Google has made another show of support for HTTPS.

Google’s Zineb Ait Bahajji announced that Google would start crawling HTTPS pages over HTTP versions. They would do so even “when the former are not linked to from any page.” So even if you don’t have HTTPS versions of all the pages of your site, Google is going to look for them first anyway.

When Will Google Choose to Index the HTTPS URL?

Like everything else it thinks is important, Google has set rules in place to govern when it indexes the HTTPS version of a site. Here’s the full list of rules where Google will choose the HTTPS page over the HTTP page:

  • It doesn’t contain insecure dependencies.

  • It isn’t blocked from crawling by robots.txt.

  • It doesn’t redirect users to or through an insecure HTTP page.

  • It doesn’t have a rel=”canonical” link to the HTTP page.

  • It doesn’t contain a noindex robots meta tag.

  • It doesn’t have on-host outlinks to HTTP URLs.

  • The sitemaps lists the HTTPS URL, or doesn’t list the HTTP version of the URL

  • The server has a valid TLS certificate.

(Source: Google Webmaster Blog)

If your HTTPS pages meet these requirements, Google will choose to index them over HTTP versions. But some of them may be pretty tough to meet.

Take the first rule, the one with “insecure dependencies.” That means everything on your site—images, videos, embedded content—must be secure. If they aren’t, no high-priority index for you.

The solution: Redirect your HTTP site to your HTTPS version. You can also add an HSTS header on your server, which lets your server ensure HTTPS-only browser interactions.

A green padlock with the term

How the People Have Responded

Website owners, webmasters, and SEO experts have mostly expressed support over the news that Google would index HTTPS pages. And it makes sense. From a user experience perspective, the enhanced security of HTTPS is an obvious draw for Google. They want users to be safe while they surf, and Google is willing to do whatever it takes to provide users with that peace of mind. Even if it means making the requirements a little tough. Considering Google will be supporting HTTP/2 soon, this gives webmasters even more incentive to go with HTTPS.

Some commenters expressed dismay that their Blogger pages (which are owned by Google) didn’t support custom HTTPS domains yet. One astute user even commented that the blog itself redirected to an HTTP version, not HTTPS. Google’s John Mueller was quick to respond, stating that the Blogger team was “working on that.” Since the post, it looks like the blog now redirects to the HTTPS version correctly.

What do you think? Is Google right to move so strongly in the direction of HTTPS? Or do you have questions on what this means for your website?