SEO Guiye Kàddu 7: Aada — Loolu la Google Nagnu ci 2026
SEO Guiye Kàddu 7: Aada
Loolu dafa Kàddu 7 ci 13-Step SEO Guiye. Aada, ëtt mooy jamm jàmp, waaye loolu am na effets ci ay rangoo yu fiñ. Google am na ci HTTPS luy rangoo suñu, te xeex bi neexul.
Njiit ak xibaar yi, jamm, gëstu yépp dafa ànd ak aada bopp: "Naan am na SSL, gëstu nu jamm." Waaye, laata, Google dox na ay jamm yi ànd bye ci yun, aada bopp yu mënul gàttéy. Bokk ak ay aada bopp, jamm jàpp, ak tawk bi, gëstu yi baye ci àduna jamm mbyen, kon njiit yépp nekk lool.
Loolu dafa jàmm: kàddu yépp yu aada bopp am na ay fèpp mbooloo. Waajaloon nañu looy, te am nañu jamm yi mbollo jàpp.
SSL Mànn
SSL (technically TLS) teew na sulf ofi ci sa server ak mbotti yooyu. Suñu yaram yépp, Google teek na HTTPS luy rangoo suñu. Ci 2026, amul HTTPS nekk na luy rangoo — Chrome xet na HTTP site yi ni "Not Secure" ci bopp ngir bopp, mu ñëw jamm.
Maanal yii ngir SSL nga am:
| Maanal | Waati | Naka Mool |
|--------|-------|-----------|
| Sertifikat bi am nañu | Aam = xibaar àndal = jàpp ditem | Kàttal muslimo |
| Mbooloo bu baax | Mbooloo bu màndé ngirun bu xeeñin | Gëstal SSL Labs |
| TLS 1.2+ | Noonu yi am na jàmm jàmm | Gëstal SSL Labs |
| No SHA-1 | Falu na, web browsers dieen na | Mool yi |
| SAN coverage | www ak non-www gëstu nañu yeneen | Mool yi |
| Auto-renewal | Adale aada dara falu | Let's Encrypt / provider config |
SSL scoring:
100% = Sertifikat bi am + Mbooloo bu baax + TLS 1.3 + Jamm bopp bu mag + Auto-renew
0% = Sertifikat bi amul/ gàntu
Fépp yooyu ngir SSL:
- Sertifikat bi gàntu bu dund — Teg monitoring (Kàddu 6) ci minit 30 fukk.
- Mbooj bu muy baax — Server bi wara tokk luy mid-month xibaar, mbooñ.
- Yeneen aada — HTTPS page yuy jëfandikoo HTTP resources (images, scripts, stylesheets).
- Redirect loops — HTTP → HTTPS → HTTP yuy jàpp ca mbeur ak CDN/proxy.
- Non-www ak www ak aada — Sertifikat bi joks, waaye fi ak xibaar.
Jàmm bu lool: Pexi sa domain ci SSL Labs (ssllabs.com/ssltest). Nanu ci réew léen lool ci moom ak kàddu. Cees agn gëst wi dafa jàmm.
Aada Bopp
Aada bopp yi mooy ay HTTP response headers yu jox browser yi luy dox gannaaw yéen. Ñu jox jamm ci asaka yi — ak Google am nañu yu jàmm yon.
Dii aada bopp yi:
Content-Security-Policy (CSP)
CSP mooy aada bopp bu mujj doole dafa jamm yi ci yeneen. Mu jox browser yi ay resources yu nuy yéwun (scripts, styles, images, fonts) lu jot ci yéen.
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none';
Loo CSP jékk:
- X-site scripting (XSS) jàmm
- Data injection jàmm
- Clickjacking (ci `frame-ancestors`)
- Xibaar ak jëfandikoo looy japp (cryptominers, ad injectors)
CSP deployement strategy:
- Bég ci `Content-Security-Policy-Report-Only` (logs violations without blocking)
- Mavian yëng ci wee 1-2 at
- Walu legit sources
- Switch ci enforcing mode
- Añu `report-uri` walla `report-to` ngir logging jékk ci yeneen
X-Frame-Options
Mu jox jamm gàttal luy naan ci iframes ci yeneen domains (clickjacking protection).
X-Frame-Options: DENY
Walla so need lu gësté:
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options
Mu jox browser yi give MIME-type sniffing (suxalay ci ci files yuy yeneen types).
X-Content-Type-Options: nosniff
Loolu jàpp na jamm yu jëkk ak ànd, .jpg file mooy aada bopp, fi may lay jëm ci jopper.
Referrer-Policy
Mu jox jàmm yépp gannaaw rawal réew when users japp links ci sa site.
Referrer-Policy: strict-origin-when-cross-origin
Loolu jox na full URL ngir same-origin requests, waaye faj nangu na origin (domain) ngir cross-origin requests. Loolu mënti ana analytics ak privacy.
Permissions-Policy
Mu jox jamm yi browser features (camera, microphone, géolocation, etc.) mën nañu jëfandikoo ci sa site.
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
Mu tudd mën nañu luy aada ak yeneen mbokk.
Setting these headers (Next.js):
```js
// next.config.js
module.exports = {
  // Apply the security headers to every route
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
      ],
    }];
  },
};
```
Setting these headers (Apache .htaccess):
```apache
# Requires mod_headers to be enabled
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
```
Setting these headers (Nginx):
```nginx
# "always" also sends the header on error responses
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
```
Jàmm bu lool: Añu yeneen i aada jii ci sa server configuration. Loolu xam na 5 minit ak jamm luy baax doole jamm ay rakk.
HSTS Preload
HTTP Strict Transport Security (HSTS) mu jox browser yi ngir ànd ngir HTTPS ngir sa domain — ñu dul call ci jëm ci taw. Waaye moom HSTS, ci mbirum yare yépp, ñu du japp bopp boog ci sa site ba ngir jàp HTTPS.
HSTS aada:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Ñaari directives:
| Directive | Waxta |
|-----------|-------|
| max-age=31536000 | Ndax jëfandikoo ci jaar |
| includeSubDomains | Layers sàkku ku kàddu fukki domain |
| preload | Wey jëm ci taw browser preload lists |
HSTS preload list:
Iñ li mu jox HSTS protektion. Browser yi dañu nangu mu am bopp ci li xam nekk na luy samay HTTPS. Jàmm sa domain ci hstspreload.org mooy:
- Mbëgi mbiri saëla ak HTTPS thèye mësal ni so xam "HTTP → HTTPS redirect."
- Baax na jàmm tëy jamm.
- Dàkk cayewi csoh “Dëggëe” di bomb nañul ka.
Mbaan ngir HSTS preload:
- SSL cëru bi nagna.
- Redirect yeneen HTTP ngir HTTPS (dengsub).
- HSTS aada ak `max-age` >= 31536000.
- HSTS aada ak `includeSubDomains`.
- HSTS aada ak `preload`.
- Yeneen subdomains yuy djam gañ.
Warning: Fa nanga jëm ci preload so yeneen subdomains jox isthéb. includeSubDomains dalo yi yépp, ci yeneen, deeke.
Jàmm bu lool: So yeneen na HTTPS ci yeneen subdomains, añu tudd HSTS aada bonus te jëndu ci hstspreload.org. Processing mën na ana diiró ak si wàllu.
Tébb Nàxar
Tébb Nàxar ngir jàmm yépp am, muñ nañ, ngir yeneen. Muñ jàpp ci yeneen.
Loolu todavía tokk:
- Tawale jot: WordPress, plugins, JavaScript bars ndax xam nañu CVEs.
- Exposed files: `.env`, `.git`, `wp-config.php`, database dumps.
- Xibaar jàmm: Server version headers, debug mode, stack traces.
- Default credentials: Admin pages yu amul jox yaa, default passwords.
- Services xet: Bàkk na bopp ak server.
- Injection points: Forms jox CSRF protection.
Tébb nàxar ànd aada yi:
| Aada gacce | Top Vulnerability | Fix |
|------------|-------------------|-----|
| WordPress | Outdated plugins | Auto-update + WAF |
| Shopify | Third-party app permissions | Audit app li ginna bazz |
| Next.js | Exposed API routes | Auth middleware + rate limiting |
| Static sites | CDN misconfiguration | Ticcley cache rules |
| Custom | SQL injection | Parameterized queries |
Tébb frequency:
- Ci digg: Automated surface scan (SSL, headers, exposed files).
- Ci jàll: Dependency vulnerability check (npm audit, WordPress plugin scanner).
- Ci kanam: Deep scan with authenticated testing.
- Yoon bi yépp: Regression check.
Jàmm bu lool: Run npm audit (Node.js) walla jox sa CMS plugin list ngir outdated components. Faatool yeneen bopp dafa jàmm.
Mixed Content
Mixed content am na, ba loolu dafa gëstu ci HTTPS. Loolu takh muñ na aada bopp.
Ñaari tür niy mixed content:
| Tür | Waxtal | Yox | Browser Behavior |
|------|----------|-----|------------------|
| Active | Baax | HTTP script, iframe, CSS | Blocked by default |
| Passive | Medium | HTTP image, video, audio | Loaded with warning |
Active mixed content xalaatul browser yi, llamadas, scripts ak styles di nañu baax. Passive mixed content jëm, waaye yëng aada du tudd jàmm.
Fok dii mixed content:
- Jëm Chrome DevTools → Console.
- Xool ci "Mixed Content" warnings.
- Fa jëfandikoo, péndi ak wey (Screaming Frog, LANGR).
Yeneen mixed content sources:
- Hardcoded `http://` URLs ci content (blog posts, product descriptions).
- Tawd bi yuy jox HTTP resources.
- Embedded content (YouTube old embeds, social media widgets).
- CSS `background-image` walla HTTP URLs.
- Fonts luy jap dafa jëfam.
Fixing mixed content:
```html
<!-- Bad: HTTP resource on an HTTPS page -->
<img src="http://example.com/image.jpg" />
<!-- Good -->
<img src="https://example.com/image.jpg" />
<!-- Protocol-relative (adapts to page protocol) -->
<img src="//example.com/image.jpg" />
```
Database fix (WordPress):
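```sql
-- Back up the database first; 'yourdomain.com' is a placeholder for your own domain.
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
-- Caution: meta_value may hold PHP-serialized data, which a plain REPLACE can corrupt by changing string lengths.
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');
```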
Jàmm bu lool: Fekk sa homepage ci Chrome, tuuru F12, xool Console tab ci mixed content warnings. Batchol yeneen.
Third-Party Scripts Risks
Yeneen scripts yu maanu ci sa server mooy ay ndogalu jamm (ak performance). Third-party scripts mën nañu:
- Jàpp ci boroom (supply chain attacks).
- Faat nañu yeneen (GDPR violation).
- Koy kàddi sa bu or (read-back).
- Muñ ne yeneen (version updates, outages).
- Baju gàtti (ad scripts).
Audit sa third-party scripts:
| Script | Jamm? | Waxtal | Alternative |
|--------|--------|---------|-------------|
| Google Analytics | Jàmm walla | Baax | Server-side tracking |
| Chat widgets | Ndax | Medium | Self-hosted solutions |
| Social share buttons | Rar | Medium | Static share links |
| A/B testing | Jàmm | Baax | Server-side testing |
| Retargeting pixels | рзы xam | Jàmm | First-party data |
| Font CDNs | Suñuy baa | Baax | Self-host fonts |
Risk mitigation ngir yeneen types:
- Subresource Integrity (SRI): Hash verification moom, dafa yeneen.
  ```html
  <script src="https://cdn.example.com/lib.js"
          integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAE+sO0..."
          crossorigin="anonymous"></script>
  ```
- CSP restrictions: Dañoo jamm yépp.
- Sandboxed iframes: Gëstu bopp.
- Regular audits: Ginnaye di gisol ci yeneen.
- Monitoring: Alert on excessive domains appearing.
Jàmm bu lool: Nangu yeréñ yeneen tag ci sa HTML bi yuy load ci yeneen domains. Jege yeneen yuy fëgg.
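The SRI attribute shown above is the base64 digest of the exact file bytes, prefixed with the algorithm name. The following is an added example for Node.js, not code from the original guide: the function names, the file body, the hostnames and the page markup are constructed for illustration.

```javascript
// Added example: generate and verify SRI values, and list cross-origin scripts without one.
const { createHash } = require('node:crypto');

function sriHash(content, algo = 'sha384') {
  return `${algo}-${createHash(algo).update(content).digest('base64')}`;
}

function verifySri(content, integrity) {
  // Simplification: accept if any listed hash matches (browsers check the strongest algorithm).
  return integrity.trim().split(/\s+/).some((token) => {
    const algo = token.split('-')[0];
    return ['sha256', 'sha384', 'sha512'].includes(algo) && sriHash(content, algo) === token;
  });
}

function scriptsMissingSri(html, pageOrigin) {
  const missing = [];
  const re = /<script\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (!src) continue; // inline script, nothing to pin
    const url = new URL(src[1], pageOrigin);
    const crossOrigin = url.origin !== new URL(pageOrigin).origin;
    if (crossOrigin && !/\bintegrity\s*=/i.test(m[1])) missing.push(url.href);
  }
  return missing;
}

// Constructed sample: one pinned CDN script, one unpinned widget, one first-party script.
const libJs = 'window.lib = { version: "1.0.0" };\n';
const pageHtml = `
<script src="https://cdn.example.com/lib.js" integrity="${sriHash(libJs)}" crossorigin="anonymous"></script>
<script src="https://widgets.example.net/chat.js"></script>
<script src="/assets/app.js"></script>
`;

console.log(sriHash(libJs));
console.log(verifySri(libJs + '// injected', sriHash(libJs))); // a modified file no longer matches
console.log(scriptsMissingSri(pageHtml, 'https://www.example.com'));
```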
Malware Detection & Google Safe Browsing
Google atul foñ a atengna ci sites màngiy indigo àlè ngal nañu. Moom kom abus, xam ni: Google displays a full-page warning before allowing users to visit your site.
Fok nañu site yi:
- Jàmm site yi.
- Injected scripts jàpp.
- User-generated content linking to malware.
- Hosting files flagged as dangerous.
Check your Safe Browsing status:
https://transparencyreport.google.com/safe-browsing/search?url=yourdomain.com
Or in Google Search Console: Security Issues section.
Prevention:
- Keep all software updated (CMS, plugins).
- Jàmm ngay ci bopp ak 2FA.
- Monitoring file integrity.
- Jàmm user-uploaded content.
- Xool yeneen plugins/themes.
- Jàmm yenn user admin yépp.
So yéen wéy:
- Wàc yëng jàmm.
- Jëfandikoo yeneen yëng jàmm.
- Request review ci Google Search Console.
- Valle fuk ka réexku.
- Monitoring jow yëng (re-infection nañu).
Jàmm bu lool: Xool sa site ci transparencyreport.google.com. So jàmm, jékk CMS ak yeneen plugins yo jëfandikoo ci.
Aada Aada SEO
- [ ] Sertifikat bi am nañu ngir jàmm.
- [ ] HTTP → HTTPS redirect on all pages (301, not 302).
- [ ] HSTS header with max-age >= 31536000.
- [ ] Content-Security-Policy header in use.
- [ ] X-Content-Type-Options: nosniff.
- [ ] X-Frame-Options: DENY or SAMEORIGIN.
- [ ] Referrer-Policy: strict-origin-when-cross-origin.
- [ ] Permissions-Policy disabling unused features.
- [ ] No mixed content (HTTP resources on HTTPS pages).
- [ ] No sensitive files exposed (.env, .git, config files).
- [ ] Server version headers removed or generic.
- [ ] Ay software/plugins yépp yo am na fukk.
- [ ] Google Safe Browsing status: clean.
- [ ] Third-party scripts audited ak gna.
- [ ] SRI hashes luy yëng sa script.
Yeneen Jamm bëggal bu lool (Ranked by SEO Impact)
- Expired SSL certificate — Immediate ranking drop + browser warning.
- Mixed content — Degrades trust signals, partial encryption useless.
- No HSTS — First request vulnerable, signals weak security posture.
- Missing CSP — Allows any script to execute (XSS vector).
- Exposed sensitive files — `.env` with API keys, `.git` with source code.
- Outdated CMS/plugins — Known exploits, eventual compromise.
- No security headers at all — Signals you haven't considered security.
- Over-permissive third-party scripts — Security holes you can't control.