
Does HTTPS Affect SEO Rankings? The Honest 2026 Answer

HTTPS is required, security headers help indirectly, mixed content kills you. The 5 security signals that move Google rankings in 2026, plus how to test each.

What “security as a ranking signal” actually means

Security is not a single ranking factor that Google adds or subtracts from a score. It is a bundle of things. Some of them are direct, like HTTPS. Most are indirect: they affect Core Web Vitals, crawl behavior, user trust signals, and how Google interprets the site overall.

If you came here looking for one header that boosts your ranking, there is no such header. What there is, is a set of practices that prevent your site from being downranked, mistrusted, or quietly ignored. That is what this post is about.

HTTPS first

Google has been ranking HTTPS over HTTP since 2014. In 2026, an HTTP site is basically uncrawlable for serious queries. Chrome marks it as “Not Secure” in the address bar, users bounce in seconds, and Google sees that bounce as a quality signal.

If your site is still on HTTP, nothing else in this post matters yet. Get a certificate first. Most hosts give you one for free now, and if yours does not, move hosts.

A few common cases:

  • Your main domain is HTTPS but www. is not. Both need to work, both need to redirect to one canonical version.
  • Your blog subdomain is HTTPS but assets. or cdn. is not. Subdomains count too.
  • Your site is HTTPS but you load images from an HTTP source. That is mixed content, and we will get to it.

Security headers and Core Web Vitals

Headers like HSTS, CSP, and X-Frame-Options are not direct ranking factors. Google has been clear about this. But they affect Core Web Vitals indirectly, which are direct ranking factors, so the effect is real.

A strict Content-Security-Policy that blocks unknown third-party scripts can improve LCP and CLS in two ways. First, by preventing slow ad scripts and analytics tags from blocking the render. Second, by preventing layout shifts caused by late-arriving widgets that push your content around.

HSTS helps too, in a smaller way. By telling the browser “always use HTTPS for this domain”, you remove the HTTP-to-HTTPS redirect on repeat visits. That is one round trip saved on every page load.

If you are running a Zero Trust frontend architecture, most of these headers are already part of your default config. Good. If not, start with the basics and tighten as you go.

Mixed content

Mixed content is when an HTTPS page loads an HTTP resource. An image, a script, a stylesheet, a font. The browser blocks scripts and stylesheets outright. Images get a warning. Either way, your padlock icon disappears, and Chrome shows “Not Secure” in some form.

Google does not love this. The page still works, but it loses the trust signal that the rest of your HTTPS setup gives it.

To audit, open DevTools, go to the Console, and reload the page. Mixed content shows up as warnings. Or use the Security tab in Chrome DevTools, which lists every resource and its origin. Fix by either upgrading the URL to HTTPS, or hosting the resource yourself.
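A scripted version of that DevTools audit, added here as an example rather than taken from the original post: it walks the HTML of a page, resolves every subresource URL against the page URL, and reports the ones still fetched over plain HTTP, split into the two classes described above (scripts and stylesheets blocked, images warned). The sample page and hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresources the browser refuses to load from HTTP on an HTTPS page
# versus ones it loads with a warning (the split this post describes).
_BLOCKED = {("script", "src"), ("link", "href"), ("iframe", "src")}
_WARNED = {("img", "src"), ("video", "src"), ("audio", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, resolved_url, severity)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for t, attr in _BLOCKED | _WARNED:
            if tag != t or not a.get(attr):
                continue
            # Only rel=stylesheet <link>s are rendered subresources.
            if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
                continue
            # urljoin turns relative and protocol-relative ("//cdn/...")
            # URLs into https://, so only explicit http:// survives the check.
            url = urljoin(self.page_url, a[attr])
            if urlsplit(url).scheme == "http":
                sev = "blocked" if (t, attr) in _BLOCKED else "warning"
                self.findings.append((tag, url, sev))


def scan_mixed_content(page_url, html):
    """Return (tag, url, severity) for each HTTP resource on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only a concept on HTTPS pages
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page, not a real site.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="icon" href="http://cdn.example.test/favicon.ico">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="http://img.example.test/hero.png">
<img src="/local.png">
<script src="http://ads.example.test/tag.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, url, sev in scan_mixed_content("https://example.test/", SAMPLE_HTML):
        print(f"{sev:8} <{tag}> {url}")
```

Run it against the HTML of each template you ship; anything it prints is a resource to upgrade to HTTPS or self-host.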

Certificate health

An expired certificate is worse than no certificate. Browsers show a full-page warning, users bail, and Google notices.

Most modern hosts auto-renew. If you are on Vercel, Cloudflare, Netlify, or a similar platform, your certs renew without you doing anything. Verify this once and then forget about it.

If you manage your own certs, use Let’s Encrypt with Certbot and set up the renewal cron job. Then set a calendar reminder to check the renewal logs once a quarter. A certificate that fails to renew because the cron job died silently is a common ranking emergency.

A few things to watch:

  • The certificate covers all your subdomains, or you have separate certs for each.
  • The certificate uses a current signature algorithm, not something deprecated.
  • The certificate chain is complete, with no missing intermediates. SSL Labs will tell you.

Subdomain coverage

Every subdomain needs its own certificate and HTTPS redirect. A wildcard cert covers all of them at once, which is usually the cleanest setup.

Common gaps:

  • staging.yoursite.com on HTTP because nobody bothered. Search engines find it anyway.
  • An old subdomain like old.yoursite.com still serving content from a previous CMS, on HTTP, with no redirect.
  • A vendor subdomain like email.yoursite.com pointing to a mail provider, with their cert expired or misconfigured.

These are ranking liabilities. Audit your DNS records, list every subdomain, check each one in a browser, fix or kill what does not belong.

Practical security checklist for SEO

If you want a working list to copy:

  • HTTPS on every page, every subdomain, every asset.
  • HSTS header set, ideally with preload once you are confident the site is fully HTTPS.
  • A basic CSP that at minimum sets default-src 'self' and an explicit allowlist for what you actually use.
  • frame-ancestors 'none' (or a specific allowlist) instead of the older X-Frame-Options.
  • Certificates valid, auto-renewing, and covering all subdomains.
  • No mixed content. DevTools Console clean on every template.
  • A security.txt file at /.well-known/security.txt so researchers can report issues.

This is not a complete security policy. It is a baseline that prevents your SEO from suffering for technical reasons.
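To turn the header part of that checklist (and the HSTS and CSP discussion earlier) into something you can run, here is an added example, not code from the original post: it parses the Strict-Transport-Security and Content-Security-Policy values of one response and reports which checklist items are missing. The two header sets at the bottom are constructed samples, and the one-year threshold is the minimum max-age the HSTS preload list accepts.

```python
ONE_YEAR = 31536000  # smallest max-age the HSTS preload list will take


def parse_csp(value):
    """Content-Security-Policy -> {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts(value):
    """Strict-Transport-Security -> max-age plus the two boolean flags."""
    out = {"max-age": 0, "includesubdomains": False, "preload": False}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        key = key.lower()
        if key == "max-age" and val.strip().isdigit():
            out["max-age"] = int(val.strip())
        elif key in ("includesubdomains", "preload"):
            out[key] = True
    return out


def audit_headers(headers):
    """Checklist findings for one response; an empty list means clean."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    if "strict-transport-security" not in h:
        findings.append("HSTS missing")
    else:
        hsts = parse_hsts(h["strict-transport-security"])
        if hsts["max-age"] < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if not hsts["preload"]:
            findings.append("HSTS preload not set (add once every subdomain is HTTPS)")
    if "content-security-policy" not in h:
        findings.append("CSP missing")
    else:
        csp = parse_csp(h["content-security-policy"])
        default = csp.get("default-src")
        if not default or "*" in default or "http:" in default:
            findings.append("CSP default-src is absent or allows any origin")
        if "frame-ancestors" not in csp:
            legacy = " (only legacy X-Frame-Options set)" if "x-frame-options" in h else ""
            findings.append("CSP frame-ancestors missing" + legacy)
    return findings


# Constructed sample responses, not captured from any real site.
WEAK_HEADERS = {"Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
                "X-Frame-Options": "DENY"}
STRONG_HEADERS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
                  "Content-Security-Policy": "default-src 'self'; img-src 'self' https://cdn.example.test; frame-ancestors 'none'"}
```

Feed it the headers from a real response (for example the dict you get back from any HTTP client) and it gives you the same list of gaps a Security Headers scan would flag, minus the letter grade.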

E-E-A-T and trust signals beyond headers

Google looks at trust signals that have nothing to do with HTTP headers. The E-E-A-T framework (Experience, Expertise, Authoritativeness, Trust) is the umbrella term. In practice it means:

  • Real author info on posts, with a real name, a real bio, and ideally links to a profile or LinkedIn.
  • Real contact info on the site, with a physical address if you have one, and a way to reach a human.
  • A privacy policy that actually describes what you do with user data, not generic boilerplate copied from a template.
  • Terms of service that match how the site actually works.
  • An “About” page that explains who runs the site and why it exists.

These are what tell Google there is a real business behind the site. None of them are headers. None of them get a letter grade from a security scanner. But they all matter for trust, and trust is a ranking signal in the broad sense.

A note on third-party trust scores

Tools like Mozilla Observatory, Security Headers, and SSL Labs give you a letter grade. They are useful as a checklist, not as a ranking metric.

What I mean: a B grade on Security Headers does not mean Google ranks you lower. Google does not check that score. But the things that get you a B (missing CSP, no HSTS, weak referrer policy) might affect Core Web Vitals or trust signals in ways that do affect ranking.

So treat the score as a way to find what is missing, not as a number to optimize. Get to a reasonable grade and move on. The real work is the things that follow from getting that grade: faster pages, fewer third-party leaks, fewer trust warnings.

What to actually do this week

If you want a short version of where to start:

  1. Run your site through Security Headers and SSL Labs. Note what is red.
  2. Open DevTools on three or four key pages and check the Console for mixed content warnings.
  3. List your subdomains and confirm each one is HTTPS with a valid cert.
  4. Check that your certificate auto-renewal is actually running. Look at the last renewal date.
  5. Read your privacy policy. If it is generic boilerplate, rewrite at least the parts that describe your actual data handling.

That is enough to fix most of what could be hurting you for security reasons. None of it is glamorous. All of it matters.

Frequently asked questions

Is HTTPS still a ranking factor in 2026?

Yes. It has been since 2014, and the bar has only gotten higher. An HTTP site is treated as untrustworthy by browsers and effectively invisible for competitive queries.

Does adding a Content-Security-Policy boost my ranking?

Not directly. CSP is not a ranking factor. But a good CSP can improve LCP and CLS by blocking slow third-party scripts, and those are direct ranking factors. The effect is real, just indirect.

My SSL Labs grade is B. Is that hurting my SEO?

Probably not directly. Google does not read SSL Labs grades. But a B usually means something is missing, like HSTS or a modern cipher suite, and those gaps can affect Core Web Vitals or trust signals. Use the grade as a checklist, fix what is flagged, and move on.

What about expired certificates?

An expired cert breaks browsers immediately. Users see a full-page warning and bounce. Google notices the spike in bounce rate and the broken connection on its own crawl. Rankings drop until the cert is reissued. Use auto-renewal so this never happens.

Does Google care about my privacy policy for ranking?

It is part of E-E-A-T, which is part of how Google evaluates the site overall. A real privacy policy that matches what the site does is a trust signal. A copy-pasted generic one is not a positive signal, and on sensitive topics (health, finance) it can hurt.
