
To encrypt sensitive data sent to and from their websites, many web developers switched over to the now commonly used HTTPS in 2014. If you are one of the many developers who is also thinking about switching, this post describes some useful tips based on our own experience.

How Do I Switch?
When you decide to switch your website address, there are a few things that you need to take into account to ensure your website fully works, such as:

  • Change all your internal links. This also includes updating links to assets. Make sure to go through your theme and alter references to CSS, images and JavaScript files. You can also change all your links to start with // instead of https:// which will result in protocol-relative URLs.
  • Make sure that your CDN supports SSL as well. By using MaxCDN, you can easily set up SSL on your CDN subdomain.
  • You can find various levels of SSL that you can choose from, each with their own pros and cons. You will find more information about that later on.
  • Ensure you have a canonical link present in the <head> section of your website so that all traffic coming in from http:// is properly directed to https://.

Google has also published a handy guide on how to move to HTTPS without massively impacting your ranking, which can be found here. Moving from HTTP to HTTPS will slightly influence your ranking at first, but your rankings will actually improve over time.

Setting Up HTTPS & SSL on your Server
If you would like to run and manage your own web server, you have to enable a few things in your server configuration before being able to use SSL certificates. In the tutorial below, you can discover what steps to take to get a certificate running on your server.


  • OCSP Stapling

When a browser checks the validity of an SSL certificate by querying the certificate authority's OCSP responder, that extra lookup slows down the page load. OCSP stapling avoids this: it is a feature that lets the server periodically fetch a copy of the CA's signed OCSP response itself and send ("staple") it to the browser together with the certificate. This means that once a browser connects to the server, it checks the validity of the certificate based on the copy supplied by the server instead of having to query the certificate authority itself, resulting in a significant performance improvement.

  • Apache

Please check that you're running version 2.3.3+ of Apache by running the command apache2 -v (or httpd -v) on your server. Lower versions of Apache do not support this feature.

If you have set up HTTPS on your server, you should already have come across a VirtualHost configuration specifically made for use with HTTPS/SSL.

In that file, take the following steps:

  1. Inside the <VirtualHost> section, add SSLUseStapling on.
  2. Just above the <VirtualHost> section, add SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
  3. Check that the configuration is still valid by running apachectl -t. If so, reload Apache by running service apache2 reload.

  • Nginx

Nginx also supports OCSP stapling. Check that you're running version 1.3.7+ of Nginx by running the command nginx -v on your server before editing the server configuration. Lower versions of Nginx do not support this feature.

If you have set up HTTPS on your server, you should already have come across an Nginx configuration specifically made for use with HTTPS/SSL.

In that file, add the following lines in the server {} section:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;

The last line points to a file containing a list of trusted CA certificates; Nginx uses it to verify the stapled OCSP responses (and client certificates, if you have client verification enabled).

After adding these lines to the file, check that the configuration is still valid by running service nginx configtest. If so, reload Nginx by running service nginx reload.
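Once stapling is enabled on either Apache or Nginx, you can confirm from a client that a response is actually being stapled. The script below is an added example, not part of the original post: it runs openssl s_client with -status, and the stapling_ok and check_stapling helpers (assumed names) parse the output so the same check can also be run against saved s_client output.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a server really
# staples an OCSP response, using the -status option of openssl s_client.

# stapling_ok: reads s_client output on stdin and succeeds only when a
# stapled response is present and it reports the certificate as good.
# Without stapling, openssl prints "OCSP response: no response sent".
stapling_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful' || return 1
    printf '%s\n' "$out" | grep -q 'Cert Status: good' || return 1
    return 0
}

# check_stapling HOST [PORT]: live check against a server (needs network).
# -servername sends SNI so the right certificate is selected.
check_stapling() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | stapling_ok
}

# Usage: check_stapling your-site.com && echo "stapling OK"
```

A missing or expired stapled response makes check_stapling fail, which is exactly the condition you want to catch after a reload or a certificate renewal.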


Strict Transport Security Header

Another handy feature is the HTTP Strict Transport Security (HSTS) header, which tells browsers to use HTTPS for every request to your site instead of the HTTP equivalent. Enabling this feature is relatively painless.

Apache

First of all, you need to enable the Apache Headers module by running a2enmod headers if you’re running Apache. After this, it’s only a matter of adding the following line to your VirtualHost configuration that you set up earlier for HTTPS:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Nginx

Nginx requires you to add the following line in the server {} section of your server configuration file:

add_header Strict-Transport-Security max-age=31536000;

Testing

To know whether your SSL certificate is working properly or not, you can head over to SSL Labs. Then, fill in your domain name and see what kind of score you get.

Redirecting URLs

You need to add a few more lines to your configuration to ensure requests are properly redirected to the HTTPS URL. This way, visitors who arrive over HTTP will automatically be redirected to HTTPS.

Apache

Add the following to ensure URLs get properly redirected in your default VirtualHost configuration:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Nginx

In Nginx, replace the default configuration file that was used for HTTP requests and alter it as such:

server {
    listen 80;
    server_name your-site.com www.your-site.com;
    return 301 https://your-site.com$request_uri;
}

Before testing these changes, don’t forget to reload Nginx.
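To verify both the HSTS header from the previous section and the HTTP-to-HTTPS redirect from this one from the outside, here is an added example script (not from the original post) that feeds the response headers printed by curl -sI through two small checks. redirect_ok, hsts_ok and check_site are assumed names, and your-site.com is the post's placeholder host.

```shell
#!/bin/sh
# Added example (not from the original post): check the redirect and HSTS
# settings from a client, using the raw headers that curl -sI prints.
# Both checks read a header block on stdin, so they can run on saved output.

# redirect_ok EXPECTED_URL: succeeds if the response is a 301 whose Location
# header is exactly EXPECTED_URL (https:// with the original path preserved).
redirect_ok() {
    hdrs=$(cat | tr -d '\r')
    printf '%s\n' "$hdrs" | head -n 1 | grep -Eq '^HTTP/[0-9.]+ 301' || return 1
    loc=$(printf '%s\n' "$hdrs" | grep -i '^location:' | sed 's/^[^:]*: *//')
    [ "$loc" = "$1" ]
}

# hsts_ok: succeeds if a Strict-Transport-Security header is present with a
# max-age of at least one year (31536000 s), as the configurations above set.
hsts_ok() {
    hdrs=$(cat | tr -d '\r')
    val=$(printf '%s\n' "$hdrs" | grep -i '^strict-transport-security:' | sed 's/^[^:]*: *//')
    [ -n "$val" ] || return 1
    age=$(printf '%s' "$val" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] || return 1
    [ "$age" -ge 31536000 ]
}

# check_site HOST: live checks (need network). A deep path with a query
# string is used so a redirect that drops the path or query is caught.
check_site() {
    host=$1
    curl -sI "http://$host/some/page?x=1" \
        | redirect_ok "https://$host/some/page?x=1" || { echo "redirect: FAIL"; return 1; }
    curl -sI "https://$host/" | hsts_ok || { echo "HSTS: FAIL"; return 1; }
    echo "redirect and HSTS: OK"
}

# Usage: check_site your-site.com
```

Note that hsts_ok only sees the header on the https:// response; browsers ignore HSTS sent over plain HTTP, which is why the header belongs in the HTTPS server block.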


In Summary

Switching over from HTTP to HTTPS is a must, especially if you're dealing with monetary transactions. HTTPS will ensure that private information stays secure in transit. However, you need to do proper research beforehand to decide what type of certificate you end up going with.