Solution – How to implement HTTPS for websites and web applications

You can implement HTTPS by getting an SSL certificate from a certificate authority (CA). You can buy an SSL certificate or get one for free. The certificate is what allows “HTTPS” to show before your domain name in web browsers. Certificate registration and activation typically seem to take about 24 hours from the request until the certificate is active and usable for a site.

Some hosting providers offer an almost automatic setup for HTTPS while others ask you to install the certificate yourself and set up your redirects. It usually depends on the hosting plan you have.

Many web hosting companies have their own way to implement HTTPS on websites they host. They usually provide a helpful guide in their support area.

Before buying an SSL Certificate, do these things:

  • Understand the different types of certificate coverage (i.e. Single domain, Multi-domain, Wildcard)
  • Change hard-coded URLs to relative URLs so that browsers do not show Mixed Content warnings to users after HTTPS is active.
  • Check for crawling and indexing issues. Remove entries from the robots.txt file that block crawlers from the HTTPS version of the site. Avoid the noindex meta tag in the source code of web pages.

Note: Some CMSs, like WordPress, provide plugins to rewrite hard-coded URLs. For static sites, you can use the “find and replace” feature in text editors to remove any hard-coded “http://” prefix.

After buying an SSL Certificate, do these things:

  • Confirm your site functions with HTTPS (no browser warnings about HTTPS errors or issues). You can also use this website to check for HTTPS implementation issues: https://www.whynopadlock.com/
  • Set the HSTS (HTTP Strict Transport Security) response header.
  • Set up server-side redirects (status 301) from HTTP to HTTPS (e.g. using apache.conf, .htaccess, or other redirect options from your hosting provider).
  • Set up an auto-renew process – Don’t let your SSL certificate expire or browsers will show users a warning telling them your site is unsafe (because your certificate is now invalid).
  • Certificate mismatch – Use a certificate that covers all the domains and sub-domains your website uses, or browsers will show users a warning telling them your site is unsafe (because your certificate doesn’t match the domain it’s assigned to).
  • Check for old protocol versions that are known to be vulnerable and disable them (e.g. SSLv3, TLS 1.0 and 1.1). Upgrade your TLS libraries as time progresses and stronger versions are released.

General steps to implement HTTPS on the web:

  1. Buy an SSL certificate from your hosting provider (e.g. GoDaddy, SiteGround, HostGator)
  2. Install a free certificate (e.g. Let’s Encrypt)
  3. Use a certificate offered through a third party (e.g. a web firewall service from Cloudflare.com)

Option 1 – Buy an SSL Certificate

  1. Host with a dedicated IP address.
  2. Buy an SSL certificate.
  3. Request the SSL certificate.
  4. Install the certificate.
  5. Update your site to enable HTTPS.

Option 2 – Let’s Encrypt

If you have shell access, install an ACME client like Certbot to automate the process.

  • Link to Certbot: https://certbot.eff.org/

If you don’t have shell access, your hosting provider might support Let’s Encrypt in other ways. Here’s a list of hosting providers supporting Let’s Encrypt. Check if your provider is listed.

Additional resources on implementing Let’s Encrypt

How to verify HTTPS is implemented properly

  1. Use a browser to visit the domain of your website/web application without the HTTPS prefix, e.g. www.example.com. Your browser should automatically redirect to HTTPS without any connection warnings in the address bar or on screen.
  2. Use a web scanner to check for HTTPS issues (e.g. Qualys SSL Scan https://www.ssllabs.com/ssltest/, https://www.whynopadlock.com/ or similar sites).
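
The redirect and HSTS items from the post-purchase checklist can also be checked by script once you have the response status and headers for the HTTP and HTTPS versions of the site. This is an added example, not part of the original article: the function names are hypothetical, the responses are constructed, and the one-year `min_max_age` threshold is an assumption.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security header value."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isascii() and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def check_https_setup(http_resp, https_resp, min_max_age=31536000):
    """Return a list of problems for two (status, headers) pairs."""
    # min_max_age (one year) is an assumed threshold, not from the page.
    problems = []
    status, headers = http_resp
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if status not in (301, 308):  # the two permanent redirect codes
        problems.append(f"HTTP returned {status}, not a permanent redirect")
    if not location.lower().startswith("https://"):
        problems.append("HTTP redirect target is not an https:// URL")
    _, headers = https_resp
    hsts = {k.lower(): v for k, v in headers.items()}.get(
        "strict-transport-security")
    if hsts is None:
        problems.append("HTTPS response lacks Strict-Transport-Security")
    else:
        max_age = parse_hsts(hsts)["max_age"]
        if max_age is None:
            problems.append("HSTS header has no valid max-age")
        elif max_age == 0:
            problems.append("HSTS max-age=0 tells browsers to drop the policy")
        elif max_age < min_max_age:
            problems.append(f"HSTS max-age {max_age} is below {min_max_age}")
    return problems


# Constructed responses for www.example.com, not captured from a real site.
GOOD = ((301, {"Location": "https://www.example.com/"}),
        (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
BAD = ((302, {"Location": "http://www.example.com/home"}),
       (200, {"strict-transport-security": "max-age=0"}))

for label, (http_resp, https_resp) in (("good", GOOD), ("bad", BAD)):
    print(label, check_https_setup(http_resp, https_resp))
```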

Why implement HTTPS

There are four (4) main reasons:

  1. Encryption — HTTPS encrypts the traffic between a user’s browser and your website/web application to protect it from sniffing and other forms of interception.
  2. Data integrity — HTTPS protects data from being modified or corrupted during transfer, intentionally or otherwise, without being detected.
  3. Authentication — HTTPS proves to users’ browsers that they are communicating with the intended website. It protects against man-in-the-middle attacks and builds user trust, which translates into other business benefits.
  4. HTTPS is the future baseline of web security, and Search Engines (such as Google) will treat HTTPS-enabled sites with preference in their search results.

  • Tips from Qualys SSL Labs – https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
  • Tips from Mozilla – https://wiki.mozilla.org/Security/Server_Side_TLS
  • Great post from Ayo Isaiah – https://medium.freecodecamp.org/free-https-c051ca570324

Updated on June 9, 2019
