
SEO Audit Step 7: Security, the Baseline Google Expects in 2026

·10 min read·by LANGR SEO

SEO Audit Step 7: Security

This is step 7 of the 13-step SEO Audit. Security is not only about protecting your users; it directly affects your search rankings. Google has used HTTPS as a ranking signal since 2014, and the bar has only risen since then.

The majority of site owners think of security as binary: "We have SSL, so we're secure." In reality, Google looks at thousands of security signals. Sites with proper security headers, trusted certificates, and no mixed content outrank sites with only basic SSL, all else being equal.

The good news: most security fixes are one-time configurations. Set them up once, and they protect your rankings permanently.

SSL Configuration

SSL (really TLS) secures the connection between your server and your visitors. Since 2014, Google has explicitly confirmed HTTPS as a ranking factor. In 2026, having HTTPS is not only a ranking matter: Chrome marks HTTP sites as "Not Secure" in the address bar, which erodes user trust.

Requirements for a proper SSL setup:

| Requirement | Why | How to check |
|-------------|-----|--------------|
| Valid certificate | Expired = browser warning = users bounce | Check the expiry date |
| Complete chain | Incomplete chains fail on some devices | SSL Labs test |
| TLS 1.2+ | Older versions have known vulnerabilities | SSL Labs test |
| No SHA-1 | Deprecated, browsers reject it | Certificate details |
| SAN coverage | www and non-www must both be covered | Certificate details |
| Auto-renewal | Prevents outages caused by expiry | Let's Encrypt / provider setup |

SSL scoring:

100% = Valid certificate + Complete chain + TLS 1.3 + Strong cipher + Auto-renewal
  0% = Expired or missing certificate

Common SSL pitfalls:

  1. Certificate expires without notice: set up monitoring (Step 6) that alerts at least 30 days before expiry
  2. Incomplete certificate chain: the server must send the intermediate certificates, not just the leaf
  3. Mixed content: an HTTPS page loads HTTP resources (images, scripts, stylesheets)
  4. Redirect loops: HTTP → HTTPS → HTTP cycles caused by CDN/proxy misconfiguration
  5. www vs non-www mismatch: the certificate covers one but not the other

Quick win: Run your domain through SSL Labs (ssllabs.com/ssltest). Anything below an "A" grade has actionable issues. Most hosting providers fix this with one click.
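Two of the pitfalls above, expiry inside the 30-day window and www/non-www coverage, can be read straight off the certificate. The following is an added example, not code from the original post; it assumes a certificate object shaped like the one Node.js returns from `getPeerCertificate()` (`valid_to`, `subjectaltname`), and the sample certificate is constructed.

```javascript
// Added example. Input shape follows Node's tls getPeerCertificate() result;
// the sample certificate at the bottom is constructed, not a real one.

// Does one SAN entry (possibly a wildcard) cover a hostname?
function sanMatches(pattern, host) {
  pattern = pattern.toLowerCase();
  host = host.toLowerCase();
  if (!pattern.startsWith('*.')) return pattern === host;
  // A wildcard covers exactly one extra label: *.example.com matches
  // www.example.com but neither example.com nor a.b.example.com.
  const rest = host.slice(host.indexOf('.') + 1);
  return host.includes('.') && rest === pattern.slice(2);
}

function auditCertificate(cert, hostnames, now = new Date(), warnDays = 30) {
  const findings = [];
  const daysLeft = Math.floor((new Date(cert.valid_to) - now) / 86400000);
  if (daysLeft < 0) findings.push('certificate expired');
  else if (daysLeft < warnDays) findings.push(`expires in ${daysLeft} days`);

  // subjectaltname looks like "DNS:example.com, DNS:www.example.com"
  const sans = (cert.subjectaltname || '')
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.startsWith('DNS:'))
    .map((s) => s.slice(4));
  for (const host of hostnames) {
    if (!sans.some((san) => sanMatches(san, host))) {
      findings.push(`no SAN covers ${host}`);
    }
  }
  return { daysLeft, findings };
}

// Constructed sample: a wildcard-only certificate, 14 days from expiry.
const sampleCert = {
  valid_to: 'Mar 15 00:00:00 2026 GMT',
  subjectaltname: 'DNS:*.example.com',
};
const certReport = auditCertificate(
  sampleCert,
  ['example.com', 'www.example.com'],
  new Date('2026-03-01T00:00:00Z')
);
console.log(certReport);
```

The wildcard case is the one that most often hides a non-www gap: `*.example.com` does not cover the bare `example.com`.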

Security Headers

Security headers are HTTP response headers that tell the browser how to behave when it handles your site. They block entire classes of attacks, and Google's crawlers look at them too.

Essential security headers:

Content Security Policy (CSP)

CSP is the most important security header. It tells the browser exactly which resources (scripts, styles, images, fonts) are allowed to load on your pages.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none';

What CSP prevents:

  • Cross-site scripting (XSS) attacks
  • Data injection attacks
  • Clickjacking (via frame-ancestors)
  • Unauthorized script execution (cryptominers, ad injectors)

CSP rollout strategy:

  1. Start with Content-Security-Policy-Report-Only (logs violations without blocking)
  2. Monitor the reports for 1-2 days
  3. Allowlist the legitimate sources
  4. Switch to enforcement mode
  5. Add report-uri or report-to so ongoing violations keep being captured
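Steps 2 and 3 of the rollout come down to grouping the violation reports by directive and origin before anything is added to the policy. This is an added example, not code from the original post; it assumes reports in the JSON format browsers send to a `report-uri` endpoint, and the sample reports and their hosts are constructed.

```javascript
// Added example: summarise Content-Security-Policy-Report-Only violations.
// Reports use the JSON body that browsers POST to a report-uri endpoint.
function summariseCspReports(reports) {
  const byDirective = {}; // directive -> { source -> count }
  for (const wrapper of reports) {
    const r = wrapper['csp-report'];
    if (!r) continue; // not a CSP report body
    // Older browsers send only violated-directive, e.g. "script-src 'self'".
    const directive = (r['effective-directive'] || r['violated-directive'] || '')
      .split(' ')[0];
    if (!directive) continue;
    let source = r['blocked-uri'] || '';
    try {
      // Reduce full URLs to their origin, which is what a policy would list.
      const u = new URL(source);
      source = u.origin === 'null' ? u.protocol : u.origin; // data: has no origin
    } catch {
      // "inline", "eval" and similar keywords are not URLs and must never
      // become allowlist entries; keep them visible for code review instead.
      source = `(${source || 'unknown'})`;
    }
    byDirective[directive] = byDirective[directive] || {};
    byDirective[directive][source] = (byDirective[directive][source] || 0) + 1;
  }
  return byDirective;
}

// Origins worth reviewing for the allowlist: seen at least minCount times.
function allowlistCandidates(summary, minCount = 2) {
  const out = {};
  for (const [directive, sources] of Object.entries(summary)) {
    const origins = Object.keys(sources)
      .filter((s) => !s.startsWith('(') && sources[s] >= minCount)
      .sort();
    if (origins.length) out[directive] = origins;
  }
  return out;
}

// Constructed sample reports (hosts are placeholders).
const sampleReports = [
  { 'csp-report': { 'effective-directive': 'script-src', 'blocked-uri': 'https://widgets.example.net/chat.js' } },
  { 'csp-report': { 'violated-directive': "script-src 'self'", 'blocked-uri': 'https://widgets.example.net/v2/chat.js' } },
  { 'csp-report': { 'effective-directive': 'script-src', 'blocked-uri': 'inline' } },
  { 'csp-report': { 'effective-directive': 'img-src', 'blocked-uri': 'http://tracker.example.org/p.gif' } },
];
const cspSummary = summariseCspReports(sampleReports);
console.log(cspSummary, allowlistCandidates(cspSummary));
```

An origin that shows up once, like the tracker above, is a reason to find out what loaded it, not an automatic allowlist entry.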

X-Frame-Options

Prevents your site from being embedded in iframes on external domains (clickjacking protection).

X-Frame-Options: DENY

Or, if you need to allow framing from your own origin:

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

Prevents browsers from MIME-type sniffing (interpreting a file as a different type than the one declared).

X-Content-Type-Options: nosniff

This header prevents attacks where a .jpg file contains hidden JavaScript that the browser might execute.

Referrer-Policy

Controls how much referrer information is sent when users follow links from your site.

Referrer-Policy: strict-origin-when-cross-origin

This sends the full URL on same-origin requests but only the origin (domain) on cross-origin requests. It balances analytics needs with privacy.

Permissions-Policy

Controls which browser features (camera, microphone, geolocation, etc.) can be used on your site.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

Disabling the features you do not use keeps third-party scripts from using them.

Header implementation example (Next.js):

// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
      ]
    }]
  }
}

Header implementation (Apache .htaccess):

Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Header implementation (Nginx):

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Quick win: Add all 5 headers above to your server configuration. It takes five minutes and immediately improves your security posture in any scanning tool.

HSTS Preload

HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for your domain, even before the first request is made. Without HSTS, the first visit to your site may go over HTTP (where it can be intercepted) before the redirect to HTTPS happens.

The HSTS header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The three directives:

| Directive | Meaning |
|-----------|---------|
| max-age=31536000 | Remember this for one year (in seconds) |
| includeSubDomains | Apply to subdomains as well |
| preload | Request inclusion in the browsers' preload lists |

The HSTS preload list:

The ultimate protection. Browsers ship a built-in list of domains that must use HTTPS. Submitting your domain to hstspreload.org means:

  • First-time visitors get HTTPS immediately (no HTTP → HTTPS redirect)
  • Attackers cannot downgrade the connection
  • It is persistent (hard to remove once you are on the list)

HSTS preload requirements:

  1. A valid HTTPS certificate
  2. Redirect all HTTP to HTTPS (including subdomains)
  3. HSTS header with max-age >= 31536000
  4. HSTS header includes includeSubDomains
  5. HSTS header includes preload
  6. All subdomains must support HTTPS

Warning: Submit to preload only if ALL of your subdomains use HTTPS. The includeSubDomains directive means that any HTTP-only subdomain will stop working.

Quick win: If you already have HTTPS on every subdomain, add the full HSTS header and submit to hstspreload.org. Processing takes a few weeks, but the protection is lasting.
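The header-based preload requirements (items 3 to 5) and the five headers from the previous section can be verified against a response's headers; items 1, 2 and 6 need live checks against the site and its subdomains. This is an added example, not code from the original post; header names are expected in lower case, as Node.js exposes them, and the sample responses are constructed.

```javascript
// Added example: check a response for the five headers configured above and
// for the header-based HSTS preload requirements listed in this section.
const REQUIRED_HEADERS = [
  'x-content-type-options', 'x-frame-options', 'referrer-policy',
  'permissions-policy', 'strict-transport-security',
];

// Parse "max-age=31536000; includeSubDomains; preload" into a map.
// Directive names are case-insensitive; values may be quoted.
function parseHsts(value) {
  const directives = {};
  for (const part of String(value || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (!name) continue;
    directives[name.toLowerCase()] = rest.join('=').replace(/^"|"$/g, '');
  }
  return directives;
}

function auditHeaders(headers) {
  const missing = REQUIRED_HEADERS.filter((h) => !(h in headers));
  const hsts = parseHsts(headers['strict-transport-security']);
  const maxAge = /^\d+$/.test(hsts['max-age'] || '') ? Number(hsts['max-age']) : 0;
  const preloadIssues = [];
  if (maxAge < 31536000) preloadIssues.push(`max-age ${maxAge} < 31536000`);
  if (!('includesubdomains' in hsts)) preloadIssues.push('includeSubDomains missing');
  if (!('preload' in hsts)) preloadIssues.push('preload missing');
  return { missing, maxAge, preloadReady: preloadIssues.length === 0, preloadIssues };
}

// Constructed samples: a six-month HSTS value, then the configuration above.
const weak = auditHeaders({
  'x-content-type-options': 'nosniff',
  'strict-transport-security': 'max-age=15768000; includeSubDomains',
});
const full = auditHeaders({
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'SAMEORIGIN',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()',
  'strict-transport-security': 'max-age=31536000; includeSubDomains; preload',
});
console.log(weak, full);
```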

Vulnerability Scanning

Automated vulnerability scanning identifies known security issues before attackers exploit them.

What vulnerability scans check:

  • Outdated software: WordPress, plugins, JavaScript libraries with known CVEs
  • Exposed files: .env, .git, wp-config.php, database dumps
  • Information leakage: server version headers, debug mode, stack traces
  • Default credentials: admin pages without authentication, default passwords
  • Open services: services that should not be exposed to the internet
  • Injection points: forms without CSRF protection, unvalidated inputs

Common vulnerabilities by platform:

| Platform | Top vulnerability | Fix |
|----------|-------------------|-----|
| WordPress | Outdated plugins | Auto-update + WAF |
| Shopify | Third-party app permissions | Review the app list quarterly |
| Next.js | Exposed APIs | Auth middleware + rate limiting |
| Static sites | CDN misconfiguration | Check the caching rules |
| Custom-built | SQL injection | Parameterized queries |

Scan frequency:

  • Daily: automated checks (SSL, headers, exposed files)
  • Monthly: dependency vulnerability scan (npm audit, WordPress plugin check)
  • Weekly: deep scan with authenticated testing
  • After each deployment: regression scan

Quick win: Run npm audit (Node.js) or check your CMS's plugin list for pending updates. Fix critical and high-severity issues immediately.

Mixed Content

Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets, iframes) over HTTP. This partially breaks the page's security and triggers warnings in browsers.

Types of mixed content:

| Type | Severity | Example | Browser behavior |
|------|----------|---------|------------------|
| Active | High | HTTP script, iframe, CSS | Blocked by default |
| Passive | High | HTTP images, video, audio | Loads with a warning |

Active mixed content is blocked by modern browsers, which means your scripts and styles may not load. Passive mixed content loads but shows security warnings.

Finding mixed content:

  1. Open Chrome DevTools → Console
  2. Look for "Mixed Content" warnings
  3. Alternatively, scan with a crawler (Screaming Frog, LANGR)

Common sources of mixed content:

  • Hardcoded http:// URLs in content (blog posts, product descriptions)
  • Third-party scripts loaded over HTTP
  • Embedded content (old YouTube embeds, social media widgets)
  • CSS background-image with HTTP URLs
  • Fonts loaded over HTTP
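The same check the DevTools console performs on one page can be scripted over templates or exported content. This is an added example, not code from the original post; it classifies findings as active or passive following the table above, and the sample HTML is constructed.

```javascript
// Added example: find http:// subresources in HTML and classify them as
// active (blocked) or passive (warning), following the table above.
// A regex scan suits templates and CMS exports; it is not a full HTML parser
// and cannot see URLs that scripts build at runtime.
const ACTIVE_TAGS = new Set(['script', 'iframe', 'object', 'embed']);
const PASSIVE_TAGS = new Set(['img', 'video', 'audio', 'source']);

function findMixedContent(html) {
  const findings = [];
  for (const [, rawTag, attrs] of html.matchAll(/<(\w+)\b([^>]*)>/g)) {
    const tag = rawTag.toLowerCase();
    const url = (attrs.match(/\s(?:src|href|data)\s*=\s*["']?(http:\/\/[^"'\s>]+)/i) || [])[1];
    if (url) {
      const isStylesheet = tag === 'link' && /\brel\s*=\s*["']?stylesheet/i.test(attrs);
      if (ACTIVE_TAGS.has(tag) || isStylesheet) {
        findings.push({ kind: 'active', tag, url });
      } else if (PASSIVE_TAGS.has(tag)) {
        findings.push({ kind: 'passive', tag, url });
      }
      // <a href="http://..."> is navigation, not a subresource: ignored.
    }
    // Inline style="background-image: url(http://...)" loads an image.
    const cssUrl = (attrs.match(/url\(\s*["']?(http:\/\/[^"')\s]+)/i) || [])[1];
    if (cssUrl) findings.push({ kind: 'passive', tag: 'style', url: cssUrl });
  }
  return findings;
}

// Constructed sample page fragment.
const sampleHtml = `
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="http://cdn.example.com/lib.js"></script>
<img src="http://example.com/image.jpg" />
<img src="https://example.com/ok.jpg" />
<a href="http://example.com/page">link</a>
<div style="background-image: url('http://example.com/bg.png')"></div>
`;
const mixed = findMixedContent(sampleHtml);
console.log(mixed);
```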

Fixing mixed content:

<!-- Bad -->
<img src="http://example.com/image.jpg" />

<!-- Good -->
<img src="https://example.com/image.jpg" />

<!-- Best (protocol-relative, follows the protocol of the embedding page) -->
<img src="//example.com/image.jpg" />

Fixing stored content (WordPress):

-- meta_value can hold PHP-serialized data; a raw REPLACE changes string lengths and
-- corrupts it. Back up first, or use WP-CLI's `wp search-replace`, which handles this.
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');

Quick win: Open your home page in Chrome, press F12, and check the Console tab for mixed content warnings. Fix any that appear; they are plainly visible to Google.

Third-Party Script Risks

Every external script you load is a security (and performance) risk. Third-party scripts can:

  • Be compromised (supply chain attack)
  • Track your users without consent (GDPR violation)
  • Slow down your site (blocking, network overhead)
  • Break functionality (version updates, outages)
  • Inject unwanted content (ad scripts using modals)

Audit your third-party scripts:

| Script | Necessary? | Risk level | Alternative |
|--------|------------|------------|-------------|
| Google Analytics | Usually | Low | Server-side tracking |
| Chat widgets | Maybe | Medium | Self-hosted solutions |
| Social sharing buttons | Always | Medium | Static links |
| A/B testing | Sometimes | High | Server-side testing |
| Pixels | Business decision | High | First-party data |
| Font CDNs | Convenient | Low | Self-hosted fonts |

Reducing third-party script risk:

  1. Subresource Integrity (SRI): hash verification prevents tampered scripts from loading
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAE+sO0..."
        crossorigin="anonymous"></script>
  2. CSP restrictions: allow scripts only from specific domains
  3. Sandboxed iframes: isolate third-party widgets
  4. Regular audits: review third-party resources quarterly
  5. Monitoring: alert when new third-party domains appear on your page

Quick win: List every