
SEO Stack Layer 7: Security - The Signals Google Expects in 2026

·13 min read·by LANGR SEO

SEO Stack Layer 7: Security

This is Layer 7 of the 13-layer SEO Stack. Security is not only about protecting users; it directly affects your search rankings. Google has used HTTPS as a ranking signal since 2014, and expectations keep rising.

Most site owners treat security as a checkbox: "We have SSL, so we're secure." That is not true; Google evaluates many security signals. Sites with proper security headers, valid certificates, and no mixed content outrank sites that have only an SSL certificate, all else being equal.

The good news: most security settings are one-time configurations. Set them once, and they protect your rankings indefinitely.

SSL Configuration

SSL (technically TLS) encrypts the connection between your server and your visitors. Since 2014, Google has explicitly confirmed HTTPS as a ranking signal. In 2026, not having HTTPS is more than a ranking problem: Chrome marks HTTP sites as "Not Secure" in the address bar, which destroys user trust.

Requirements for proper SSL:

| Requirement | Why | How to Check |
|-------------|-----|--------------|
| Valid certificate | Expired = browser warnings = users scared away | Check the expiry date |
| Complete chain | Incomplete chains fail on some devices | SSL Labs test |
| TLS 1.2+ | Older versions have known vulnerabilities | SSL Labs test |
| No SHA-1 | Deprecated, browsers reject it | Certificate details |
| SAN coverage | Both www and non-www must be covered | Certificate details |
| Auto-renewal | Prevents expiry incidents | Let's Encrypt / provider config |

SSL scoring:

100% = Valid certificate + Complete chain + TLS 1.3 + Strong cipher + Auto-renew
  0% = Expired or missing certificate

Common SSL issues:

  1. Certificate expires without notice: set up monitoring (Layer 6) to alert you before the expiry date
  2. Incorrect certificate chain: the server must send the intermediate certificates, not just the leaf
  3. Mixed content: an HTTPS page loads HTTP resources (images, scripts, styles)
  4. Redirect loops: HTTP → HTTPS → HTTP cycles caused by a misconfigured CDN/proxy
  5. Non-www vs www mismatch: the certificate covers one but not the other

Quick win: Run your domain through SSL Labs (ssllabs.com/ssltest). Anything below an "A" rating has fixable issues. Hosting providers commonly fix these with one click.

Security Headers

Security headers are HTTP response headers that tell browsers how to behave while loading your site. They prevent common security attacks, and Google's crawlers check for them.

Essential security headers:

Content-Security-Policy (CSP)

CSP is the most powerful security header. It tells browsers exactly which resources (scripts, styles, images, fonts) are allowed to load on your pages.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none';

What CSP prevents:

  • Cross-site scripting (XSS) attacks
  • Data injection attacks
  • Clickjacking (via frame-ancestors)
  • Loading of unauthorized scripts (cryptominers, injectors)

CSP rollout strategy:

  1. Start with Content-Security-Policy-Report-Only (logs violations without blocking)
  2. Review the reports for 1-2 weeks
  3. Whitelist legitimate sources
  4. Switch to enforcing mode
  5. Set up report-uri or report-to for ongoing violation logging
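
The review in steps 2 and 3 is easier when the collected reports are grouped by directive and origin. The following is an added example, not code from the original article; the sample reports are constructed, and the function names are hypothetical.

```javascript
// Added example (not from the original article): group CSP violation reports
// gathered in Report-Only mode so allowlist decisions are made per directive.
// Constructed sample reports in the legacy "csp-report" JSON shape.
const sampleReports = [
  { 'csp-report': { 'effective-directive': 'script-src', 'blocked-uri': 'https://cdn.example.com/lib.js' } },
  { 'csp-report': { 'effective-directive': 'script-src', 'blocked-uri': 'https://cdn.example.com/app.js' } },
  { 'csp-report': { 'violated-directive': "script-src 'self'", 'blocked-uri': 'inline' } },
  { 'csp-report': { 'effective-directive': 'img-src', 'blocked-uri': 'http://images.example.net/a.png' } },
  { 'csp-report': { 'effective-directive': 'font-src', 'blocked-uri': 'https://fonts.gstatic.com/s/x.woff2' } },
];

// Reduce a blocked-uri to what a policy would list: an origin, a scheme, or a keyword.
function sourceFor(blockedUri) {
  try {
    const u = new URL(blockedUri);
    return u.origin === 'null' ? u.protocol : u.origin;
  } catch {
    return blockedUri; // keywords such as "inline" or "eval" are not URLs
  }
}

function summarizeReports(reports) {
  const summary = {};
  for (const report of reports) {
    const r = report['csp-report'];
    if (!r || !r['blocked-uri']) continue;
    const raw = r['effective-directive'] || r['violated-directive'] || 'unknown';
    const directive = raw.split(' ')[0]; // older browsers send the whole directive text
    const source = sourceFor(r['blocked-uri']);
    summary[directive] = summary[directive] || {};
    summary[directive][source] = (summary[directive][source] || 0) + 1;
  }
  return summary;
}

// HTTPS origins are allowlist candidates; everything else needs a code change
// (move inline code to a file, upgrade http: URLs) rather than a looser policy.
function reviewList(summary) {
  const allow = [], fixInCode = [];
  for (const [directive, sources] of Object.entries(summary)) {
    for (const [source, count] of Object.entries(sources)) {
      (source.startsWith('https://') ? allow : fixInCode).push({ directive, source, count });
    }
  }
  return { allow, fixInCode };
}
```

Entries in `allow` still need a human decision before they go into the enforcing policy; an origin appearing in reports does not make it legitimate.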

X-Frame-Options

Prevents your site from being embedded in iframes on other sites (clickjacking protection).

X-Frame-Options: DENY

Or, if you need to allow same-origin framing:

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

Prevents browsers from MIME-type sniffing (interpreting files as a different type than the one declared).

X-Content-Type-Options: nosniff

This one-liner prevents attacks in which a .jpg file contains hidden JavaScript that the browser might execute.

Referrer-Policy

Controls how much referrer information is sent when users click links on your site.

Referrer-Policy: strict-origin-when-cross-origin

This sends the full URL for same-origin requests but only the origin (domain) for cross-origin requests. It balances analytics needs with privacy.

Permissions-Policy

Controls which browser features (camera, microphone, geolocation, etc.) can be used on your site.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

Disabling features you do not use prevents malicious scripts from using them.

Example header implementation (Next.js):

// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
      ]
    }]
  }
}

Example header implementation (Apache .htaccess):

Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Example header implementation (Nginx):

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Quick win: Add the 5 headers above to your stack. This takes 5 minutes and immediately improves security on every one of your pages.

HSTS Preload

HTTP Strict Transport Security (HSTS) tells browsers to use HTTPS for your domain, even before the first request is made. Without HSTS, the first visit to your site may go over HTTP (vulnerable to interception) before it is redirected to HTTPS.

HSTS header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The three directives:

| Directive | Meaning |
|-----------|---------|
| max-age=31536000 | Remember this for one year (in seconds) |
| includeSubDomains | Apply to all subdomains |
| preload | Request inclusion in the browsers' preload list |

HSTS preload list:

The strongest form of HSTS protection. Browsers ship with a built-in list of domains that must always use HTTPS. Submitting your domain to hstspreload.org means:

  • First-time visitors get HTTPS immediately (no HTTP → HTTPS redirect)
  • Attackers cannot downgrade the connection
  • It is permanent (hard to remove once submitted)

HSTS preload requirements:

  1. Valid HTTPS certificate
  2. Redirect all HTTP to HTTPS (including subdomains)
  3. HSTS header with max-age >= 31536000
  4. HSTS header includes includeSubDomains
  5. HSTS header includes preload
  6. All subdomains must support HTTPS

Warning: Only submit to preload if ALL of your subdomains support HTTPS. The includeSubDomains directive means that even a single subdomain not configured for HTTPS will become unreachable.

Quick win: If you already have HTTPS on all subdomains, add the full HSTS header and submit to hstspreload.org. Processing takes a few weeks, but the protection is permanent.
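
A pre-submission check for requirements 3 to 6 can be scripted. The following is an added example, not code from the original article or from hstspreload.org; the subdomain inventory is constructed and the function names are hypothetical.

```javascript
// Added example (not from the original article): check a
// Strict-Transport-Security value and a subdomain inventory against
// preload requirements 3-6 before submitting the domain.
const ONE_YEAR = 31536000;

function parseHsts(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (!name) continue; // tolerate a trailing semicolon
    // Directive names are case-insensitive; values may be quoted.
    directives[name.trim().toLowerCase()] = rest.join('=').trim().replace(/^"|"$/g, '');
  }
  return directives;
}

function preloadProblems(value) {
  const d = parseHsts(value);
  const problems = [];
  const maxAge = /^\d+$/.test(d['max-age'] || '') ? Number(d['max-age']) : NaN;
  if (Number.isNaN(maxAge)) problems.push('max-age missing or not a number');
  else if (maxAge < ONE_YEAR) problems.push(`max-age ${maxAge} is below ${ONE_YEAR}`);
  if (!('includesubdomains' in d)) problems.push('includeSubDomains missing');
  if (!('preload' in d)) problems.push('preload missing');
  return problems;
}

// Constructed inventory; in practice it comes from DNS records or a crawl.
const inventory = [
  { host: 'www.example.com', https: true },
  { host: 'legacy.example.com', https: false },
];

// Requirement 6: one HTTP-only subdomain is enough to block submission.
function readyForPreload(headerValue, hosts) {
  const problems = preloadProblems(headerValue);
  for (const h of hosts) {
    if (!h.https) problems.push(`${h.host} does not serve HTTPS`);
  }
  return problems;
}
```

An empty result from `readyForPreload` covers the header and the inventory only; the certificate and the HTTP to HTTPS redirects (requirements 1 and 2) still have to be verified against the live site.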

Vulnerability Scanning

Automated vulnerability scanning surfaces known security issues on your site before attackers can exploit them.

What vulnerability scanning checks:

  • Outdated software: WordPress, plugins, JavaScript libraries with known CVEs
  • Exposed files: .env, .git, wp-config.php, database dumps
  • Information leakage: Server version headers, debug mode, stack traces
  • Default settings: Live pages without authentication, forms
  • Open services: Unnecessary services exposed to the internet
  • Injection vectors: Forms without CSRF protection, unsanitized input

Common vulnerabilities by platform:

| Platform | Top Vulnerability | Mitigation |
|----------|-------------------|------------|
| WordPress | Outdated plugins | Auto-update + WAF |
| Shopify | Third-party app permissions | Audit app list quarterly |
| Next.js | Exposed API routes | Auth middleware + rate limiting |
| Static sites | Misconfigured CDN | Review cache rules |
| Custom | SQL injection | Parameterized queries |

Scanning frequency:

  • Daily: Automated surface scan (SSL, headers, exposed files)
  • Weekly: Dependency vulnerability check (npm audit, WordPress plugin scanner)
  • Weekly: Deep scan with authenticated testing
  • After deployments: Regression scan

Quick win: Run npm audit (Node.js) or review your CMS plugin list for outdated components. Fix critical/high issues immediately.

Mixed Content

Mixed content occurs when an HTTPS page loads resources (images, scripts, styles, iframes) over HTTP. This partially breaks encryption and triggers browser warnings.

Types of mixed content:

| Type | Severity | Example | Browser Behavior |
|------|----------|---------|------------------|
| Active | High | HTTP script, iframe, CSS | Blocked by default |
| Passive | Medium | HTTP images, video, audio | Loaded with a warning |

Active mixed content is blocked by default by modern browsers, which means your scripts and styles will not load. Passive mixed content is loaded but displays security warnings.

Finding mixed content:

  1. Open Chrome DevTools → Console
  2. Look for "Mixed Content" warnings
  3. Or use a crawler (Screaming Frog, LANGR)

Common sources of mixed content:

  • Hard-coded http:// URLs in content (articles, product descriptions)
  • Third-party plugins that reference HTTP resources
  • Embedded content (old YouTube embeds, social widgets)
  • CSS background-image with HTTP URLs
  • Fonts loaded over HTTP

Fixing mixed content:

<!-- Bad -->
<img src="http://example.com/image.jpg" />

<!-- Good -->
<img src="https://example.com/image.jpg" />

<!-- Better (protocol-relative, adapts to the page's protocol) -->
<img src="//example.com/image.jpg" />

Database fix (WordPress):

UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');

Quick win: Open your homepage in Chrome, press F12, and check the Console tab for mixed content warnings. Fix whatever turns up; these are directly visible to Google.
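
The console check can be automated for templates and stored content. The following is an added example, not code from the original article or from any crawler it names; it classifies `http://` subresources using the active/passive split from the table above, the sample page is constructed, and the function name is hypothetical.

```javascript
// Added example (not from the original article): find http:// subresources in
// an HTML string and label them active or passive, following the table above.
// Regex sketch for well-formed markup; a crawler would use a real HTML parser.
const PASSIVE_TAGS = new Set(['img', 'video', 'audio', 'source']);
const IMAGE_EXT = /\.(png|jpe?g|gif|webp|svg)(\?|$)/i;

function findMixedContent(html) {
  const findings = [];
  const tagRe = /<(\w+)\b[^>]*?\s(?:src|href)\s*=\s*["'](http:\/\/[^"']+)["'][^>]*>/gi;
  for (const m of html.matchAll(tagRe)) {
    const tag = m[1].toLowerCase();
    if (tag === 'a') continue; // a link is navigation, not a loaded resource
    // <link> only loads a subresource for stylesheets (not rel="canonical" etc.)
    if (tag === 'link' && !/\srel\s*=\s*["']?stylesheet/i.test(m[0])) continue;
    findings.push({ tag, url: m[2], type: PASSIVE_TAGS.has(tag) ? 'passive' : 'active' });
  }
  // url(http://...) inside style attributes and <style> blocks
  for (const m of html.matchAll(/url\(\s*["']?(http:\/\/[^"')\s]+)/gi)) {
    findings.push({ tag: 'css', url: m[1], type: IMAGE_EXT.test(m[1]) ? 'passive' : 'active' });
  }
  return findings;
}

// Constructed sample page.
const samplePage = `
<script src="http://cdn.example.com/lib.js"></script>
<img src="http://example.com/image.jpg" />
<img src="https://example.com/ok.jpg" />
<a href="http://example.com/page">old link</a>
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/site.css">
<div style="background-image: url('http://example.com/bg.png')"></div>
`;
```

On the sample page the anchor and the canonical link are skipped because neither fetches a subresource, which keeps the report limited to what a browser would block or warn about.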

Third-Party Script Risks

Every external script you load is a potential security (and performance) liability. Third-party scripts can:

  • Be compromised (supply chain attacks)
  • Track your users without consent (GDPR violation)
  • Slow your site (render-blocking, network latency)
  • Break functionality (version updates, outages)
  • Inject unwanted content (ad scripts gone wrong)

Audit your third-party scripts:

| Script | Necessary? | Risk Level | Alternative | |--------|-----------|------------|-------------| | Google Analytics | Often yes | Low | Server-side tracking | | Chat widgets | Maybe | Medium | Self-hosted solutions | | Social share buttons | Rarely | Medium | Static share links | | A/B testing | Sometimes | High | Server-side testing | | Retargeting pixels | Business decision | High | First-party data | | Font CDNs | Convenient | Low | Self-host fonts |

Risk mitigation for essential third-party scripts:

  1. Subresource Integrity (SRI): Hash verification prevents tampered scripts from loading
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAE+sO0..."
        crossorigin="anonymous"></script>
  2. CSP restrictions: Only allow scripts from known domains
  3. Sandboxed iframes: Isolate third-party widgets
  4. Regular audits: Quarterly review of all external resources
  5. Monitoring: Alert on new external domains appearing in your pages
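
The integrity value in the SRI item is a base64 digest of the exact bytes the CDN serves. The following is an added example, not code from the original article; it computes and checks such values with Node's built-in crypto module, the script body is constructed, and the function names are hypothetical.

```javascript
// Added example (not from the original article): compute and check Subresource
// Integrity values for a vendored script using Node's built-in crypto module.
const { createHash } = require('node:crypto');

const STRENGTH = ['sha256', 'sha384', 'sha512']; // weakest to strongest

function sriFor(body, algo = 'sha384') {
  return `${algo}-${createHash(algo).update(body).digest('base64')}`;
}

// Follows the browser rule for several hashes: only those using the strongest
// listed algorithm count, and one of them must match the fetched bytes.
// Unlike a browser, an attribute with no usable hash fails this check.
function verifySri(body, integrity) {
  const tokens = integrity.trim().split(/\s+/)
    .map((t) => ({ algo: t.slice(0, t.indexOf('-')), value: t }))
    .filter((t) => STRENGTH.includes(t.algo));
  if (tokens.length === 0) return false;
  const best = STRENGTH[Math.max(...tokens.map((t) => STRENGTH.indexOf(t.algo)))];
  return tokens.some((t) => t.algo === best && t.value === sriFor(body, best));
}

function scriptTag(url, body) {
  return `<script src="${url}" integrity="${sriFor(body)}" crossorigin="anonymous"></script>`;
}

// Constructed script body standing in for the file served by the CDN.
const libV1 = 'console.log("lib v1");';
```

Running `verifySri` in CI against a freshly downloaded copy catches a changed file before visitors' browsers refuse to load it.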

Quick win: List every