HTTPS is one of the simplest security measures you can implement and is often the first step towards a more secure website. However, as we discovered when we analysed over 900 Swedish online stores, HTTPS is often ignored. To provide your site’s visitors a secure connection, follow our HTTPS guide and learn how to enable forced HTTPS and HSTS.
If you are proxying your traffic through an external provider such as Cloudflare, you can configure HTTPS there. This is most often the easiest and cheapest solution. However, the downside is that the traffic is not encrypted the whole way between the server and the visitor, making it possible for the provider to read it.
The traditional approach
The more traditional approach to HTTPS is to buy a certificate from a well-known provider. A guide using this method can be found here. The advantages here is mainly that this is the way it has always previously worked, so it is the most compatible way of doing it.
If you are using Let’s Encrypt, a certificate that can be installed is used, similar to the traditional approach described above. The main difference here is that the process is automated and therefore also free. In most cases, this option has very few downsides compared with the traditional approach, but it might not be compatible with older solutions. Read our guide for more information on configuring HTTPS with Let’s Encrypt.
What to choose?
The first option is to go with the External Provider solution when that is possible. This is by far the easiest solution as it does not require any configuration server side. A free alternative to the external provider option is Let’s Encrypt. Finally, if you cannot use Let’s Encrypt, you can use the traditional HTTPS configuration process.
A certificate can be used for a single domain or multiple domains, which works well if the site only needs to support
However, sometimes there is a need for a wildcard certificate. This makes it possible to generate a certificate valid for
and could, for example, be used on a blog platform that allows users to create their own blogs under a specific domain. If you are using solution where the certificate is paid for, the wildcard solution is much more expensive.
The above scenario, with multiple domains or subdomains served from the same server (the blog platform in the example), could also use SNI to host a separate certificate for each domain. The article about SNI on Wikipedia explains this well.
Implementing HTTPS is of no use if regular visitors are not using it. Even though the server supports HTTPS, users will often unknowingly try to access it over HTTP. This is partly due to how today’s web browsers work, but the user might also click on a link where HTTP is specified. The solution is called Forced HTTPS, where users are directly redirected to HTTPS if they try to access the site over HTTP. Such requests should be 301 redirect requests made server-side.
Even when using Forced HTTPS, there are situations where a user tries to connect over HTTP (which is followed by a redirect). A malicious attacker could take advantage of this and instead of this redirect keep the user on the unencrypted site.
To prevent this, there is a rule called HSTS. In short, it is a text record that is saved on the client’s computer upon visiting a website that contains a time limit. After a page has been loaded over HTTPS while also sending an HSTS header, it cannot be visited again unencrypted before that time limit is over. The time limit is specified in seconds, and is reset for every new request.
If you are just getting started with HTTPS, it is recommended to set the time limit very low, e. g. a day to ensure it is accessible even if something goes wrong with the configuration.
Mixed content is something that affects a lot of pages when they are new to HTTPS. You can read more about mixed content on our support pages. To limit the problems we would recommend to fully configure HTTPS first and then moving on and enabling HSTS or looking into Force HTTP.
As SSL can have an impact on SEO, implementing it can be part of your long-term SEO strategy, so it can be a good idea to coordinate the switch to HTTPS together with your marketing team.
HTTPS certificates do expire, and if they are not renewed, the domain is no longer accessible. Another tip is looking through your robots.txt file as that often contains things that really should not be there.
How Detectify can help
Detectify is a web security scanner that performs fully automated tests to identify security issues on your website. A Detectify scan tests your website for over 700 vulnerabilities, including missing HTTPS and mixed content. Sign up for a free trial and check your site’s security »
Author: Linus Särud, Security Researcher