Guides/HTTPS Migration SEO: A Pre- and Post-Migration Checklist
Guide

HTTPS Migration for SEO: The Crawl-Verified Checklist

HTTPS is a lightweight ranking signal, but a botched HTTP-to-HTTPS migration costs far more than it earns. Every HTTP URL needs one 301 hop to its exact HTTPS equivalent, no mixed content, HTTPS canonicals, and HSTS only after redirects prove out.

An HTTP-to-HTTPS migration has 5 failure points that decide whether it's invisible to rankings or costly: incomplete redirects, redirect chains, mixed content, stale HTTP canonicals, and HSTS deployed too early. HTTPS itself is a confirmed but lightweight ranking signal — Google announced it in 2014 and the handbook records it as affecting historically under 1% of queries. The signal is small; the downside of a broken migration is not. Getting the mechanics wrong can leave Google preferring the insecure URLs or dropping pages from the index entirely.

The good news is that every one of these failure points is a crawl-observable fact. A crawl before and after the switch tells you exactly which URLs still serve HTTP, which redirects chain, and which pages contradict themselves. This guide frames the migration as a checklist Crawlinx verifies.

Before you switch: prep

Three things must be true before you flip a single URL to HTTPS.

A full URL inventory. You cannot redirect what you have not listed. Pull every indexable URL from your sitemaps, server logs, and a fresh crawl, so you have a complete map of what needs a redirect target. Missing URLs are the most common cause of orphaned HTTP pages after launch.

A valid TLS certificate. The certificate must cover every hostname you serve — apex, www, and any subdomains — and be installed correctly with its full chain. A broken or mismatched certificate triggers a browser interstitial that stops most users before they see the page, and it can block Googlebot from fetching the HTTPS version at all.

A staging test. Verify the certificate, the redirect rules, and the rendered pages on staging before production. Confirm that staging is not itself crawlable or indexable — a leaked staging host creates duplicate-content problems of its own.

Redirect mapping: one 301, one hop

Every HTTP URL must redirect to its exact HTTPS equivalent with a single permanent redirect. The handbook is explicit: 301 (or its HTTP/2 equivalent 308) passes the strong permanent canonical signal to the target; 302/307 are temporary and do not consolidate the source's signals, which can leave the old HTTP URL competing in the index. Use 301/308, never 302, for a migration.

"Exact equivalent" is load-bearing. http://example.com/pricing redirects to https://example.com/pricing — same path, same host, same query. Do not funnel every HTTP URL to the HTTPS homepage; the handbook notes that redirecting all traffic to the homepage is usually reclassified as a soft 404.

The subtler trap is the redirect chain. A chain forms when the HTTP redirect and a host-normalization redirect fire in sequence — for example http://example.com/pricinghttps://example.com/pricinghttps://www.example.com/pricing. That is two hops where one would do. Collapse it: send the HTTP URL straight to the final canonical host in a single hop (http://example.com/pricinghttps://www.example.com/pricing). Google follows at most 10 redirect hops per crawl attempt, but well before that ceiling each extra hop dilutes the signal and wastes crawl budget. The mechanics of collapsing chains are covered in the redirect chains and loops guide. Crawlinx flags an HTTP URL that fails to redirect to HTTPS as security.no_https_redirect and multi-hop chains as redirect.chain.

Mixed content: no HTTP sub-resources on HTTPS pages

Mixed content is an HTTPS page that loads an image, script, or stylesheet over plain HTTP. Browsers block active mixed content like scripts outright and warn on passive resources, so a blocked script can strip functionality or content from the rendered DOM that Google indexes. It also undermines the secure context, defeating the point of the migration.

The fix is mechanical: rewrite every internal asset reference to absolute HTTPS. If you previously used protocol-relative URLs (//cdn.example.com/app.js), convert them to explicit https:// — protocol-relative URLs are a legacy pattern that no longer serves a purpose once the whole site is HTTPS. Audit templates, hardcoded links in content, and third-party embeds. Crawlinx flags an HTTPS page loading insecure HTTP resources as security.mixed_content. Mixed content is also covered in the security headers guide.

Canonical and hreflang drift

A migration is only half done if the pages still point at HTTP internally. Every rel="canonical" tag and every hreflang URL must be updated to the HTTPS version. A stale HTTP canonical on an HTTPS page is a contradictory signal: the page is served over HTTPS but tells Google the representative URL is the HTTP one. The handbook warns that HTTPS-to-HTTP canonicals can make Google prefer the insecure version — the opposite of what the migration is for.

Update canonicals to be self-referencing and absolute over HTTPS, and update the full hreflang cluster so every alternate points at an HTTPS URL. Because a canonical is a hint Google can override, a contradictory HTTP canonical competing against the HTTPS redirect muddies the signal. Crawlinx flags pages missing or needing a canonical after migration as canonical.missing.

HSTS: last, not first

Strict-Transport-Security (HSTS) tells the browser to refuse HTTP connections to your domain for the entire max-age window, closing the brief gap on a first bare-domain visit before your 301 fires. It is a hardening step, not a ranking factor.

Deploy it only after HTTPS is fully live and the redirects are proven working. Setting HSTS mid-migration locks users out of any HTTP page that is still reachable for the whole max-age period, with no way to back out until the header expires. The sequence is: redirects working, mixed content cleared, canonicals updated, then HSTS. The header details live in the security headers guide.

Keep the HTTP redirects live indefinitely

Do not remove the HTTP-to-HTTPS redirects after launch. Old links, bookmarks, and backlinks pointing at HTTP URLs will keep arriving for years, and Google recrawls old URLs long after a migration. If the redirects disappear, those requests fail and the link equity they carried is lost. Treat the redirect rules as permanent infrastructure.

How Crawlinx verifies an HTTPS migration

Crawlinx runs the migration as a checklist against live crawl data. It records the response for every URL and flags an HTTP URL that does not redirect to HTTPS (security.no_https_redirect) and any HTTP-to-HTTPS path that produces a multi-hop chain instead of a single 301 (redirect.chain). It inspects the rendered page for sub-resources loaded over HTTP and flags them as mixed content (security.mixed_content). It checks that each page carries a canonical, flagging missing or stale ones as canonical.missing so you can confirm every canonical resolves to an HTTPS URL. Run a crawl before the switch to build the inventory and one after to confirm the four checks pass together — that is the post-migration crawl. See where these sit in the full technical SEO audit checklist.

Takeaway

HTTPS is a small ranking signal, so migrate for correctness, not for a boost. Inventory every URL and install a valid certificate before you start; redirect each HTTP URL to its exact HTTPS equivalent with a single 301, never a 302 and never a chain; clear all mixed content; update every canonical and hreflang to HTTPS; add HSTS only after the redirects prove out; and keep the HTTP redirects live indefinitely. Verify all of it with a post-migration crawl before you call the move done.

Related
Security Headers and SEO: HTTPS, HSTS, CSP HTTP Status Codes for SEO: 2xx, 3xx, 4xx and 5xx Explained Redirect Chains and Loops: SEO Impact and How to Fix Them Technical SEO Audit Checklist security.mixed_content security.no_https_redirect redirect.chain canonical.missing

Audit your own site — free

77 checks, internal PageRank, render-diff. No signup, results in ~30s.

Scan your site →