and immediately improves your security score in any scanning tool.

HSTS Preload

HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for your domain, even before they make the first request. Without HSTS, the first visit to your website may use HTTP (vulnerable to interception) before being redirected to HTTPS.

HSTS header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The three directives:

| Directive | Meaning |
|-----------|---------|
| max-age=31536000 | Remember this for 1 year (in seconds) |
| includeSubDomains | Apply to all subdomains |
| preload | Request inclusion in browser preload lists |

HSTS preload list:

The highest level of HSTS protection. Browsers ship with a built-in list of domains that must always use HTTPS. Submitting your domain to hstspreload.org means:

  • First-time visitors get HTTPS immediately (no HTTP → HTTPS redirect)
  • Attackers cannot downgrade the connection
  • Long-lasting (hard to remove once submitted)

HSTS preload requirements:

  1. Valid HTTPS certificate
  2. Redirect all HTTP to HTTPS (including subdomains)
  3. HSTS header with max-age >= 31536000
  4. HSTS header includes includeSubDomains
  5. HSTS header includes preload
  6. All subdomains must support HTTPS

Warning: Only submit to preload if all of your subdomains support HTTPS. The includeSubDomains directive means any HTTP-only subdomain will become unreachable.
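
Requirements 3 to 5 can be checked mechanically before submitting. The Node.js example below is added here and is not part of the original article; it parses a Strict-Transport-Security value and lists what it is missing, including the cases of quoted values, mixed case, and a repeated directive. The host names and header values are constructed samples.

```javascript
const MIN_MAX_AGE = 31536000; // one year, the minimum in the requirements above

// Parse a Strict-Transport-Security value into a Map of lower-cased directives.
// Returns null when a directive repeats, which makes the header invalid (RFC 6797).
function parseHsts(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const [rawName, ...rest] = part.split('=');
    const name = rawName.trim().toLowerCase(); // directive names are case-insensitive
    if (!name) continue; // tolerate a trailing ";"
    if (directives.has(name)) return null;
    // A value may be a quoted-string: max-age="31536000"
    directives.set(name, rest.join('=').trim().replace(/^"(.*)"$/, '$1'));
  }
  return directives;
}

// Return the reasons a header value fails requirements 3-5; [] means it passes.
function checkPreloadHeader(value) {
  const d = parseHsts(value || '');
  if (!d || d.size === 0) return ['header missing or malformed'];
  const problems = [];
  const raw = d.get('max-age') || '';
  if (!/^\d+$/.test(raw)) problems.push('max-age missing or not an integer');
  else if (Number(raw) < MIN_MAX_AGE) problems.push(`max-age ${raw} is below ${MIN_MAX_AGE}`);
  if (!d.has('includesubdomains')) problems.push('includeSubDomains missing');
  if (!d.has('preload')) problems.push('preload missing');
  return problems;
}

// Constructed sample: header values keyed by hypothetical host name.
const SAMPLE_HEADERS = {
  'example.com': 'max-age=31536000; includeSubDomains; preload',
  'shop.example.com': 'MAX-AGE="63072000"; INCLUDESUBDOMAINS; PRELOAD;',
  'blog.example.com': 'max-age=300; includeSubDomains',
  'old.example.com': 'max-age=31536000; max-age=0; includeSubDomains; preload',
};

// Map each host to its list of problems.
function auditHosts(headersByHost) {
  return Object.fromEntries(
    Object.entries(headersByHost).map(([host, v]) => [host, checkPreloadHeader(v)]));
}
```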

Quick win: If you have HTTPS on all subdomains, add the full HSTS header and submit to hstspreload.org. Processing takes a few weeks, but the protection is long-term.

Vulnerability Scanning

Proactive vulnerability scanning finds known security weaknesses in your stack before attackers exploit them.

What a scan checks:

  • Outdated software: WordPress, plugins, JavaScript libraries with known CVEs
  • Exposed files: .env, .git, wp-config.php, database dumps
  • Information disclosure: server version headers, debug mode, stack traces
  • Default credentials: admin pages without auth, default passwords
  • Open ports/services: unnecessary services exposed to the internet
  • Injection points: forms without CSRF protection, unsanitized inputs

Common vulnerabilities by platform:

| Platform | Top Vulnerability | Fix |
|----------|-------------------|-----|
| WordPress | Outdated plugins | Auto-update + WAF |
| Shopify | App permissions | Review the app list once a year |
| Next.js | Exposed API routes | Auth middleware + rate limiting |
| Static sites | CDN cache poisoning | Review caching rules |
| Custom | SQL injection | Parameterized queries |

Scanning schedule:

  • Daily: lightweight scan (SSL, headers, exposed files)
  • Weekly: dependency vulnerability scan (npm audit, WordPress plugin scanner)
  • Monthly: comprehensive assessment
  • After deployments: regression check

Quick win: Run npm audit (Node.js) or review your CMS plugin list for outdated items. Fix critical/high issues immediately.

Mixed Content

Mixed content occurs when an HTTPS page loads resources (images, scripts, CSS, iframes) over HTTP. This undermines the security of the connection and triggers browser warnings.

Types of mixed content:

| Type | Severity | Example | Browser Behavior |
|------|----------|---------|------------------|
| Active | High | HTTP script, iframe, CSS | Blocked by default |
| Passive | Medium | HTTP image, video, audio | Loaded with a warning |

Active mixed content is blocked by modern browsers, which means your scripts and styles do not load. Passive mixed content loads but shows a security warning.

Finding mixed content:

  1. Open Chrome DevTools → Console
  2. Look for "Mixed Content" warnings
  3. Alternatively, scan with a crawler (Screaming Frog, LANGR)
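
The same check can be run on page source before it ships. The Node.js example below is added here and is not part of the original article; it scans an HTML string for subresources loaded over http:// and labels each one active or passive as in the table above. It uses a regular-expression scan instead of a full HTML parser, and the function names and sample page are constructed.

```javascript
// Tags whose HTTP loads browsers block (active); every other scanned tag is
// passive (loaded with a warning), following the table above.
const ACTIVE = new Set(['script', 'iframe', 'link']);
const TAG_RE = /<(script|iframe|link|img|video|audio|source)\b([^>]*)>/gi;

// Read one attribute from a tag's attribute text (quoted or unquoted value).
// The leading (?:^|\s) keeps "data-src" from being read as "src".
function attrValue(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = attrs.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]).trim() : null;
}

function findMixedContent(html) {
  const findings = [];
  for (const [, rawTag, attrs] of html.matchAll(TAG_RE)) {
    const tag = rawTag.toLowerCase();
    // <link> only fetches a subresource here when it is a stylesheet;
    // rel="canonical" and similar carry a URL but load nothing.
    if (tag === 'link' && !/\bstylesheet\b/i.test(attrValue(attrs, 'rel') || '')) continue;
    const url = attrValue(attrs, tag === 'link' ? 'href' : 'src');
    if (!url || !/^http:\/\//i.test(url)) continue; // https:// and relative URLs pass
    findings.push({ tag, url, type: ACTIVE.has(tag) ? 'active' : 'passive' });
  }
  return findings;
}

// Constructed sample page. Only three of these lines are mixed content:
// the stylesheet, the first script and the upper-case IMG.
const SAMPLE_HTML = `
<link rel="canonical" href="http://www.example.com/page">
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="http://cdn.example.com/lib.js"></script>
<script src="https://cdn.example.com/ok.js"></script>
<img data-src="http://img.example.com/lazy.jpg" src="/local.png">
<IMG SRC='http://img.example.com/hero.jpg' />
<a href="http://example.org/">plain link</a>
`;
```

Plain `<a href="http://...">` links and canonical URLs are not reported, because navigating to an HTTP page is not a subresource load.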

Common sources of mixed content:

  • Hardcoded http:// URLs in content (blog posts, product descriptions)
  • Third-party widgets that load HTTP resources
  • Embedded content (old YouTube embeds, social media widgets)
  • CSS background-image with HTTP URLs
  • Fonts loaded over HTTP

Fixing mixed content:

<!-- Bad -->
<img src="http://example.com/image.jpg" />

<!-- Good -->
<img src="https://example.com/image.jpg" />

<!-- Best (protocol-relative, adapts to page protocol) -->
<img src="//example.com/image.jpg" />

Database fix (WordPress):

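-- Rewrite hardcoded http:// URLs in post bodies.
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
-- Caution: meta_value can hold PHP-serialized data whose length prefixes a plain REPLACE does not update.
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');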

Quick win: Open your homepage in Chrome, press F12, and check the Console tab for mixed content warnings. Fix everything it shows; these are visible to Google.

Third-Party Script Risks

Every external script you load is a security (and performance) risk. Third-party scripts can:

  • Be compromised (supply chain attacks)
  • Track your users without consent (violating GDPR)
  • Slow down your page (render-blocking, network latency)
  • Break functionality (version changes, breakage)
  • Inject unwanted content (compromised ad scripts)

Auditing third-party scripts:

| Script | Essential? | Risk Level | Alternative |
|--------|------------|------------|-------------|
| Google Analytics | Usually yes | Low | Server-side tracking |
| Chat widgets | Maybe | Medium | Self-hosted solutions |
| Social share buttons | Usually | Medium | Static share links |
| A/B testing | Sometimes | High | Server-side testing |
| Retargeting pixels | Business decision | High | First-party data |
| Font CDNs | Possibly | Low | Self-host fonts |

Reducing risk for essential third-party scripts:

  1. Subresource Integrity (SRI): hash verification prevents modified scripts from loading
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAE+sO0..."
        crossorigin="anonymous"></script>
  2. CSP restrictions: allow scripts only from known domains
  3. Sandboxed iframes: isolate third-party widgets
  4. Regular audits: review all types of external resources
  5. Monitoring: alert when new scripts appear on your pages
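
The integrity value in item 1 is the base64 digest of the exact file you reviewed. The Node.js example below is added here and is not part of the original article; it computes that value, renders the tag, and re-checks a fetched copy with the same strongest-algorithm rule browsers apply. The function names and file contents are constructed samples.

```javascript
const { createHash } = require('crypto');

// Algorithms SRI defines, weakest to strongest.
const RANK = new Map([['sha256', 1], ['sha384', 2], ['sha512', 3]]);

// Build the integrity value for a file body: "<algo>-<base64 digest>".
function computeSri(body, algo = 'sha384') {
  return `${algo}-${createHash(algo).update(body).digest('base64')}`;
}

// Check a body against an integrity attribute the way a browser does: only the
// entries using the strongest listed algorithm count, and any one of them may match.
function verifySri(body, integrity) {
  const entries = integrity.trim().split(/\s+/)
    .map((e) => ({ algo: e.slice(0, e.indexOf('-')), value: e.split('?')[0] }))
    .filter((e) => RANK.has(e.algo));
  // Browsers skip entries they do not recognise, so an attribute with none
  // protects nothing; report that as a failure instead of a pass.
  if (entries.length === 0) return false;
  const best = Math.max(...entries.map((e) => RANK.get(e.algo)));
  return entries
    .filter((e) => RANK.get(e.algo) === best)
    .some((e) => computeSri(body, e.algo) === e.value);
}

// Render the tag in the same form as the snippet in item 1.
function sriScriptTag(src, body) {
  return `<script src="${src}" integrity="${computeSri(body)}" crossorigin="anonymous"></script>`;
}

// Constructed sample file contents: the reviewed version and a changed copy.
const PINNED = 'window.lib = { version: "1.0.0" };';
const CHANGED = PINNED + '\n/* modified after review */';
```

Because any change to the file breaks the match, a pinned script has to point at a versioned URL whose contents never change; otherwise a routine upstream update stops the script from loading.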

Quick win: List the names of all