HTTPS Migration Checklist

David Ugale, Author
Written by David Ugale

If you’ve decided to migrate to HTTPS, you’ve probably already realized that it isn’t necessarily a straightforward process. For many, it can be a daunting task with a lot of small details that have the potential to cause problems down the road.

We’ve put together an HTTP to HTTPS migration checklist with a list of steps to help you through the process. We highly recommend that you set up a staging environment where you can complete and test each item before going live with the changes. If this isn’t possible, these updates would need to be carefully done directly on the live site.


Make a backup copy of your existing website, including all of the files and any databases that it uses. If at any point something goes wrong, you can always revert back to this version.


If you haven’t already set up a staging environment for your website, it is highly recommended that you do so. The staging environment should be an exact replica of your current production website where you can test all of your HTTPS migration tasks before moving to HTTPS and making them live.

The staging environment can either be on the same server or a different server from your live production website.

If setting up a staging environment isn’t possible, you’ll need to carefully make these updates on your live website.


  1. Install an SSL certificate for the staging domain name. Note: you can obtain a free SSL certificate from Let’s Encrypt, a nonprofit Certificate Authority.
  2. Redirect HTTP requests to HTTPS. If your staging environment uses Apache, you can update the .htaccess file to set up a rewrite rule that redirects all HTTP requests to HTTPS using a 301 status code.
  3. Update all absolute URLs to use HTTPS instead of HTTP. Relative URLs should work automatically once you switch to using HTTPS. Alternatively, you could update all absolute URLs so that they are relative URLs instead.
  4. Update canonical tags to use HTTPS instead of HTTP. If you use alternate or hreflang tags, make sure that those point to HTTPS as well.
  5. Update the robots.txt file, if necessary. Make sure that any changes that you make don’t block any pages.
  6. If you use a CDN (Content Delivery Network), change the CDN URLs to use HTTPS instead of HTTP. Confirm that the new CDN links are working correctly.
  7. Check JavaScript code for any calls to HTTP URLs and update them to HTTPS.
  8. Check CSS files for any calls to HTTP URLs and update them to HTTPS.
  9. Crawl the staging environment website to get a current snapshot of your website and to identify any issues that need to be fixed. You can use a tool like Screaming Frog SEO Spider to generate some useful reports.
  10. Fix any pages that have insecure (mixed) content so that all of the images and internal URLs are served over HTTPS. Screaming Frog can output a report that lists all of the pages that have insecure (mixed) content.
  11. Fix internal redirects to remove any redirect chains. If you have any pages that redirect to another page on your website, update those links to go to the final destination URL instead. These redirect chains are unnecessary and will slow down your website, potentially hurt your search engine rankings.
  12. Fix any broken links on the staging environment.
  13. Other things to check that might need to be changed to HTTPS:
    • Image, video, and audio files
    • Font files
    • Inline JavaScript and CSS that reference a URL
    • Download links
    • Payment gateways
    • External scripts
    • APIs
    • Open Graph
    • schemas
  14. Make sure that none of the pages that you want to have crawled are noindex.
  15. Re-crawl the staging environment website to find any remaining issues.
  16. Create a sitemap file. Using your existing sitemap file, create a new sitemap file that uses the new HTTPS URLs instead.


  1. Update Google Search Console. If you are using Google Search Console, add a new property for your HTTPS domain (example: Make sure to replicate the settings from your HTTP property, including the Geolocation and URLs Parameters settings.
  2. Update Bing Webmaster Tools. If you are using Bing Webmaster Tools, add a new site for your HTTPS domain (example:
  3. Begin monitoring the search engine traffic for your top pages. This will help you compare how your website is performing later. You should expect some ranking fluctuation after you make the switch to HTTPS.
  4. Compile a list of any 3rd party programs that need to be updated to HTTPS (i.e. newsletters, tracking scripts, ads, and PPC links).



  1. Make another backup copy of your live site, including all files and databases.
  2. Install an SSL certificate on the live site and confirm that it is working correctly.
  3. Update the live site. Publish the updates that you made on the staging environment to the live site to make it HTTPS.
  4. Double-Check the .htaccess File. If you use the Apache web server and have an .htaccess file, make sure that there are no HTTPS redirect rules that will cause issues with the website. Once you update the live site, this will allow the new URLs to work. Update the .htaccess file with any additional changes that you made on the staging environment.
  5. Check the live site. Verify that the live site version is working with the new HTTPS changes.
  6. Check the canonical tags. Verify that the canonical tags are correct.
  7. Check HTTP pages. Confirm that the HTTP version of your pages are redirecting to the new HTTPS version. You don’t want to have the HTTP version of your pages to be available as it may lead to duplicate content issues.
  8. Confirm that social sharing buttons are working correctly.
  9. Update the robots.txt File.
  10. Update any 3rd party programs (i.e. newsletters, tracking scripts, ads, and PPC links) to HTTPS.
  11. Update any auto-responder emails so that they use HTTPS URLs instead of HTTP.


  1. Crawl the live version of your website to identify any insecure (mixed) content or unwanted redirects.
  2. Update Google Analytics to use HTTPS instead of HTTP.
  3. Submit the new sitemap file. Upload and submit the new HTTPS sitemap for both the HTTP and HTTPS versions of your website to Google Search Console and Bing Webmaster Tools.
  4. Update any external links (i.e. social media like Facebook and Twitter) to your website so that they use the new HTTPS URLs.
  5. Update any email signatures that you use to use the new HTTPS URL.
  6. Continue to monitor search engine traffic for your top pages.
  7. Check for any errors in Google Search Console.
  8. Submit the Disavow Links file to Google Search Console for the new property, if necessary.
  9. Contact other website owners and affiliates that link to your website and notify them of your new HTTPS UR so that they can change it.
Originally published November 22nd, 2018, updated May 5th, 2022