SEO Guide Step 7: Security - The Baseline Google Expects in 2026

·11 min read·by LANGR SEO

SEO Guide Step 7: Security

This is step 7 of the 13-Step SEO Guide. Security is not only about protecting users; it directly affects your search rankings. Google has used HTTPS as a ranking signal since 2014, and expectations have kept rising.

Many site owners treat security as binary: "We have SSL, so we're done." In reality, Google looks at many security signals. Websites with proper security headers, valid certificates, and no mixed content rank above sites with only a basic SSL certificate, all else being equal.

The good news: most security fixes are one-time configuration. Set them up once, and they protect your rankings continuously.

SSL Configuration

SSL (technically TLS) encrypts the connection between your server and your visitors. Google confirmed HTTPS as a ranking signal in 2014. In 2026, lacking HTTPS is not only a ranking issue: Chrome marks HTTP websites as "Not Secure" in the address bar, which destroys visitor trust.

Requirements for a proper SSL setup:

| Requirement | Why | How to check |
|-------------|-----|--------------|
| Valid certificate | Expired = browser warning = lost visitors | Check the expiry date |
| Complete chain | An incomplete chain fails on some devices | SSL Labs test |
| TLS 1.2+ | Older versions have known vulnerabilities | SSL Labs test |
| No SHA-1 | Deprecated, browsers reject it | Certificate details |
| SAN coverage | www and non-www must both be covered | Certificate details |
| Auto-renewal | Prevents expiry accidents | Let's Encrypt / provider setup |

SSL scoring:

100% = Valid cert + Complete chain + TLS 1.3 + Strong cipher + Auto-renewal
  0% = Expired or missing certificate

Common SSL issues:

  1. Certificate expired without notice: set up monitoring (Step 6) at least 30 days before expiry
  2. Incomplete certificate chain: the server must send the intermediate certificates, not just the leaf
  3. Mixed content: an HTTPS page loads HTTP resources (images, scripts, stylesheets)
  4. Redirect loops: HTTP → HTTPS → HTTP cycles caused by CDN / proxy configuration
  5. www / non-www mismatch: the certificate covers one but not the other

Quick fix: Run your domain through SSL Labs (ssllabs.com/ssltest). Anything graded below "A" has issues worth fixing. Most hosting providers fix this with one click.

Security Headers

Security headers are HTTP response headers that tell browsers how to behave when loading your website. They prevent entire classes of attacks, and Google's crawlers track these signals.

Essential security headers:

Content-Security-Policy (CSP)

CSP is the most powerful security header. It tells browsers which resources (scripts, styles, images, fonts) are allowed to load on your pages.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none';

What CSP protects against:

  • Cross-site scripting (XSS)
  • Data injection attacks
  • Clickjacking (via frame-ancestors)
  • Unauthorized script execution (cryptominers, injectors)

CSP rollout plan:

  1. Start with Content-Security-Policy-Report-Only (reports violations without blocking)
  2. Monitor the reports for 1-2 weeks
  3. Add the legitimate sources to the policy
  4. Switch to enforcement mode
  5. Add report-uri or report-to so violations keep being reported
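
Steps 2 to 4 of the rollout, as an added example that is not part of the original article: it groups Report-Only violation reports by directive and emits the enforcing header value. The function names, the sample reports and the starting policy are constructed for illustration.

```javascript
// Constructed sample reports in the JSON shape browsers POST to report-uri.
const sampleReports = [
  { 'csp-report': { 'effective-directive': 'script-src', 'blocked-uri': 'https://cdn.example.com/app.js' } },
  { 'csp-report': { 'effective-directive': 'script-src', 'blocked-uri': 'https://cdn.example.com/vendor.js' } },
  { 'csp-report': { 'violated-directive': "font-src 'self'", 'blocked-uri': 'https://fonts.gstatic.com/s/a.woff2' } },
  { 'csp-report': { 'effective-directive': 'script-src', 'blocked-uri': 'inline' } },
  { 'csp-report': { 'effective-directive': 'img-src', 'blocked-uri': 'http://tracker.example.net/p.gif' } },
];

// Strict starting policy used during the Report-Only phase (constructed).
const basePolicy = { 'default-src': ["'self'"], 'frame-ancestors': ["'none'"] };

// Steps 2-3: group blocked HTTPS origins by directive. Anything that is not an
// https:// URL (inline, eval, data:, plain http) goes to `review` instead of
// being allowlisted automatically.
function summarizeReports(reports) {
  const allow = {};
  const review = [];
  for (const wrapper of reports) {
    const r = wrapper['csp-report'] || {};
    const directive = (r['effective-directive'] || r['violated-directive'] || '').split(' ')[0];
    const blocked = r['blocked-uri'];
    if (!directive || !blocked) continue;
    let origin = null;
    try { origin = new URL(blocked).origin; } catch { /* keyword such as "inline" */ }
    if (!origin || !blocked.startsWith('https://')) {
      review.push(`${directive}: ${blocked}`);
      continue;
    }
    (allow[directive] ||= new Set()).add(origin);
  }
  return { allow, review };
}

// Step 4: emit the enforcing header value. A directive that was not in the base
// policy starts from default-src, which is what the browser was applying.
function buildPolicy(base, allow) {
  const merged = { ...base };
  for (const [directive, origins] of Object.entries(allow)) {
    const current = merged[directive] || merged['default-src'] || ["'self'"];
    merged[directive] = [...new Set([...current, ...origins])];
  }
  return Object.entries(merged).map(([d, v]) => `${d} ${v.join(' ')}`).join('; ');
}
```

Entries in `review` need a human decision: an inline script is better moved to a file than allowed with 'unsafe-inline', and an http:// source would reintroduce mixed content.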

X-Frame-Options

Protects your site from being displayed in iframes on other domains (clickjacking protection).

X-Frame-Options: DENY

Or, if you need to allow same-origin framing:

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

Prevents browsers from MIME-type sniffing (treating files as a different type than the one declared).

X-Content-Type-Options: nosniff

This prevents attacks where a .jpg file contains hidden JavaScript that could run in browsers.

Referrer-Policy

Controls how much referrer information is sent when users follow links from your website.

Referrer-Policy: strict-origin-when-cross-origin

This sends the full URL for same-origin requests but only the origin (domain) for cross-origin requests. It balances analytics needs with security.

Permissions-Policy

Controls which browser features (camera, microphone, geolocation, etc.) can be used on your website.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

Disabling features you don't use prevents third-party scripts from using them.

Header implementation example (Next.js):

// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
      ]
    }]
  }
}

Header implementation example (Apache .htaccess):

Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Header implementation example (Nginx):

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Quick fix: Add all five headers above to your server configuration. This takes five minutes and raises your security score in any scanning tool.

HSTS Preload

HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for your domain, even before the request is made. Without HSTS, the first visit to your website may use HTTP (vulnerable to interception) before being redirected to HTTPS.

The HSTS header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The three directives:

| Directive | Meaning |
|-----------|---------|
| max-age=31536000 | Remember this for one year (in seconds) |
| includeSubDomains | Apply to all subdomains |
| preload | Request inclusion in browser preload lists |

The HSTS preload list:

The highest level of HSTS protection. Browsers ship a list of domains that must always be loaded over HTTPS. Submitting your domain at hstspreload.org means:

  • First-time visitors get HTTPS immediately (no HTTP → HTTPS redirect)
  • It is much harder for attackers to downgrade connections
  • It is permanent (hard to undo once done)

HSTS preload requirements:

  1. A valid HTTPS certificate
  2. Redirect all HTTP to HTTPS (including subdomains)
  3. HSTS header with max-age >= 31536000
  4. HSTS header includes includeSubDomains
  5. HSTS header includes preload
  6. All subdomains must support HTTPS

Warning: Only submit for preload if all of your subdomains support HTTPS. The includeSubDomains directive means any HTTP-only subdomain will become unreachable.

Quick fix: Once you have HTTPS on all subdomains, add the full HSTS header and submit to hstspreload.org. Processing takes a few weeks, but the protection is lasting.
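
A pre-submission check for requirements 3 to 5 above, as an added example that is not part of the original article. The function names are made up for illustration; the check covers only the header value, not the certificate, redirect or subdomain requirements.

```javascript
const MIN_PRELOAD_MAX_AGE = 31536000; // one year in seconds, as listed above

// Parse a Strict-Transport-Security value into a Map of directives.
// Directive names are case-insensitive and max-age may be a quoted string.
function parseHsts(value) {
  const directives = new Map();
  for (const part of String(value).split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    const name = (eq === -1 ? trimmed : trimmed.slice(0, eq)).trim().toLowerCase();
    const raw = eq === -1 ? '' : trimmed.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (directives.has(name)) return null; // a directive may appear only once (RFC 6797)
    directives.set(name, raw);
  }
  return directives;
}

// Return a list of problems; an empty list means the header value meets
// the three header-related preload requirements.
function checkPreloadHeader(value) {
  const d = parseHsts(value);
  if (!d) return ['header repeats a directive'];
  const problems = [];
  const maxAgeRaw = d.get('max-age');
  if (maxAgeRaw === undefined || !/^\d+$/.test(maxAgeRaw)) {
    problems.push('max-age missing or not a non-negative integer');
  } else if (Number(maxAgeRaw) < MIN_PRELOAD_MAX_AGE) {
    problems.push(`max-age ${maxAgeRaw} is below ${MIN_PRELOAD_MAX_AGE}`);
  }
  if (!d.has('includesubdomains')) problems.push('includeSubDomains missing');
  if (!d.has('preload')) problems.push('preload missing');
  return problems;
}
```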

Vulnerability Scanning

Automated vulnerability scanning finds known security issues in your stack before attackers can exploit them.

What vulnerability scanning finds:

  • Outdated software: WordPress, plugins, JavaScript libraries with known CVEs
  • Exposed files: .env, .git, wp-config.php, database backups
  • Information leakage: server version headers, debug mode, stack traces
  • Default configurations: admin pages without auth, default passwords
  • Open ports/services: unnecessary services exposed to the internet
  • Injection points: forms without CSRF protection, unvalidated redirects

Common vulnerabilities by platform:

| Platform | Top risk | Fix |
|----------|----------|-----|
| WordPress | Outdated plugins | Auto-updates + WAF |
| Shopify | Third-party app permissions | Review the app list monthly |
| Next.js | Open API routes | Auth middleware + rate limiting |
| Static sites | CDN misconfiguration | Check cache rules |
| Custom | SQL injection | Parameterized queries |

Scan frequency:

  • Daily: automated scans (SSL, headers, exposed files)
  • Weekly: dependency vulnerability scans (npm audit, WordPress plugin checker)
  • Monthly: in-depth authenticated scan
  • After each deployment: deployment scan

Quick fix: Run npm audit (Node.js) or check your CMS plugin list for outdated versions. Fix the critical and high-severity issues right away.

Mixed Content

Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets, iframes) over HTTP. This partially undermines the encryption and triggers browser warnings.

Types of mixed content:

| Type | Severity | Example | Browser behavior |
|------|----------|---------|------------------|
| Active | High | HTTP script, iframe, CSS | Blocked by default |
| Passive | Medium | HTTP image, video, audio | Loaded with warnings |

Active mixed content is blocked by modern browsers, which means your scripts and other resources will not load. Passive mixed content still loads but shows security warnings.

Finding mixed content:

  1. Open Chrome DevTools → Console
  2. Look for "Mixed Content" warnings
  3. Alternatively, scan with a crawler (Screaming Frog, LANGR)
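
A small scanner that applies the active/passive table above to a page's HTML, as an added example that is not part of the original article. It is a regex heuristic rather than a full HTML parser, the sample page is constructed, and the page is assumed to be served over HTTPS.

```javascript
// Tags whose HTTP subresources count as active mixed content (blocked by default).
// Every other scanned tag (img, video, audio, source) is passive.
const ACTIVE_TAGS = new Set(['script', 'iframe', 'link']);

// Constructed sample page, assumed to be served over HTTPS.
const samplePage = `
<link rel="stylesheet" href="http://example.com/site.css">
<link rel="canonical" href="http://example.com/post">
<script src="http://cdn.example.com/lib.js"></script>
<img src="http://example.com/image.jpg" />
<img src="https://example.com/ok.jpg" />
<a href="http://example.com/about">About</a>
<iframe src="//example.com/embed"></iframe>
`;

function findMixedContent(html) {
  const findings = [];
  const tagRe = /<(script|iframe|link|img|video|audio|source)\b([^>]*)>/gi;
  for (const [, rawTag, attrs] of html.matchAll(tagRe)) {
    const tag = rawTag.toLowerCase();
    // <link> fetches a subresource only for stylesheets; rel=canonical is just a URL.
    if (tag === 'link' && !/\brel\s*=\s*["']?stylesheet\b/i.test(attrs)) continue;
    // Only explicit http:// counts: https:// and protocol-relative // are fine here.
    const m = attrs.match(/\b(?:src|href)\s*=\s*["']?(http:\/\/[^"'\s>]+)/i);
    if (!m) continue;
    findings.push({ tag, url: m[1], type: ACTIVE_TAGS.has(tag) ? 'active' : 'passive' });
  }
  return findings;
}
```

Plain `<a href="http://...">` links are not reported because navigating to an HTTP page is not a subresource load.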

Common sources of mixed content:

  • Hardcoded http:// links in content (blog posts, product descriptions)
  • Third-party widgets that load HTTP resources
  • Legacy embedded content (old YouTube embeds, social media widgets)
  • CSS background-image with HTTP URLs
  • Fonts loaded over HTTP

Fixing mixed content:

<!-- Bad -->
<img src="http://example.com/image.jpg" />

<!-- Good -->
<img src="https://example.com/image.jpg" />

<!-- Best (protocol-relative, follows the page's scheme) -->
<img src="//example.com/image.jpg" />

Database fix (WordPress):

-- Back up the database first. meta_value often holds PHP-serialized data whose
-- string-length prefixes no longer match after a raw REPLACE.
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');

Quick fix: Open your homepage in Chrome, press F12, and check the Console tab for mixed content warnings. Fix any that appear; these are directly visible to Google.

Third-Party Script Risks

Every third-party script you load is a potential security (and performance) risk. Third-party scripts can:

  • Be compromised (supply-chain attacks)
  • Track your users without consent (GDPR violation)
  • Slow down your website (render blocking, extra connections)
  • Break functionality (layout shifts, unavailability)
  • Inject unauthorized content (ad scripts gone rogue)

Audit your third-party scripts:

| Script | Needed? | Risk level | Alternative |
|--------|---------|------------|-------------|
| Google Analytics | Usually | Low | Server-side tracking |
| Chat widgets | Maybe | Medium | Self-hosted solutions |
| Social share buttons | Out of habit | Medium | Plain share links |
| A/B testing | Sometimes | High | Server-side testing |
| Tracking pixels | Business decision | High | First-party data |
| CDN fonts | Convenience | Low | Self-hosted fonts |

Baseline steps for securing third-party scripts:

  1. Subresource Integrity (SRI): hash verification blocks scripts that have been tampered with

     <script src="https://cdn.example.com/lib.js"
             integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAE+sO0..."
             crossorigin="anonymous"></script>

  2. CSP restrictions: only allow scripts from trusted domains
  3. Sandboxed iframes: isolate third-party widgets
  4. Regular review: audit all third-party sources periodically
  5. Monitoring: watch for new third-party domains being loaded on your pages
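
How the integrity value in step 1 is produced and what it catches, as an added example that is not part of the original article. It runs in Node.js; the function names and the library contents are constructed, and a single hash per integrity attribute is assumed.

```javascript
const { createHash } = require('node:crypto');

// Compute the value for the integrity attribute: "<algorithm>-<base64 digest>".
function sriValue(content, algorithm = 'sha384') {
  const digest = createHash(algorithm).update(content).digest('base64');
  return `${algorithm}-${digest}`;
}

// Compare fetched bytes against a pinned integrity value, which is the check
// a browser performs before it executes the script.
function matchesPin(content, pinned) {
  const algorithm = pinned.split('-', 1)[0];
  if (!['sha256', 'sha384', 'sha512'].includes(algorithm)) return false;
  return sriValue(content, algorithm) === pinned;
}

// Constructed library source standing in for https://cdn.example.com/lib.js.
const reviewedLib = 'window.lib = { version: "1.0.0" };\n';

// Pin the version you reviewed; this string goes into integrity="...".
const pin = sriValue(reviewedLib);

// The same file after someone changed it on the CDN (constructed).
const tampered = reviewedLib + '/* line added on the CDN after review */\n';
```

Because any byte change invalidates the pin, SRI fits versioned files; a URL whose content the vendor updates in place will start failing the check.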

Quick fix: List every