Even absolute URLs will not prevent this from happening on a domain that supports HTTPS but also has HTTP pages on it. All it takes is for another site to link to an HTTP only page with HTTPS, and if the server returns a 200 then that page can get indexed with HTTPS. This is another form of URL canonicalization and as such, should be solved using 301 redirects.
You should know exactly which pages on your domain should be accessed via HTTPS. If you thought ahead, you would have all of those HTTPS pages isolated to one or more folders. This will make your job easier. But if not then it is still doable.
If someone requests a URL with HTTPS that should be accessed with HTTP only, your server should 301 redirect the request to the HTTP version of the URL.
Similarly, if someone requests a URL with HTTP that should be accessed only with HTTPS, your server should 301 redirect the request to the HTTPS version of the URL. |
