Does HTTPS actually matter for AI search? Our HTTP site isn't getting cited

Carlos, HTTPS is essentially a hard requirement for AI search visibility. Here’s why:

The trust hierarchy:

Why AI systems care:

AI systems don’t just rank pages - they synthesize information and present it as answers. They need to trust that:

1. The data wasn’t tampered with in transit
2. The source is who they claim to be
3. The site is actively maintained

HTTP sites fail on all three counts.

Your situation:

An HTTP site in 2025 signals:

• Outdated infrastructure
• Potential security risk
• Lack of maintenance
• Possible domain issues

AI systems see this and think: “Why would we cite an unmaintained source?”

Let me explain how AI systems evaluate HTTPS:

Pre-content evaluation:

Before an AI crawler even looks at your content, it checks:

Request site
    ↓
HTTPS check ← You fail here
    ↓
SSL certificate validation
    ↓
Content extraction
    ↓
Quality evaluation
    ↓
Potential citation

If you fail the HTTPS check, the process stops.

Platform-specific behavior:

The exception:

Major legacy domains with massive authority (Wikipedia, some government sites) may still get cited. But these have decades of trust built up.

For everyone else: HTTP = invisible to AI search.

Migration guide for HTTPS (for AI visibility):

Phase 1: SSL Certificate

Options:

• Let’s Encrypt - Free, 90-day validity, auto-renewal
• Commercial CA - Paid, longer validity, extended validation
• CDN-provided - Cloudflare, AWS, etc.

For AI visibility, any valid certificate works. AI systems don’t distinguish between certificate types.

Phase 2: Site-wide HTTPS

1. Update all internal links to HTTPS
2. Set up 301 redirects from HTTP
3. Update canonical tags
4. Fix mixed content issues

Phase 3: Advanced trust signals

# HSTS Header
Strict-Transport-Security: max-age=31536000; includeSubDomains

HSTS tells AI crawlers you’re committed to HTTPS security.

Phase 4: Verification

• Check SSL Labs score (aim for A+)
• Verify no mixed content warnings
• Confirm redirects work properly
• Monitor for certificate expiration

Pro tip: Set calendar reminders 30 days before certificate expiration. Expired certificates are worse than no HTTPS.

Our migration case study:

Before (HTTP):

• 2,500 indexed pages
• Google rankings: decent (avg position 4.2)
• AI citations: 0
• Traffic from AI referrals: 0

Migration process:

• Took 2 weeks (we’re a small team)
• Used Let’s Encrypt
• Cloudflare for CDN and additional SSL

After (HTTPS) - 90 days:

• Google rankings: slight improvement
• AI citations: 23 detected
• Traffic from AI referrals: 847 visitors

The numbers that matter:

The migration was more than worth it. AI-referred visitors actually convert better than organic search for us.

For YMYL (Your Money or Your Life) content, HTTPS is absolutely non-negotiable.

Why YMYL is stricter:

AI systems are extremely careful about health, finance, legal, and safety content. Wrong information can harm users.

Trust requirements for YMYL:

Our experience (health publisher):

Before HTTPS: Zero AI citations, despite excellent content After HTTPS: AI citations started within 6 weeks

For YMYL topics, HTTP isn’t just a disadvantage - it’s a complete disqualifier.

Common HTTPS mistakes that hurt AI visibility:

Mistake 1: Mixed content

• HTTPS page loads HTTP resources (images, scripts)
• AI crawlers see this as incomplete migration
• Fix: Audit all resources, update to HTTPS

Mistake 2: Broken certificate chains

• Intermediate certificates missing
• AI crawlers fail validation
• Fix: Include full certificate chain

Mistake 3: Inconsistent subdomains

• Main site HTTPS, blog still HTTP
• AI crawlers confused by mixed signals
• Fix: HTTPS across all subdomains

Mistake 4: Self-signed certificates

• Not issued by trusted CA
• AI systems may treat as suspicious
• Fix: Use recognized CA (Let’s Encrypt is fine)

Mistake 5: Certificate expiration

• Most common issue
• Immediate loss of AI trust
• Fix: Automated renewal, monitoring alerts

Test your setup:

• SSL Labs: ssllabs.com/ssltest
• Why No Padlock: whynopadlock.com
• CSP Evaluator for mixed content

E-commerce perspective on HTTPS and AI:

The double impact:

1. Customer trust - 84% won’t buy without padlock
2. AI visibility - Products won’t be recommended

We tracked product recommendations:

Before HTTPS migration:

• ChatGPT recommendations: 0
• Perplexity product mentions: 0
• Google Shopping AI features: Limited

After HTTPS (6 months):

• ChatGPT recommendations: 12 products cited
• Perplexity product mentions: 8
• Google Shopping AI: Full integration

Revenue impact:

AI-driven product discovery now accounts for 3.2% of our sales. For an HTTP site, that would be 0%.

The business case:

HTTPS migration cost: ~$2,000 (agency, cleanup) Annual AI-attributed revenue: ~$180,000

No-brainer ROI.

This thread provided exactly what I needed. Here’s my summary and action plan:

The evidence:

1. HTTPS is effectively required for AI visibility
2. 99%+ of AI citations come from HTTPS sites
3. HTTP sites are filtered out before content is even evaluated
4. YMYL content has even stricter requirements

Business case metrics:

Migration plan:

Week 1:

• Obtain SSL certificate
• Configure server for HTTPS
• Set up redirects

Week 2:

• Fix mixed content issues
• Update internal links
• Implement HSTS

Week 3-4:

• Test extensively
• Monitor for issues
• Submit to search consoles

Week 5+:

• Monitor AI crawler access
• Track for first citations
• Report results to management

Thanks everyone. The combination of technical guidance and real-world case studies made this actionable.

HTTPS is not optional in 2025. For anyone still on HTTP - migrate now or stay invisible to AI search.