Does Google really require HTTPS to index your website?

Does Google really index HTTP sites without any issues?

The answer is yes. Martin Splitt confirms it: indexation works just as well on HTTP as on HTTPS. There is no technical barrier preventing Googlebot from crawling and indexing an unsecured page.

But be careful — indexing is not the same as ranking well. The HTTPS signal has been a ranking factor since 2014, albeit a light one, but it does exist. An HTTP site can therefore appear in the index without benefiting from all the advantages in terms of positioning.

Why does Google maintain this distinction between "recommended" and "mandatory"?

Because a significant portion of the global web still runs on HTTP. Blocking indexation outright would mean removing billions of pages at once. Google prefers to encourage gradually rather than apply a brutal rule.

The approach is pragmatic: keep access to the index open, but degrade user experience and trust signals to push migration. It's a form of algorithmic nudge.

• HTTPS is not a technical prerequisite for Googlebot to crawl and index your pages
• The secure protocol remains a ranking signal, even though it's weak compared to other criteria
• Chrome displays a "Not secure" warning on HTTP sites, which impacts bounce rate and user trust
• Some modern features (service workers, geolocation, push notifications) require HTTPS

What's the difference between indexation and overall SEO performance?

A site can be perfectly indexed on HTTP and yet underperform due to other indirect signals. Users see the "Not secure" alert in Chrome, bounce faster, which sends negative behavioral signals to Google.

Additionally, HTTPS sites benefit from advanced technical features and better compatibility with modern APIs. Failing to migrate means depriving yourself of an entire ecosystem of possible optimizations.

Is this statement consistent with what we observe in the field?

Absolutely. We regularly see HTTP sites ranked well on low-competitive keywords or in old niche sectors. Google has never deindexed them. However, once you move into competitive sectors — e-commerce, finance, healthcare — HTTPS becomes an implicit standard.

Martin Splitt's statement is therefore technically correct, but it obscures a reality: the absence of HTTPS can become a cumulative handicap when you aggregate all micro-signals.

In what cases can this rule be problematic?

Let's be honest: an HTTP site in today's context sends a signal of technical negligence. Browsers display it as "Not secure", users are wary, conversions drop.

And that's where it gets tricky. Even if Google indexes it, you lose on all other fronts: user trust, compatibility with modern APIs, behavioral signals. The fact that it's not "mandatory" doesn't mean it's optional in practice.

Should HTTPS really be considered a weak ranking factor?

The direct signal is indeed light — Google has confirmed this several times. But the indirect effects are massive. An HTTP site loses credibility, loses click-through rate (CTR) from SERPs if users see the URL in plain text, and loses engagement once on the page.

So yes, the raw algorithmic weight is light. But the real impact on overall performance is much greater than it appears. [To be verified]: no public data precisely quantifies this performance delta, but field observations all converge in the same direction.

What should you do concretely if your site is still on HTTP?

Migrate to HTTPS as soon as possible. Even if indexation isn't blocked, you're losing on too many fronts to stay on HTTP. The migration has become simple and accessible — Let's Encrypt offers free SSL certificates.

Plan the transition in several stages: obtain the certificate, configure permanent 301 redirects from HTTP to HTTPS, update internal URLs, modify sitemaps, and verify Search Console.

What mistakes should you avoid when migrating to HTTPS?

The most common one: forgetting 301 redirects. If you enable HTTPS without redirecting the old HTTP, you create duplicate content and fragment your ranking signals between two versions.

Another classic pitfall: mixed content. Your pages are on HTTPS, but some resources (images, scripts, CSS) are still being loaded over HTTP. Result: the security padlock doesn't display, and Chrome shows a warning.

• Obtain a valid SSL certificate (Let's Encrypt, commercial provider, etc.)
• Configure permanent 301 redirects from all HTTP URLs to HTTPS
• Update internal URLs (links, images, scripts) to use relative paths or HTTPS
• Modify the XML sitemap to point to HTTPS URLs
• Update the Search Console property to include the HTTPS version
• Check for mixed content absence with Chrome DevTools
• Enable HSTS (HTTP Strict Transport Security) to prevent downgrade attacks
• Monitor for 404 errors or redirect loops post-migration

How do you verify that the migration is properly taken into account?

Use Search Console to track the evolution of HTTPS version indexation. Verify that the number of indexed pages stabilizes and that old HTTP URLs gradually disappear from the index.

Also check your server logs to ensure Googlebot is crawling the HTTPS version as a priority. If you still see many HTTP requests, your redirects may not be properly configured.