In 2014, Google announced HTTPS as a ranking signal. In 2018, Chrome started displaying "Not Secure" for HTTP sites. In 2026, the question is no longer "should we switch to HTTPS?" but "is your HTTPS implementation up to current standards?"
Because the green padlock is no longer enough. A poorly configured SSL certificate, residual mixed content, or the absence of modern security headers sends a negative signal to Google, to browsers, and now to LLMs that evaluate the reliability of your pages before citing them.
HTTPS in 2026: more than just a padlock

HTTPS encrypts the connection between the user's browser and your server. That is the foundation. But in 2026, web security encompasses a much broader ecosystem of signals and protections.
The SSL/TLS certificate is the minimum. Layered on top of it are HTTP security headers (Content-Security-Policy, X-Frame-Options, Strict-Transport-Security), protection against common attacks (XSS, clickjacking, injection), and compliance with European data protection standards (GDPR, ePrivacy).
According to a Cloudflare analysis (March 2025), European sites that implement a complete suite of security headers have a bounce rate 12% lower than those with only basic HTTPS. The reason: modern browsers use these headers to assess site reliability and adjust the security warnings displayed to the user.
The measurable SEO impact of HTTPS
Let us be honest: in 2026, the direct impact of HTTPS on rankings is marginal for sites that already have it. Google has confirmed it is a "tiebreaker" — with equal content, the HTTPS site will be favoured. But it will not transform a mediocre page into a first-page result.
The real impact is indirect and more significant:
| Signal | SEO impact | AI visibility impact |
|---|---|---|
| Basic HTTPS (valid certificate) | Prerequisite, no additional advantage | Basic trust signal |
| HSTS (HTTP Strict Transport Security) | Improves speed (avoids HTTP to HTTPS redirects) | Reinforces perceived reliability |
| Content Security Policy | Protects against injected malicious content | Advanced signal of a well-maintained site |
| Absence of mixed content | Avoids browser warnings | LLM crawlers refuse mixed content pages |
| EV certificate (Extended Validation) | No measured SEO impact | No measured impact |
Advanced security signals
HSTS (HTTP Strict Transport Security)
HSTS tells browsers to always use HTTPS, even if the user types "http://" in the address bar. Without HSTS, every first visit goes through a 301 redirect from HTTP to HTTPS, adding latency and an unnecessary request. With HSTS, a browser that has already received the header over HTTPS (or that finds the domain in the preload list) goes directly to HTTPS.
For high-performance websites, HSTS is a quick win: zero cost, zero risk (once you are certain that HTTPS works everywhere), and a measurable performance gain.
Content Security Policy (CSP)
CSP defines which sources of scripts, styles and other resources the browser is allowed to load and execute on your page. It is the best protection against XSS (Cross-Site Scripting) attacks. A well-configured CSP prevents injected malicious scripts from executing, even if an attacker finds a vulnerability in your code.
Permissions Policy
Formerly Feature Policy, this header controls which browser APIs your site can use (camera, microphone, geolocation). Disabling unnecessary APIs reduces the attack surface and sends a signal of technical rigour.
HTTPS and LLM trust
Here is an angle that very few articles cover: LLMs use site security as a trust signal. Perplexity's crawlers, OpenAI's robots (GPTBot), and Google's RAG systems treat HTTP and HTTPS sites differently.
Concretely, a plain HTTP site is less likely to be included in sources cited by LLMs. Not because LLMs "understand" security, but because the data collection pipelines filter out unsecured sources as potentially unreliable.
According to Bartosz Goralewicz, CEO of Onely (Poland) and technical SEO expert: "Site security has become a quality signal just like speed. Automated systems — whether search engines or LLMs — use proxies to assess reliability. A valid SSL certificate, security headers, and the absence of mixed content are accessible and reliable proxies."
Implementation checklist
Fundamentals (mandatory)
- Valid SSL/TLS certificate (Let's Encrypt is sufficient)
- 301 redirect from HTTP to HTTPS on all pages
- No mixed content (all resources in HTTPS)
- XML sitemap with HTTPS URLs
- Canonical in HTTPS
- Internal links in HTTPS
Intermediate (recommended)
- HSTS enabled with max-age of at least 1 year (31536000 seconds)
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY or SAMEORIGIN
- Referrer-Policy configured
Advanced (best practice)
- Complete Content Security Policy
- Restrictive Permissions Policy
- Inclusion in the HSTS Preload List
- OCSP Stapling enabled
- TLS 1.3 (disable TLS 1.0 and 1.1)
HTTPS errors that kill your SEO
Residual mixed content. Your page is in HTTPS but loads images, scripts or CSS in HTTP. Browsers display a warning, some resources are blocked, and your Core Web Vitals degrade. Solution: audit all resources with a Screaming Frog crawl and fix each HTTP URL.
Redirect chains. HTTP to HTTPS to www to final page. Each redirect adds latency and potentially dilutes SEO signals. Best practice: a single 301 redirect, directly to the final canonical HTTPS URL.
Expired certificate. An expired SSL certificate completely blocks site access and can deindex your pages within days. Automate renewal with Let's Encrypt or a CDN service like Cloudflare.
Poorly configured canonicals. After migrating to HTTPS, canonical URLs still point to HTTP. Google receives contradictory signals and may index the wrong version. Check every canonical after migration.
For an overview of all technical aspects, see our guide on technical SEO in 2026, and if you are planning to migrate to HTTPS, our migration checklist covers all checkpoints.
FAQ
Is a free SSL certificate (Let's Encrypt) sufficient for SEO?
Yes, absolutely. Google makes no distinction between a free Let's Encrypt certificate and a paid one. The encryption level is identical. Paid certificates (OV, EV) offer additional legal guarantees but have no measured impact on SEO or AI visibility.
Will switching to HTTPS temporarily impact my traffic?
Yes, temporarily. Google considers the HTTP to HTTPS switch as a site migration. Expect volatility of 2 to 4 weeks, with a return to normal if redirects are correctly implemented. Consult our migration checklist to minimise the impact.
How do I detect mixed content on my site?
Three methods: (1) the browser console (F12) displays mixed content warnings, (2) a Screaming Frog crawl filters non-HTTPS resources, (3) the Content-Security-Policy-Report-Only header allows you to receive automated reports of mixed content without blocking resources.
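A fourth option is to scan the HTML yourself. The sketch below is an added example, not part of the original article: it covers the residual mixed content and leftover HTTP canonical errors described earlier, using a constructed sample page and hypothetical names (`MixedContentScanner`, `find_insecure_references`). It checks only stylesheet and canonical `<link>` elements and ignores `<a href>`, which is navigation rather than a subresource.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource. <a href> is navigation,
# not a subresource, so an http:// link there is not mixed content.
SUBRESOURCE_ATTRS = {
    "script": ("src",), "img": ("src", "srcset"), "iframe": ("src",),
    "link": ("href",), "audio": ("src",), "video": ("src", "poster"),
    "source": ("src", "srcset"), "object": ("data",), "embed": ("src",),
}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        kind = "mixed-content"
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "canonical" in rel:
                kind = "http-canonical"  # not mixed content, but a migration leftover
            elif "stylesheet" not in rel:
                return  # simplification: other <link> types are not checked
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name) or ""
            # srcset holds comma-separated "url descriptor" candidates
            candidates = value.split(",") if name == "srcset" else [value]
            for cand in candidates:
                parts = cand.split()
                if parts and parts[0].lower().startswith("http://"):
                    self.findings.append((kind, tag, name, parts[0]))

def find_insecure_references(html):
    """Return http:// subresources and canonicals found in an HTTPS page."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page, assumed to be served over HTTPS.
SAMPLE = """
<link rel="canonical" href="http://shop.example/product">
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="https://cdn.example/app.js"></script>
<script src="http://cdn.example/legacy.js"></script>
<img src="/logo.png" srcset="http://img.example/a.png 1x, https://img.example/b.png 2x">
<a href="http://partner.example/">partner</a>
"""
```

Running `find_insecure_references(SAMPLE)` reports the HTTP canonical, the stylesheet, the legacy script and the first `srcset` candidate, and skips the HTTPS script and the outbound link.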
TLS 1.2 or TLS 1.3: which version to use?
TLS 1.3 is recommended. It is faster (1-round-trip handshake instead of 2) and more secure. Almost all modern browsers support it. Disable TLS 1.0 and 1.1, maintain TLS 1.2 as a fallback, and prioritise TLS 1.3 for optimal performance.
Does HTTPS impact loading speed?
The TLS handshake adds a slight latency (10-30ms with TLS 1.3). But this impact is negligible and more than offset by the benefits: HTTPS is a prerequisite for HTTP/2 and HTTP/3, which significantly accelerate loading. An HTTPS site with HTTP/3 will be faster than an HTTP site with HTTP/1.1.
Is HTTPS mandatory under GDPR?
The GDPR does not explicitly mention HTTPS, but it requires the implementation of "appropriate technical measures" to protect personal data (Article 32). In practice, every European data protection authority considers HTTPS a mandatory minimum technical measure whenever personal data is transmitted.

