Back in 2014, Google started to consider making the use of a secure connection (HTTPS) a parameter in their search algorithm. It began with just a 1% weight over all the other factors, but they pushed it further and further; and now, in 2018, every professional website must be served through a secure connection to avoid ranking penalties.
There are several good reasons to switch to HTTPS and not only for a big website with a lot of sensitive data. Think for example about the WordPress login page; If you aren’t on HTTPS, your username and password are sent in clear text over the internet. You don't need to be a professional hacker to sniff and capture WordPress login data; if you are on an insecure connection, there are a lot of tools around that can easily do the job. Moreover, running on HTTP prevents the use of some nice APIs like geolocalization or push notifications.
Switching to HTTPS brings many advantages but it has also caused more than just a headache in the world of SEO. Technically speaking, the switch involves routing your site through a series of 301 redirects; this causes a certain loss of link equity which may lead to a ranking penalty.
The major problem that the HTTPS switch brings on is the loss of referral data. When one site sends data to another, the HTTP header field referer lets us know the URL of the page that linked to the page the user is on, and this data allows us to see where the traffic is coming from. But when traffic flows from an HTTPS site to an HTTP site, no referral data is sent and the traffic is reported as direct: this helps fighting referral spam but can also be a major problem for accurate SEO.
The referral problem is not an unsolvable one; a new meta tag called "referrer" helps us understand how the traffic flows on the web once again. The tag must be placed in the HEAD section (like all meta tags) and allows you to control how your referrer information is passed. As it often happens for recent specifications, an early version was implemented by major browser vendors and now there are two different supported syntaxes. The possible values are:
<meta name="referrer" content="no-referrer">
<meta name="referrer" content="none">
Never pass any referral data from your site.
<meta name="referrer" content="no-referrer-when-downgrade">
<meta name="referrer" content="none-when-downgrade">
Send referrer information to secure HTTPS sites, but not to HTTP sites.
<meta name="referrer" content="same-origin">
Using this tag will allow URL requests within your website's domain, but it denies cross-domain requests.
<meta name="referrer" content="strict-origin">
Will only send referral information from an HTTPS site to another HTTPS site. The referral data sent will include only your site’s domain or subdomain. Referrals to a non-HTTPS site will send no referral data.
<meta name="referrer" content="origin-when-crossorigin">
This tag will send the full URL of your referring page when linking within your site, but will only send the domain or subdomain when linking to external sites.
<meta name="referrer" content="strict-origin-when-crossorigin">
Using this tag will only send referral information from an HTTPS site to another HTTPS site. This tag will send the full URL of your referring page when linking within your site, but will only send the domain or subdomain when linking to external sites. Referrals to a non-HTTPS site will send no referral data.
<meta name="referrer" content="unsafe-url">
Always passes the URL string as a referrer. Note if you have any sensitive information contained in your URL, this isn't the safest option. By default, URL fragments, username, and password are automatically stripped off.
<meta name="referrer" content="">
If the referrer tag is left empty for a specific page or link, links will use a referrer policy defined elsewhere. If there is no policy defined, links will default to "no-referrer-when-downgrade".
The options above look really cool but before fancying all the possible uses for them, we need to talk about compatibility. Good old Internet Explorer is totally cut off: support comes with Edge only and, as for nearly all other major browsers, it is still limited to the old specification. The full property list is supported only by the most recent versions of Chrome, Firefox and Opera.
Once you decide to make the switch and you have everything working as needed, don't think that your troubles are over; there are still a lot of items to be checked. Absolute paths require the https:// prefix (even in external CSS files), IE 8 is very picky and will trigger intimidating pop-ups even for the slightest error. You need to check your old robots.txt, and your ads must be SSL compliant as well. Venturing into the world of HTTPS without proper knowledge can be dangerous; instead of boosting your traffic you may harm it, but switching to a secure connection is a step that must be undertaken now. Malicious attacks have seen an alarming increase in frequency and even small websites, if unsecured, can be an attractive and easy target, however - with just a few changes, your site and your data can be much safer and far less of a target.