HTTPS is a Google ranking factor. Discover how to secure your site and protect your visitors with web security best practices.
Google has used HTTPS as a ranking signal since 2014. It is a lightweight signal, but since 2018 Chrome also labels every plain-HTTP page "Not Secure" in the address bar, and that warning drives visitors away.
Beyond HTTPS, security headers protect your visitors against browser-side attacks (XSS, clickjacking, MIME sniffing, referrer leaks) and strengthen the trust of users and search engines.
A TLS certificate (still commonly called an SSL certificate) lets the browser verify that it is talking to your server and negotiate an encrypted session. The encryption itself is done by TLS; the certificate is what makes HTTPS possible and what the browser's secure-connection indicator (historically the padlock) reflects.
HSTS tells the browser to use HTTPS for your domain on every later visit without first making a plain-HTTP request. That closes the window in which a man-in-the-middle could intercept the initial HTTP request or your HTTP-to-HTTPS redirect and keep the victim on plaintext (SSL stripping). Test with a short max-age first: includeSubDomains and preload lock every subdomain to HTTPS, and a domain submitted to the browser preload list cannot be removed quickly.
Recommended configuration:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
CSP tells the browser which origins may supply scripts, styles, frames and other resources. Together with output encoding it is the strongest browser-side defense against XSS (Cross-Site Scripting), because injected script that is not on the allowlist does not run.
Basic example (note that 'unsafe-inline' in script-src lets any injected inline script run, so this policy does not yet stop XSS; replace it with per-request nonces or script hashes):
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Prevents your site from being embedded in an iframe on another domain, protecting against clickjacking attacks. In modern browsers the CSP directive frame-ancestors takes precedence over this header; keep X-Frame-Options as well for older browsers.
Recommended configuration:
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Prevents the browser from MIME-sniffing a response and treating it as a different type than the one declared (for example executing an uploaded file as script or a stylesheet).
X-XSS-Protection: 0
Legacy header. Chrome and Edge removed the built-in XSS filter it controlled and Firefox never implemented it, and the filter itself could be abused to leak page contents. Set it to 0 or omit it, and rely on CSP instead.
Referrer-Policy: strict-origin-when-cross-origin
Sends the full URL only for same-origin requests, just the origin for cross-origin requests, and nothing when going from HTTPS to HTTP, so paths and query strings do not leak to third parties.
Permissions-Policy: geolocation=(), microphone=()
Disables the listed browser APIs for every origin, including your own pages and any embedded frames; list each feature your site does not use.
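A practitioner will want to check a real response against the recommendations above rather than read them one by one. The following audit is an added example, not the page's own tool: the finding levels, the score weights and the two sample header sets are my own constructions, chosen to match the recommendations on this page.

```javascript
// Added example: audit a captured set of response headers against the
// recommendations above and turn the findings into a score.
const ONE_YEAR = 31536000;
const WEIGHT = { high: 25, medium: 10, low: 5, info: 0 }; // my own weights

// "default-src 'self'; script-src 'self' 'nonce-x'" -> Map(directive -> [sources])
function parseCsp(value) {
  const out = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) out.set(name.toLowerCase(), sources);
  }
  return out;
}

function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v); // names are case-insensitive
  const findings = [];
  const add = (header, level, msg) => findings.push({ header, level, msg });

  const hsts = h['strict-transport-security'];
  if (!hsts) add('Strict-Transport-Security', 'high', 'missing; the first visit can be stripped to HTTP');
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < ONE_YEAR) add('Strict-Transport-Security', 'medium', `max-age=${maxAge} is below one year`);
    if (!/includesubdomains/i.test(hsts)) add('Strict-Transport-Security', 'low', 'includeSubDomains not set');
  }

  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : null;
  if (!csp) add('Content-Security-Policy', 'high', 'missing; no browser-side XSS mitigation');
  else {
    const scriptSrc = csp.get('script-src') || csp.get('default-src') || [];
    const nonceOrHash = scriptSrc.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
    if (scriptSrc.includes("'unsafe-inline'") && !nonceOrHash)
      add('Content-Security-Policy', 'high', "script-src allows 'unsafe-inline' without a nonce or hash; injected inline script runs");
    if (scriptSrc.includes("'unsafe-eval'")) add('Content-Security-Policy', 'medium', "script-src allows 'unsafe-eval'");
    if (!csp.has('default-src')) add('Content-Security-Policy', 'medium', 'no default-src fallback');
  }

  // Clickjacking: either CSP frame-ancestors or X-Frame-Options must be present.
  if (!(csp && csp.has('frame-ancestors')) && !h['x-frame-options'])
    add('X-Frame-Options', 'medium', 'page can be framed by any origin (clickjacking)');

  if ((h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff')
    add('X-Content-Type-Options', 'medium', 'not set to nosniff');
  if (h['x-xss-protection'] && !/^0/.test(h['x-xss-protection'].trim()))
    add('X-XSS-Protection', 'info', 'legacy filter removed from modern browsers; set 0 or drop it and rely on CSP');
  if (!h['referrer-policy']) add('Referrer-Policy', 'low', 'missing; full URLs leak in cross-origin requests');
  if (!h['permissions-policy']) add('Permissions-Policy', 'low', 'missing; unused browser APIs stay available to embedded content');
  return findings;
}

function score(findings) {
  return Math.max(0, 100 - findings.reduce((s, f) => s + WEIGHT[f.level], 0));
}

// Constructed sample responses (not captured from any real site).
const WEAK = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'X-XSS-Protection': '1; mode=block',
  'X-Frame-Options': 'SAMEORIGIN',
};
const HARDENED = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-d2Vha2x5'; object-src 'none'; frame-ancestors 'self'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
};

for (const [name, hdrs] of [['weak', WEAK], ['hardened', HARDENED]]) {
  const findings = auditHeaders(hdrs);
  console.log(`${name}: score ${score(findings)}`);
  for (const f of findings) console.log(`  [${f.level}] ${f.header}: ${f.msg}`);
}
```

Feed it the headers from `curl -sI https://example.com` (parsed into an object) to audit a live site; the weak sample scores 30 because it misses HSTS and relies on 'unsafe-inline', while the hardened sample produces no findings.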
Our tool automatically analyzes your site's security and gives you a detailed score with recommendations to improve your protection.