Moving to https - simpler than expected?


(David Walsh) #1

Have just spent a little time moving a site from http across to https.

There are a few posts on these forums that offer various ideas about what to do. On reading these I gained the impression that this was not a straightforward matter.

After consulting with my webhosts (who enabled https for me) I was advised to include the following in the .htaccess file:

RewriteEngine On
# Send requests for the bare domain to the www host
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule (.*) http://www.%{HTTP_HOST}/$1 [R=301,L]
RewriteEngine On
# Redirect plain-HTTP (port 80) requests, except cgi-bin, to HTTPS
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} !cgi-bin
RewriteRule ^(.*) https://%{HTTP_HOST}/$1 [R=301,L]

This seems to have done the trick in making the entire site ‘secure’ as far as the browser is concerned.

Nothing in the site appears broken. The whole process appears to have been pretty simple.

However, given my initial reading I’m concerned that I may have missed out something vital.
Or - is it really much simpler than I thought?

Posting this partly to reassure others who may need to do this in due course.


(William VILLERS) #2

It is as simple as that :smile: Now, you might have to do some juggling with analytics with Google, MS, … But other than that, should be good to go.


(Jason Bostick) #3

Yeah, it can often be pretty straightforward. htaccess edits can be daunting to a lot of people (myself included) but it is often relatively simple.

One thing to look out for is to check that you don’t have any links or resources from elsewhere (whether that be fonts or images, etc.) that have ‘http’ URLs, as browsers will warn users that your site isn’t actually secure.


(William VILLERS) #4

Good point, forgot to mention that!


(Doug Bennett) #5

Might want to run your pages through why no padlock, this will check for mixed content.


(Tomas Jakobs) #6

congrats, welcome onboard… next destination: an A+ on https://observatory.mozilla.org and https://www.ssllabs.com/ssltest/


(David Walsh) #7

That seems to introduce a labyrinth of complications Tomas. Which bits are vital, say for sites not dealing with financial transactions?


(Doug Bennett) #8

A lot of what those tools cover is out of your control. Might want to take a look at this post:


(David Walsh) #9

Yes. It would be useful to come up with ‘simple https recipes’ that people can straightforwardly implement.


(Tomas Jakobs) #10

I am happy about every website moving to https but this road might be more bumpy and longer than expected. I made the switch last year and at first thought the same, “this is easy”, but the deeper you dig into security and privacy, the more you will get second thoughts and start to think how hard it is.

Labyrinth of complications? Yes, sort of. Worth it only for financial websites? Not really, there are many use cases where privacy and security matter. Think about all these ads and tracking pixels everywhere. It’s a plague how we as users are tracked back.


(Doug Bennett) #11

Content Security Policy - is different than making a website HTTPS. It is much more involved, and most sites do not get an A+ rating.
Amazon - D
Bank of America - F
Mozilla - B
A good starting point if you are interested in CSP:
https://www.html5rocks.com/en/tutorials/security/content-security-policy/

As for HTTPS, the most important steps are:

  • Get your certificate installed
  • Check for and fix mixed content (active first, then passive)
  • Redirect HTTP to HTTPS
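
One way to do the mixed-content check from the steps above, as an added example that is not part of the original thread: a Python scanner that lists `http://` sub-resources in a page and sorts them active first, then passive. The tag classification, the names used and the sample HTML (example.* hosts) are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed classification: active content can change the page, passive only displays.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}
LINK_REL = {"stylesheet": "active", "icon": "passive"}  # <link> types that are fetched

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url, line)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        kind, url = None, ""
        if tag == "link":
            rels = a.get("rel", "").lower().split()
            kind = next((LINK_REL[r] for r in rels if r in LINK_REL), None)
            url = a.get("href", "")
        elif tag in ACTIVE:
            kind, url = "active", a.get(ACTIVE[tag], "")
        elif tag in PASSIVE:
            kind, url = "passive", a.get(PASSIVE[tag], "")
        # <a href> and rel=canonical are not sub-resources, so kind stays None
        if kind and url.strip().lower().startswith("http://"):
            self.findings.append((kind, tag, url.strip(), self.getpos()[0]))

def scan(html):
    """Return findings sorted active first, then passive, then by line number."""
    s = MixedContentScanner()
    s.feed(html)
    s.close()
    return sorted(s.findings, key=lambda f: (f[0] != "active", f[3]))

# Constructed sample page (not from the thread)
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://fonts.example.com/css?family=Lato">
<link rel="canonical" href="http://www.example.com/">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<a href="http://example.org/">an ordinary link</a>
<script src="http://stats.example.net/track.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url, line in scan(SAMPLE):
        print(f"{kind:7} line {line}: <{tag}> {url}")
```

It only sees references in the static HTML; resources pulled in by stylesheets or scripts at run time still need a browser-side check.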

(Robert Ziebol 🖖🏼) #12

One thing to be sure to remember is that if you use ANY LINKS to assets or stuff in your site, like warehoused images and stuff, be sure to change those URLs to https as well. Google does not like it if you don’t.


(David Walsh) #13

That looks eminently sensible Doug, and achievable too. Great to have that clarity on the difference between CSP and sorting out https. Ta!


(Doug Bennett) #14

Here is another check list that might help:
https://movingtohttps.com/