Migrating from HTTP to HTTPS: A Complete Step-by-Step Guide
Migrating from HTTP to HTTPS is one of the most impactful improvements you can make for security, SEO, and user trust. Google has used HTTPS as a ranking signal since 2014, and as of 2026, all major browsers mark non-HTTPS sites as "Not Secure." This guide walks you through the complete migration process — from obtaining your certificate to configuring HSTS and monitoring the transition.
Before You Start: Pre-Migration Checklist
Step 1: Obtain an SSL Certificate
Choose your certificate based on your needs:
| Option | Cost | Best For |
|---|---|---|
| Let's Encrypt (Certbot) | Free | Most sites — fully automated |
| Hosting provider SSL | Free–$10/yr | Shared hosting, easy setup |
| Cloudflare Universal SSL | Free | Sites behind Cloudflare |
| DigiCert / Sectigo DV | $50–$200/yr | Commercial sites needing OV/EV |
See our guide on automating SSL renewal for detailed Certbot setup instructions.
Step 2: Install and Configure HTTPS on Your Server
# Nginx — basic HTTPS server block
server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    # Modern SSL settings (TLS 1.2+)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    # HSTS (add after testing - see Step 5)
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    root /var/www/html;
    index index.html;
}
Step 3: Set Up 301 Redirects (HTTP → HTTPS)
A 301 redirect tells search engines that your content has moved permanently to HTTPS, which transfers your SEO link equity. Do not use 302 (temporary) redirects; they do not pass link equity.
# Nginx redirect (add as a separate server block)
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://yourdomain.com$request_uri;
}
# Apache (.htaccess)
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Also redirect www to non-www (or vice versa) to avoid duplicate content. Pick one canonical form and redirect the other.
Step 4: Fix Internal Links and Mixed Content
Update all internal links, image sources, script tags, and stylesheet links from http:// to https://. See our guide on fixing mixed content warnings for complete instructions.
Step 5: Implement HSTS
HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for your domain, even if the user types http://. This prevents SSL-stripping attacks and, once a browser has received the header over HTTPS, removes the plaintext HTTP request and redirect it would otherwise make at the start of each later visit.
⚠️ Start with a short max-age
Start with max-age=300 (5 minutes) and test thoroughly. Once confident, increase to max-age=31536000 (1 year). A misconfigured HSTS header can lock users out of your site if you revert to HTTP.
# Start with short max-age for testing
Strict-Transport-Security: max-age=300
# Production (after testing)
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
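A check for the redirect rules in Step 3 and the HSTS rollout in Step 5, as an added example (not code from the original guide): it audits a recorded redirect chain for non-301 hops, plaintext redirect targets, a non-canonical final host, and an HSTS policy that is still at the testing max-age or carries preload without includeSubDomains and a one-year max-age. The function names and both sample chains are constructed for illustration.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # production max-age from Step 5

def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def audit_chain(hops, canonical_host):
    """hops: (url, status, headers) tuples in the order followed; returns findings."""
    findings = []
    for url, status, _ in hops[:-1]:          # every hop but the last is a redirect
        if status != 301:
            findings.append(f"{url}: status {status}, expected 301")
    for url, _, _ in hops[1:]:                # every redirect target must be HTTPS
        if urlsplit(url).scheme != "https":
            findings.append(f"{url}: redirect target is not HTTPS")
    final_url, _, headers = hops[-1]
    if urlsplit(final_url).hostname != canonical_host:
        findings.append(f"{final_url}: not the canonical host {canonical_host}")
    hsts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the final response")
        return findings
    policy = parse_hsts(hsts)
    if policy["max_age"] is None:
        findings.append("HSTS header has no valid max-age")
    elif policy["max_age"] < ONE_YEAR:
        findings.append(f"HSTS max-age={policy['max_age']} is below one year (testing value?)")
    # Preload list submission requires includeSubDomains and max-age of at least one year.
    if policy["preload"] and not (policy["include_subdomains"] and (policy["max_age"] or 0) >= ONE_YEAR):
        findings.append("preload set without includeSubDomains and a one-year max-age")
    return findings

# Constructed sample chains (not captured from a real site).
GOOD = [("http://www.yourdomain.com/a", 301, {}),
        ("https://yourdomain.com/a", 200,
         {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"})]
BAD = [("http://yourdomain.com/a", 302, {}),
       ("https://www.yourdomain.com/a", 200, {"Strict-Transport-Security": "max-age=300; preload"})]
```

Build `hops` from whatever records your redirect chain, for example the headers printed by `curl -sIL http://yourdomain.com/`, and call `audit_chain(hops, "yourdomain.com")`; an empty list means none of these problems were found.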
Step 6: Update Google Search Console and Analytics
Google Search Console
Add your HTTPS site as a new property. Set it as the preferred domain. Submit your updated HTTPS sitemap.
Google Analytics
Update the default URL in property settings to https://. Update any cross-domain tracking configurations.
XML Sitemap
Update all URLs in your sitemap.xml to use https://. Resubmit to all search engines.
Canonical Tags
Update all <link rel="canonical"> tags to use https:// URLs.
Social Media
Update profile links, Open Graph tags, and any hardcoded HTTP URLs in social media profiles.
Post-Migration: What to Monitor