Internal HTTP URLs
This means that the URL in question is loaded over an insecure HTTP connection.
Why is this important?
Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted.
HTTPS has long been the standard, and the move towards a more secure internet has been pushed in particular by Google's Chrome browser, encouraging website owners to move to HTTPS by showing 'Not secure' messages to browser users on HTTP pages. As such, the issue becomes about user trust and user experience, in addition to security.
If a website has not yet implemented HTTPS, then this should be one of your first recommendations. Whilst Chrome is not the only browser, it attracts roughly 50% market share, so it is extremely important to most websites, and it is pushing the agenda further through 2020 with a number of updates to block websites that serve insecure content.
What does the Hint check?
This Hint will trigger for any internal HTML URL which uses the HTTP protocol and returns a 200 status.
Examples that trigger this Hint
Consider a website audit with start URL https://example.com OR http://example.com
Then the URL: http://example.com/page-a would trigger the Hint, so long as this URL returned an HTTP status 200 (OK).
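The check described above, applied to a small crawl, as an added example (not the tool's own code). It assumes "internal" means the same hostname as the start URL and that "HTML" is judged by a `text/html` Content-Type; the record fields and crawl data are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed crawl results; the field names are hypothetical, not a tool format.
CRAWL = [
    {"url": "http://example.com/page-a", "status": 200, "content_type": "text/html"},
    {"url": "http://example.com/page-c?x=1", "status": 200, "content_type": "text/html; charset=utf-8"},
    {"url": "http://example.com/old", "status": 301, "content_type": "text/html"},
    {"url": "https://example.com/page-b", "status": 200, "content_type": "text/html"},
    {"url": "http://example.com/logo.png", "status": 200, "content_type": "image/png"},
    {"url": "http://cdn.example.net/page", "status": 200, "content_type": "text/html"},
]

def is_internal(url, start_url):
    # Assumption: "internal" means same hostname as the start URL, any scheme.
    host = urlsplit(url).hostname
    return host is not None and host == urlsplit(start_url).hostname

def triggers_hint(record, start_url):
    # Internal + HTML + plain HTTP + status 200. A 301/302 does not trigger:
    # that is the redirect the resolution section asks for.
    media_type = record.get("content_type", "").split(";")[0].strip().lower()
    return (
        urlsplit(record["url"]).scheme == "http"
        and is_internal(record["url"], start_url)
        and record["status"] == 200
        and media_type == "text/html"  # assumption: HTML is judged by Content-Type
    )

def https_equivalent(url):
    # Same host, path and query with the scheme swapped (assumes default ports).
    return urlunsplit(urlsplit(url)._replace(scheme="https"))

def audit(records, start_url):
    # Each flagged URL paired with the HTTPS URL that links should point at.
    return [(r["url"], https_equivalent(r["url"]))
            for r in records if triggers_hint(r, start_url)]

if __name__ == "__main__":
    for http_url, https_url in audit(CRAWL, "https://example.com"):
        print(f"{http_url} -> {https_url}")
```

The result is the same whether the start URL is given as https://example.com or http://example.com, matching the example above.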
How do you resolve this issue?
This Hint is marked 'Critical' as it represents a fundamentally breaking issue, which may have a serious adverse impact upon traffic, conversion or user experience.
If the website in question has not yet moved over to HTTPS at all, then an HTTP -> HTTPS migration is a matter of high priority.
If the website in question has already moved over to HTTPS, but still has some HTTP URLs that return a 200 status, this is also an important issue to fix.
The resolution has two stages:
- Set blanket redirect rules for HTTP -> HTTPS at a server level.
- Update all links that point at HTTP URLs to instead point at the HTTPS equivalent.