Moving Drupal website to HTTPS – securing your site for visitors while improving SEO

Technical:

• Buy and install a SSL certificate
• Backup database and files
• Try to change all absolute references to relative, or change all hard-coded “http://www.yoursite.com…”  into “https://www.yoursite.com…”
  (tip – if you wish to leave both “http” and “https” options but use absolute links just drop the protocol and link with “//www.yoursite.com”. This will adjust the protocol to the one used.)
  The best combination for doing this change is by using an editor to search and replace all the site’s files (mainly the theme’s files) and using a Search and Replace Scanner module for doing the same in the database. This module will not find all references but this is a good start. Check blocks and menu content for additional changes.
  * Pay attention not to replace just “http://” with “https://” since this will affect your outgoing links as well
  * If you’re migrating only part of your website use the entire path in the replace string
• Update base_url in settings.php (\sites\default) to “https” (this is not always there, Drupal 7 doesn’t have this setting).
• If installed, disable or update the settings for the “Secure Pages” module.
• Browse your site and check for warnings about insecure content. Fix references accordingly. There are online tools (Missing Padlock, HTTPS Checker, Why No Padlock?) that crawl your site for such warnings.
• If needed, configure a server referrer policy.
• Consider declaring a Content Security Policy

SEO:

• Set up a 301 permanent redirect to inform Google of the URL change by adding the code below at the top of Drupal’s .htaccess file:
  
  Apache

  # force https RewriteEngine on RewriteCond %{HTTPS} off [OR] RewriteCond %{HTTP_HOST} !^www\. [NC] RewriteRule (.*) https://www.yoursite.com%{REQUEST_URI} [R=301,L]

  1 2 3 4 5

  # force https RewriteEngine on RewriteCond %{HTTPS} off [OR] RewriteCond %{HTTP_HOST} !^www\. [NC] RewriteRule (.*) https://www.yoursite.com%{REQUEST_URI} [R=301,L]

  
  *Change www.yoursite.com above to your Drupal URL.
• Change the view settings in Google analytics from “http://” to “https://”.
• Add an annotation in Google analytics indicating the move to “https”. This will help you to compare traffic before and after.
• Ensure your HTTPS site version is added in Google Search Console and Bing
  Webmaster Tools. In Google Search Console, add both the www and non-www
  versions. Set your preferred domain under the HTTPS versions.
• Ensure canonical tags point to the HTTPS URL.
• Ensure your XML Sitemap includes the HTTPS URL.
• Main external links to your site (from social network etc.) should point to HTTPS.