
SEO Guiye Kàddu 7: Aada — Loolu la Google Nagnu ci 2026

·11 min read·by LANGR SEO

Loolu dafa Kàddu 7 ci 13-Step SEO Guiye. Aada, ëtt mooy jamm jàmp, waaye loolu am na effets ci ay rangoo yu fiñ. Google am na ci HTTPS luy rangoo suñu, te xeex bi neexul.


Njiit ak xibaar yi, jamm, gëstu yépp dafa ànd ak aada bopp: "Naan am na SSL, gëstu nu jamm." Waaye, laata, Google dox na ay jamm yi ànd bye ci yun, aada bopp yu mënul gàttéy. Bokk ak ay aada bopp, jamm jàpp, ak tawk bi, gëstu yi baye ci àduna jamm mbyen, kon njiit yépp nekk lool.

Loolu dafa jàmm: kàddu yépp yu aada bopp am na ay fèpp mbooloo. Waajaloon nañu looy, te am nañu jamm yi mbollo jàpp.

SSL Mànn

SSL (technically TLS) teew na sulf ofi ci sa server ak mbotti yooyu. Suñu yaram yépp, Google teek na HTTPS luy rangoo suñu. Ci 2026, amul HTTPS nekk na luy rangoo — Chrome xet na HTTP site yi ni "Not Secure" ci bopp ngir bopp, mu ñëw jamm.

Maanal yii ngir SSL nga am:

| Maanal | Waati | Naka Mool |
|--------|-------|-----------|
| Sertifikat bi am nañu | Aam = xibaar àndal = jàpp ditem | Kàttal muslimo |
| Mbooloo bu baax | Mbooloo bu màndé ngirun bu xeeñin | Gëstal SSL Labs |
| TLS 1.2+ | Noonu yi am na jàmm jàmm | Gëstal SSL Labs |
| No SHA-1 | Falu na, web browsers dieen na | Mool yi |
| SAN coverage | www ak non-www gëstu nañu yeneen | Mool yi |
| Auto-renewal | Adale aada dara falu | Let's Encrypt / provider config |

SSL scoring:

100% = Sertifikat bi am + Mbooloo bu baax + TLS 1.3 + Jamm bopp bu mag + Auto-renew
  0% = Sertifikat bi amul/ gàntu

Fépp yooyu ngir SSL:

  1. Sertifikat bi gàntu bu dund — Teg monitoring (Kàddu 6) ci minit 30 fukk.
  2. Mbooj bu muy baax — Server bi wara tokk luy mid-month xibaar, mbooñ.
  3. Yeneen aada — HTTPS page yuy jëfandikoo HTTP resources (images, scripts, stylesheets).
  4. Redirect loops — HTTP → HTTPS → HTTP yuy jàpp ca mbeur ak CDN/proxy.
  5. Non-www ak www ak aada — Sertifikat bi joks, waaye fi ak xibaar.

Jàmm bu lool: Pexi sa domain ci SSL Labs (ssllabs.com/ssltest). Nanu ci réew léen lool ci moom ak kàddu. Cees agn gëst wi dafa jàmm.

Aada Bopp

Aada bopp yi mooy ay HTTP response headers yu jox browser yi luy dox gannaaw yéen. Ñu jox jamm ci asaka yi — ak Google am nañu yu jàmm yon.

Dii aada bopp yi:

Content-Security-Policy (CSP)

CSP mooy aada bopp bu mujj doole dafa jamm yi ci yeneen. Mu jox browser yi ay resources yu nuy yéwun (scripts, styles, images, fonts) lu jot ci yéen.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none'; 

Loo CSP jékk:

  • X-site scripting (XSS) jàmm
  • Data injection jàmm
  • Clickjacking (ci frame-ancestors)
  • Xibaar ak jëfandikoo looy japp (cryptominers, ad injectors)

CSP deployement strategy:

  1. Bég ci Content-Security-Policy-Report-Only (logs violations without blocking)
  2. Mavian yëng ci wee 1-2 at
  3. Walu legit sources
  4. Switch ci enforcing mode
  5. Añu report-uri walla report-to ngir logging jékk ci yeneen

X-Frame-Options

Mu jox jamm gàttal luy naan ci iframes ci yeneen domains (clickjacking protection).

X-Frame-Options: DENY

Walla so need lu gësté:

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

Mu jox browser yi give MIME-type sniffing (suxalay ci ci files yuy yeneen types).

X-Content-Type-Options: nosniff

Loolu jàpp na jamm yu jëkk ak ànd, .jpg file mooy aada bopp, fi may lay jëm ci jopper.

Referrer-Policy

Mu jox jàmm yépp gannaaw rawal réew when users japp links ci sa site.

Referrer-Policy: strict-origin-when-cross-origin

Loolu jox na full URL ngir same-origin requests, waaye faj nangu na origin (domain) ngir cross-origin requests. Loolu mënti ana analytics ak privacy.

Permissions-Policy

Mu jox jamm yi browser features (camera, microphone, géolocation, etc.) mën nañu jëfandikoo ci sa site.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

Mu tudd mën nañu luy aada ak yeneen mbokk.

Géser dii ay aada (Next.js):

// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
      ]
    }]
  }
}

Géser dii ay aada (Apache .htaccess):

Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Géser dii ay aada (Nginx):

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Jàmm bu lool: Añu yeneen i aada jii ci sa server configuration. Loolu xam na 5 minit ak jamm luy baax doole jamm ay rakk.

HSTS Preload

HTTP Strict Transport Security (HSTS) mu jox browser yi ngir ànd ngir HTTPS ngir sa domain — ñu dul call ci jëm ci taw. Waaye moom HSTS, ci mbirum yare yépp, ñu du japp bopp boog ci sa site ba ngir jàp HTTPS.

HSTS aada:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Ñaari directives:

| Directive | Waxta |
|-----------|-------|
| max-age=31536000 | Ndax jëfandikoo ci jaar |
| includeSubDomains | Layers sàkku ku kàddu fukki domain |
| preload | Wey jëm ci taw browser preload lists |

HSTS preload list:

Iñ li mu jox HSTS protektion. Browser yi dañu nangu mu am bopp ci li xam nekk na luy samay HTTPS. Jàmm sa domain ci hstspreload.org mooy:

  • Mbëgi mbiri saëla ak HTTPS thèye mësal ni so xam "HTTP → HTTPS redirect."
  • Baax na jàmm tëy jamm.
  • Dàkk cayewi csoh “Dëggëe” di bomb nañul ka.

Mbaan ngir HSTS preload:

  1. SSL cëru bi nagna.
  2. Redirect yeneen HTTP ngir HTTPS (dengsub).
  3. HSTS aada ak max-age >= 31536000.
  4. HSTS aada ak includeSubDomains.
  5. HSTS aada ak preload.
  6. Yeneen subdomains yuy djam gañ.

Warning: Fa nanga jëm ci preload so yeneen subdomains jox isthéb. includeSubDomains dalo yi yépp, ci yeneen, deeke.

Jàmm bu lool: So yeneen na HTTPS ci yeneen subdomains, añu tudd HSTS aada bonus te jëndu ci hstspreload.org. Processing mën na ana diiró ak si wàllu.
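An added example, not part of the original post: a small parser that checks a `Strict-Transport-Security` value against the three header requirements listed above (`max-age >= 31536000`, `includeSubDomains`, `preload`). The function names and the sample values are this example's own.

```javascript
// Added example: parse a Strict-Transport-Security value and report which
// of the page's header requirements for preload it fails.
const MIN_PRELOAD_MAX_AGE = 31536000; // one year, the threshold given above

function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of String(value).split(';')) {
    const part = raw.trim();
    if (!part) continue;
    const eq = part.indexOf('=');
    // Directive names are case-insensitive; values may be quoted.
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const arg = eq === -1 ? '' : part.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (name === 'max-age' && /^\d+$/.test(arg)) out.maxAge = Number(arg);
    else if (name === 'includesubdomains') out.includeSubDomains = true;
    else if (name === 'preload') out.preload = true;
  }
  return out;
}

function preloadProblems(headerValue, scheme) {
  const problems = [];
  // Browsers ignore HSTS received over plain HTTP, so the scheme matters.
  if (scheme !== 'https') problems.push('header served over HTTP is ignored');
  const p = parseHsts(headerValue);
  if (p.maxAge === null) problems.push('max-age missing or not a number');
  else if (p.maxAge < MIN_PRELOAD_MAX_AGE) problems.push(`max-age ${p.maxAge} < ${MIN_PRELOAD_MAX_AGE}`);
  if (!p.includeSubDomains) problems.push('includeSubDomains missing');
  if (!p.preload) problems.push('preload missing');
  return problems;
}

// Constructed sample values, not captured from a real site.
const samples = [
  ['max-age=31536000; includeSubDomains; preload', 'https'],
  ['max-age=86400; includeSubDomains', 'https'],
  ['MAX-AGE="63072000"; IncludeSubDomains; Preload', 'https'],
];
for (const [value, scheme] of samples) {
  const problems = preloadProblems(value, scheme);
  console.log(value, '=>', problems.length ? problems.join('; ') : 'meets header requirements');
}
```

The check covers only the header itself; the certificate, the HTTP to HTTPS redirect and subdomain coverage from the same list still have to be verified separately.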

Tébb Nàxar

Tébb Nàxar ngir jàmm yépp am, muñ nañ, ngir yeneen. Muñ jàpp ci yeneen.

Loolu todavía tokk:

  • Tawale jot: WordPress, plugins, JavaScript bars ndax xam nañu CVEs.
  • Exposed files: .env, .git, wp-config.php, database dumps.
  • Xibaar jàmm: Server version headers, debug mode, stack traces.
  • Default credentials: Admin pages yu amul jox yaa, default passwords.
  • Services xet: Bàkk na bopp ak server.
  • Injection points: Forms jox CSRF protection.

Tébb nàxar ànd aada yi:

| Aada gacce | Top Vulnerability | Fix |
|------------|-------------------|-----|
| WordPress | Outdated plugins | Auto-update + WAF |
| Shopify | Third-party app permissions | Audit app li ginna bazz |
| Next.js | Exposed API routes | Auth middleware + rate limiting |
| Static sites | CDN misconfiguration | Ticcley cache rules |
| Custom | SQL injection | Parameterized queries |

Tébb frequency:

  • Ci digg: Automated surface scan (SSL, headers, exposed files).
  • Ci jàll: Dependency vulnerability check (npm audit, WordPress plugin scanner).
  • Ci kanam: Deep scan with authenticated testing.
  • Yoon bi yépp: Regression check.

Jàmm bu lool: Run npm audit (Node.js) walla jox sa CMS plugin list ngir outdated components. Faatool yeneen bopp dafa jàmm.

Mixed Content

Mixed content am na, ba loolu dafa gëstu ci HTTPS. Loolu takh muñ na aada bopp.

Ñaari tür niy mixed content:

| Tür | Waxtal | Yox | Browser Behavior |
|------|----------|-----|------------------|
| Active | Baax | HTTP script, iframe, CSS | Blocked by default |
| Passive | Medium | HTTP image, video, audio | Loaded with warning |

Active mixed content xalaatul browser yi, llamadas, scripts ak styles di nañu baax. Passive mixed content jëm, waaye yëng aada du tudd jàmm.

Fok dii mixed content:

  1. Jëm chromé DevTools → Console.
  2. Xool ci "Mixed Content" warnings.
  3. Fa jëfandikoo, péndi ak wey (Screaming Frog, LANGR).

Yeneen mixed content sources:

  • Hardcoded http:// URLs ci content (blog posts, product descriptions).
  • Tawd bi yuy jox HTTP resources.
  • Embedded content (YouTube old embeds, social media widgets).
  • CSS background-image walla HTTP URLs.
  • Fonts luy jap dafa jëfam.

Fixing mixed content:

<!-- Before: HTTP URL (mixed content on an HTTPS page) -->
<img src="http://example.com/image.jpg" />

<!-- After: HTTPS URL -->
<img src="https://example.com/image.jpg" />

<!-- Protocol-relative: adapts to page protocol -->
<img src="//example.com/image.jpg" />

Database fix (WordPress):

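-- Rewrite hard-coded HTTP URLs in post bodies.
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
-- Caution: meta_value can hold PHP-serialized data; a raw REPLACE changes string lengths and can corrupt it.
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');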

Jàmm bu lool: Fekk sa homepage ci Chrome, tuuru F12, xool Consoletab ci mixed content warnings. Batchol yeneen.
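An added example, not part of the original post: a scanner that finds `http://` subresources in an HTML string and labels each one active or passive, following the two rows of the mixed content table above. It is a regex-based sketch for auditing stored content, not a full HTML parser; the function name and sample markup are this example's own.

```javascript
// Added example: classify http:// subresources as active or passive mixed
// content. Tag groups follow the table above (script, iframe, CSS vs.
// image, video, audio).
const ACTIVE = new Set(['script', 'iframe', 'link']); // blocked by default
const PASSIVE = new Set(['img', 'video', 'audio']);   // loaded with a warning

function findMixedContent(html) {
  const findings = [];
  const tagRe = /<(script|iframe|link|img|video|audio)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    // Only <link rel="stylesheet"> counts as the CSS case from the table.
    if (tag === 'link' && !/\brel\s*=\s*["']?stylesheet\b/i.test(attrs)) continue;
    // Require whitespace before src/href so data-src and similar are skipped.
    const url = /(?:^|\s)(?:src|href)\s*=\s*["']?(http:\/\/[^"'\s>]+)/i.exec(attrs);
    if (!url) continue; // https:// and protocol-relative // URLs are fine
    findings.push({ tag, url: url[1], kind: ACTIVE.has(tag) ? 'active' : 'passive' });
  }
  return findings;
}

// Constructed sample markup, reusing the example.com URLs from this page.
const sampleHtml = `
<link rel="stylesheet" href="http://example.com/site.css">
<script src="http://example.com/app.js"></script>
<img src="http://example.com/image.jpg" />
<img src="https://example.com/image.jpg" />
<img src="//example.com/image.jpg" />
<img data-src="http://example.com/lazy.jpg" src="https://example.com/placeholder.jpg" />
<a href="http://example.com/page">plain link, not a subresource</a>
`;

for (const f of findMixedContent(sampleHtml)) {
  console.log(`${f.kind.padEnd(7)} <${f.tag}> ${f.url}`);
}
```

Run it over exported post bodies or rendered pages to get a fix list before touching the database; CSS `url()` references and script-inserted resources are outside what this sketch sees.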

Third-Party Scripts Risks

Yeneen scripts yu maanu ci sa server mooy ay ndogalu jamm (ak performance). Third-party scripts mën nañu:

  • Jàpp ci boroom (supply chain attacks).
  • Faat nañu yeneen (GDPR violation).
  • Koy kàddi sa bu or (read-back).
  • Muñ ne yeneen (version updates, outages).
  • Baju gàtti (ad scripts).

Audit sa third-party scripts:

| Script | Jamm? | Waxtal | Alternative |
|--------|--------|---------|-------------|
| Google Analytics | Jàmm walla | Baax | Server-side tracking |
| Chat widgets | Ndax | Medium | Self-hosted solutions |
| Social share buttons | Rar | Medium | Static share links |
| A/B testing | Jàmm | Baax | Server-side testing |
| Retargeting pixels | рзы xam | Jàmm | First-party data |
| Font CDNs | Suñuy baa | Baax | Self-host fonts |

Risk mitigation ngir yeneen types:

  1. Subresource Integrity (SRI): Hash verification moom, dafa yeneen.

<script src="https://cdn.example.com/lib.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAE+sO0..."
        crossorigin="anonymous"></script>

  2. CSP restrictions: Dañoo jamm yépp.
  3. Sandboxed iframes: Gëstu bopp.
  4. Regular audits: Ginnaye di gisol ci yeneen.
  5. Monitoring: Alert on excessive domains appearing.

Jàmm bu lool: Nangu yeréñ yeneen