HTTP to HTTPS Migration: Step-by-Step Guide
HTTPS migration does more than secure your site: it protects your SEO rankings, removes the browser's "Not secure" warning and builds visitor trust. This guide pulls the whole process together end to end, from getting a certificate to final verification, and finishes with a ready-to-use checklist. Since the deeper details live in our other articles, here we focus on the overall flow.
1. Get and install an SSL certificate
Everything starts with the certificate. You can grab our free 90-day Let's Encrypt DV certificate in minutes, no account required. Our free SSL wizard hands you a single ZIP containing the CRT, KEY, CA Bundle, fullchain and PFX files.
Upload the right files for your panel (cPanel, Plesk, IIS): usually the certificate (CRT), the private key (KEY) and the chain (CA Bundle). On IIS, the single PFX file carries everything.
2. Switch all internal links and assets to https
Update internal links plus image, CSS and JavaScript paths to https://. The most robust approach is absolute https paths, not protocol-relative ones. On a CMS like WordPress, set the site address to https in the dashboard and do a bulk find-and-replace of leftover http:// references in the database.
3. 301 redirect from HTTP to HTTPS
Permanently move all http traffic to the https version. A 301 permanent redirect sends both visitors and search engines to the new address and preserves the ranking value of your old URLs.
For Apache (.htaccess):
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]For Nginx:
server {
listen 80;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
}4. Clean up mixed content
If a page loads over https but one of its resources is still called over http, the browser shows a mixed content warning and the padlock breaks. Scan the warnings in your browser's developer console and switch every remaining http:// resource to https. With mixed content https is mandatory; resources that fail to load (especially scripts) are blocked by the browser.
5. Add HSTS last
The HSTS (HTTP Strict Transport Security) header tells the browser to always open your site over https. Because it is such a strong protection, it should be the final step: add it only after redirects and mixed content work flawlessly.
Strict-Transport-Security: max-age=31536000; includeSubDomainsTest first with a short max-age, then raise it once everything checks out.
6. HTTPS property and sitemap in Search Console
In Google Search Console the https:// version counts as a separate property. Add and verify the new https property, then resubmit your sitemap (now containing https URLs). Keep monitoring the old http property too, so you can confirm the 301s are being processed.
7. Canonical, analytics and ad tags
Update your rel="canonical" tags to the https version. Set the site address in Google Analytics, Tag Manager, ad networks and social pixels to https as well, so measurement and conversion tracking don't break.
8. Verification
Check your certificate chain with an SSL test tool, confirm the padlock in the browser, and visit a few old http URLs to confirm the 301s land on https.
Migration checklist
- Certificate: SSL certificate obtained and installed on the server.
- Internal links: all link and asset paths set to
https. - 301: HTTP→HTTPS permanent redirect active (including www).
- Mixed content: no console warnings left, padlock intact.
- HSTS: header added last, while everything works cleanly.
- Search Console: https property added, sitemap resubmitted.
- Canonical & tags: canonical, analytics, ad and pixel addresses on https.
- Verification: SSL test passed, 301s and padlock verified.
Summary
HTTPS migration is a planned move in which the certificate, redirect, mixed content and HSTS steps are done in the right order. The first and most important step is the certificate. Grab your 90-day certificate from our free SSL wizard and work the checklist top to bottom. An email reminder will also warn you before it expires.