Moving to https - simpler than expected?

Have just spent a little time moving a site from http across to https.

There are a few posts on these forums that offer various ideas about what to do. On reading these I gained the impression that this was not a straightforward matter.

After consulting with my webhosts ( who enabled https for me ) I was advised to include the following in the .htaccess file

RewriteEngine On
RewriteCond %{HTTP_HOST} !^www.
RewriteRule (.*) http://www.%{HTTP_HOST}/$1 [R=301,L]
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URL} !cgi-bin
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

This seems to have done the trick in making the entire site ‘secure’ as far as the browser is concerned.

Nothing in the site appears broken. The whole process appears to have been pretty simple.

However, given my initial reading I’m concerned that I may have missed out something vital.
Or - is it really much simpler than I thought?

Posting this partly to reassure others who may need to do this in due course.

It is as simple as that Now, you might have to do some juggling with analytics with Google, MS, … But other than that, should be good to go.

Yeah, it can often be pretty straightforward. htaccess edits can be daunting to a lot of people (myself included) but it is often relatively simple.

One thing to look out for is to check that you don’t have any links or resources from elsewhere (whether that be fonts or images, etc) that have ‘http’ URL’s, as browsers will warn users that your site isn’t actually secure.

Good point, forgot to mention that!

Might want to run your pages through why no padlock, this will check for mixed content.

congrats, welcome onboard… next destination: an A+ on https://observatory.mozilla.org and https://www.ssllabs.com/ssltest/

That seems to introduce a labyrinth of complications Tomas. Which bits are vital, say for sites not dealing with financial transactions?

A lot of what those tools cover is out of your control. Might want to take a look at this post:

Yes. It would be useful to come up with ‘simple https recipes’ that people can straightforwardly implement.

I am happy about every website moving to https but this road might be more bumpy and longer than expected. I’ve made the switch last year and first thought the same “this is easy” but the deeper you’re digging into security and privacy the more you will get 2nd thoughts and start to think how hard it is.

Labyrinth of complications? yes sort of. Worth only for financial websites? Not really, there a re many usecases where privacy and security matters. Think about all these ads and tracking-pixels everywhere. It’s a plague how we as users are tracked back.

Content Security Policy - is different than making a website HTTPS. It is much more involved, and most sites do not get an A+ rating.
Amazon - D
Bank of America - F
Mozilla - B
A good starting point if you are interested in CSP:

As for HTTPS
the most important steps are:

• Get your certificate installed
• check for and fixed mixed content (active first, then passive)
• Redirect HTTP to HTTPS

One thing to be sure to remember, is that if you use ANY LINKS to assets or stuff in your site, like warehoused images and stuff, be sure to change those URLS to https as well. Google does not like it if you don’t.

That looks eminently sensible Doug _and achievable too. Great to have that clarity on the difference between CSP and sorting out https. Ta!

Here is another check list that might help:
https://movingtohttps.com/