Google is pushing HTTPS and is pleased to see HTTP connections fade. Without going into why an HTTPS website is better for everyone (for those interested: privacy, consistency, security, and more), let's examine some steps and considerations for making the switch to a secure website setup:
- Get ready
- Purchase an SSL Certificate
- Configure hosting with SSL Certificate
- Change all website links to HTTPS
- Set up 301 redirects from HTTP to HTTPS or consider HSTS
- Conclusion
Step 1. Get ready
Before laying down any money on an SSL Certificate and changing your website, consider the task as a whole.
- Is Sales ready? If you run a seasonal site, making the switch to HTTPS at peak visitor times is not recommended. It is smart to expect downtime; that way, if it happens, you are prepared and it falls during an off-time of day and sales cycle.
- Is your host ready? Before spending any money or configuring your site, make sure the host is capable of delivering an HTTPS website. For some hosts there may be some extra configuration involved, and the host should help you with this.
- Is your team ready? Be sure to inform everyone involved in the switch that the website will be under maintenance. This includes sales teams, developers working on the site that you may need help from or will be working with, and visitors. Communication goes a long way.
- Are you ready? The process takes time and a lot of work at once. Once you start switching links and setting up redirects, it might be hard to quickly reverse the whole thing, and it is usually best to push forward. So be prepared to monitor the site and be available for issues that arise. And, maybe.
Step 2. Purchase an SSL Certificate
Of all the steps, this is the quickest. Usually website hosts sell SSL Certificates and will even do most of the configuring for you. Just know your website's address and the difference between www.hostnetsecurity.com and hostnetsecurity.com; don’t assume a standard SSL Certificate will cover both! The expensive wildcard certificates will cover both, but are probably not necessary for most setups. If you think your website may need a special type of SSL Certificate, then consult a professional company that you trust, but this is a fairly rare requirement.
A quick note on the price of SSL Certificates, particularly the “Extended” types: some of these will make your website show up with a green lock in the address bar.
Step 3. Configure hosting with SSL Certificate
If your website host does not set up the SSL Certificate for you, it will be a matter of generating keys from the seller and pasting them into the website host control panel. Be mindful of the fields and always ask Support if needed; part of your hosting costs pays for their help in these situations.
Once your website is configured properly, you will no longer see messages warning about invalid certificates when visiting HTTPS pages. You will probably need to clear your cache completely (not just use a Private Browsing window) to see these changes. When in doubt, ask someone who has never visited the site before to visit one of its HTTPS pages. Also note that if you have not configured the actual website to be HTTPS friendly, you might get redirected back to the HTTP site. Every website host is a little different, and some will have an entirely separate folder for HTTPS, so keep an open mind when getting things set up.
Step 4. Change all website links to HTTPS
Here is where all those years of hearing people say “use relative links” and “never hard-code your links!” will come into play (and now you can start saying it too and feel good about knowing why). This is also where using a Content Management System (CMS) will save some time. So, assuming your SSL Certificate is all set up…
Look for errors: At this point, hopefully all of your links and linked files are changed to HTTPS, but you would be lucky to get them all on your first try. One way to find the ones you missed is to visit your site in Chrome/Safari/Firefox, right click an element, and click Inspect Element. From there, look in the Console for errors: if there are incorrect HTTP linked files, an error will be output for each one. Another way to look for HTTP links is to pull up the source code for a page and search for anything with “http:” in it… hopefully nothing is found and your work is complete.
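The source-code search described above can be automated. The following is an added example, not part of the original article: it parses a page's HTML and separates hard-coded http:// references that the browser would fetch (the ones that produce Console errors) from plain http:// links that merely need updating. The names scan_html and InsecureRefScanner and the www.example.com sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch from (or submit to) a URL.
FETCH_ATTRS = {
    ("script", "src"), ("img", "src"), ("iframe", "src"), ("audio", "src"),
    ("video", "src"), ("source", "src"), ("embed", "src"), ("object", "data"),
    ("form", "action"),
}
# Navigation and metadata links: no Console error, but still worth updating.
LINK_ATTRS = {("a", "href"), ("area", "href"), ("link", "href")}
# <link href> is only fetched for these rel values (canonical, alternate are not).
FETCHING_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}

# Constructed sample page; www.example.com is a placeholder host.
SAMPLE = """<link rel="stylesheet" href="http://www.example.com/css/site.css">
<link rel="canonical" href="http://www.example.com/">
<img src="http://www.example.com/img/logo.png">
<script src="/js/app.js"></script>
<a href="http://www.example.com/contact">Contact</a>"""


class InsecureRefScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "").strip() for name, value in attrs}
        rels = set(attrs.get("rel", "").lower().split())
        for attr, url in attrs.items():
            if not url.lower().startswith("http://"):
                continue  # relative, protocol-relative and https:// URLs pass
            fetch = (tag, attr) in FETCH_ATTRS or (
                (tag, attr) == ("link", "href") and bool(rels & FETCHING_RELS))
            if not fetch and (tag, attr) not in LINK_ATTRS:
                continue
            kind = "mixed-content" if fetch else "insecure-link"
            self.findings.append((self.getpos()[0], kind, tag, attr, url))


def scan_html(html):
    scanner = InsecureRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    print(*scan_html(SAMPLE), sep="\n")
```

It does not look inside srcset attributes, inline CSS url() values or JavaScript, so the Console check in the browser remains the final word.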
Step 5. Set up 301 redirects from HTTP to HTTPS or consider HSTS
For Apache-based websites, redirecting all incoming HTTP traffic (say, from old Google links or dated links on other sites) to HTTPS can be accomplished fairly easily. Here is some code to add to the top of the .htaccess file in your root folder:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Once that is in there, test thoroughly that your website is still functional and that any request made to your site is redirected to an HTTPS URL.
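One way to carry out the test described above, as an added example that is not part of the original article: it checks recorded responses to plain-HTTP requests for the properties the .htaccess rule should produce (status 301, https target, same host, same path and query string) and parses a Strict-Transport-Security header, which the article names as HSTS but does not cover further. The function names and the example.com responses are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit


def check_redirect(request_url, status, location):
    """Problems with the response to one plain-HTTP request (empty list = pass)."""
    problems = []
    if status != 301:
        problems.append(f"status {status}, expected 301")
    if not location:
        return problems + ["no Location header"]
    src = urlsplit(request_url)
    dst = urlsplit(urljoin(request_url, location))  # resolve a relative Location
    if dst.scheme != "https":
        problems.append(f"target scheme is {dst.scheme}")
    if dst.hostname != src.hostname:
        problems.append(f"host changed to {dst.hostname}")
    if (dst.path or "/", dst.query) != (src.path or "/", src.query):
        problems.append("path or query string not preserved")
    return problems


def parse_hsts(value):
    """Parse Strict-Transport-Security into (max_age, include_subdomains)."""
    max_age, include_subdomains = None, False
    for directive in (value or "").split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isdigit() else None
        elif name.strip().lower() == "includesubdomains":
            include_subdomains = True
    return max_age, include_subdomains


# Constructed responses: (requested URL, status, Location header).
CASES = [
    ("http://www.example.com/shop?item=3", 301, "https://www.example.com/shop?item=3"),
    ("http://www.example.com/shop?item=3", 302, "https://www.example.com/shop?item=3"),
    ("http://www.example.com/shop?item=3", 301, "https://www.example.com/"),
    ("http://example.com/about", 301, "/about"),
]

if __name__ == "__main__":
    for url, status, location in CASES:
        print(url, status, location, check_redirect(url, status, location) or "OK")
    print(parse_hsts("max-age=31536000; includeSubDomains"))
```

Browsers only honour the Strict-Transport-Security header on HTTPS responses, and a max-age of 0 tells them to drop the policy, so a parsed max_age of None or 0 means HSTS is not in effect.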
Step 6. Conclusion
Here we work with clients to convert their websites, both old and new, into HTTPS versions. It’s a process that we enjoy, because it gives lasting value to any company’s online presence. Which has continued to see success with their recent secure their website.