Many websites have moved from HTTP to HTTPS because of the series of advantages and improvement in the security of website. However, full security cannot be guaranteed, until all the steps are completed.
This document is helpful for site operators like operation staff, software developers, DevOps, and managers who want to change their website communication protocol. Following are few steps to change website from HTTP to HTTPS-
Get certificate for your website hostname – Certificate of site’s hostname is necessary. For this purpose, go to sslmate.com to buy any of the certificates that suits your budget. There are two options in it-
- Standard-This costs $16 per year. Site domain name is represented as www.example.com. This option is chosen when there are only 1 or 2 subdomains.
- Wildcard-Hostname in wildcard costs $150 per year and is represented as *.example.com. This option is used when there are more than 5 subdomains.
Besides sslmate.com, there are other certificate vendors. For example, Namecheap provides hostname certificate at $9 per year for standard certificate and $94 per year for wildcard certificate.
Enable HTTPS on server– After buying the certificate, you need to copy it on your front-end server. Allow the website server to configure your bought certificate. Your website hostname and subdomains must use the right certificate for efficient and smooth workflow.
To check the HTTPS configuration on your website, you must run Qualys’ handy SSL Server Test.
Make Intra-Site URLs Relative– A website must run smoothly regardless of the protocol. But problem arises with the website content that either runs on HTTP or HTTPS. Browser displays a warning message or will not load or execute the content being displayed on two different protocols. This issues occurs when pages include fully qualified, intra-site URL i.e. http:// scheme.
Content can be replaced by making following changes in the website code i.e. from
<h1>Welcome To Example.com</h1>
<script src=”http://example.com/jquery.js”></script>
<link rel=”stylesheet” href=”http://assets.example.com/style.css”/>
<img src=”http://img.example.com/logo.png”/>
<p>Read this nice <a href=”http://example.com/2014/12/24/”>new post on cats!</a></p>
<p>Check out this <a href=”http://foo.com/”>other cool site.</a></p>
to
<h1>Welcome To Example.com</h1>
<script src=”//example.com/jquery.js”></script>
<link rel=”stylesheet” href=”//assets.example.com/style.css”/>
<img src=”//img.example.com/logo.png”/>
<p>Read this nice <a href=”//example.com/2014/12/24/”>new post on cats!</a></p>
<p>Check out this <a href=”http://foo.com/”>other cool site.</a></p>
In addition to this, changes can also be as follows-
<h1>Welcome To Example.com</h1>
<script src=”/jquery.js”></script>
<link rel=”stylesheet” href=”//assets.example.com/style.css”/>
<img src=”//img.example.com/logo.png”/>
<p>Read this nice <a href=”/2014/12/24/”>new post on cats!</a></p>
<p>Check out this <a href=”http://foo.com/”>other cool site.</a></p>
From the given code, it is quite clear that changes can be made either protocol-relative i.e. starting with //example.com or host-relative like /jquery.js.
There are few things to take into consideration, which are as follows-
- Make changes in the script directly
- While linking website to other sites, don’t change the protocol
- Protocol relative URL is suggested to make the migration from HTTP to HTTPS smoother.
Redirect HTTP to HTTPS– Before redirecting, it is necessary to confirm few things and make a crucial decision, which is as follows-
- Hostname should have its own IP address thus there is need to use IP based hosting
- Do not redirect the page to HTTPS, if using 2.3 Android and IE on Windows XP
Sites that are using IE on Windows XP and 2.3 Android faces problems because they cannot understand Server Name Indication (SNI), which is must to use for implementing HTTPS name-based virtual hosting.
Turn On Strict Transport Security And Secure Cookies– Use of strict transport security is must that allows users to know that they should connect server via HTTPS. By setting the Strict-Transport-Security header and turning on HTTP Strict Transport Security the webpages can easily be converted to HTTPS protocol.
Client cannot send cookies over HTTP. This is because of the fact that security guarantee of their entire session is destroyed. The only way to secure the cookies is set the secure flag.
Migrations concerns-There are few concerns that are required to be considered while making website hosting changes from HTTP to HTTPS.
- Search ranking– Search engines give preferences to websites using HTTPS. In other words, they consider it a positive search quality indicator. Besides maintaining search rank, search engines like Google also publishes a guide on how to transfer, move, or migrate site from HTTP to HTTPS. Bing also publishes its guidelines for webmasters for better ranking by HTTPS protocol.
- Performance– The content and application layers must be well tuned, so that website performance is better. In addition to this, the TLS performance should also be taken into concerns because its affects is on the overall cost of the application.
- TLS performance can also be improved by making possible HTTP/2.
- Referer headers– Referer header is not sent to follow up links that come from HTTPS site to other HTTP sites. To solve this issue, there are certain ways, which are as follows-
- Migrate other site to HTTPS
- Make use of Referrer Policy standard. It helps provide solution for variety of problems associated with referer headers.
Add revenue– Sites showing up ads would never want that if their hostname is changed then it should reduce ad impressions.
Because of the fact that there are mixed content security concerns because of HTTP iframe that does not work on HTTPS page, it will be tricky to manage the ads.
The solution to manage ads on HTTPS protocol is that the advertisers must publish their ads over HTTPS. This is the only way to gain back the control over losing ad revenue.
