Enforce HTTPS

You can enable the Enforce HTTPS setting to redirect incoming page requests that use HTTP to HTTPS. You can configure the setting per site or for all sites of an instance. When you enable Enforce HTTPS globally, you can't configure it at the site level. If you disable the global preference, the site-specific settings return to their previous values.

When you enable Enforce HTTPS as a global preference, HTTP requests to OCAPI's session bridge aren't accepted. Also, secure session cookies are used instead of a combination of session cookies and secure tokens to avoid incorrect (false positive) session hijacking detections. Enabling Enforce HTTPS on a per site basis does not result in these behaviors.

When Enforce HTTPS is enabled for a site (either at the global or site level), URL generation for that site always uses HTTPS. Hard-coded and absolute URLs are unaffected, so if you enable the setting for a site where the setting was previously disabled, make sure that you change hard-coded or absolute URLs in your HTML appropriately. You don't have to make changes related to the URLUtils method. URLUtils.http generates URLs with the HTTPS protocol.

Benefits of Enabling Enforce HTTPS

HTTPS prevents intruders from passively listening to communications between your website and your users. Other reasons to enforce HTTPS include:

Online Impact

After you enforce HTTPS, initially you could experience a drop in organic search traffic. According to Google, fluctuations in organic search traffic can occur with any significant site change. Your page rank, or link juice, however, isn't negatively affected by HTTP to HTTPS redirects. According to Google, during 301 or 302 redirects from HTTP to HTTPS, no page ranking is lost.

Search keywords in Google Analytics don't change with HTTPS. You can still see the search queries in the Google Search Console.

To view how many HTTPS pages were indexed by Google, you can verify HTTP and HTTPS separately in the Google Search Console. You can also use Index Status for a broad look or check the sitemaps indexed counts for sitemap URLs.

The timing of the change from HTTP to HTTPS within the Google index depends on the size of your site and the speed of crawling. Moving from HTTP to HTTPS URLs in Google's search index takes place on a per-URL basis. Google doesn't provide fixed-crawl frequency data.

robots.txt File

HTTPS sites use a robots.txt file, so when you enable Enforce HTTPS, confirm the following.