The HTTPS protocol provides greater security for your websites by encrypting the communication, it maintains the privacy and integrity of the information exchanged.
Reasons for enabling HTTPS
Using HTTPS for your site is often free, fast and can even improve your site’s search engine rankings.
Google Chrome marks websites without HTTPS as “not secure”. Upgrading to HTTPS is an important step in establishing and maintaining customer trust.
Facebook will soon require all uses of Facebook Login on the web, including API calls with our JavaScript SDK, to happen exclusively from pages served over HTTPS. This protects user access tokens from network exposure, while maintaining the security of people’s data and the authenticated activities of your app.
How to enable HTTPS
To enable HTTPS, use a certificate registrar to obtain a certificate that identifies your site.
Install the certificate on your web server and configure TLS. There are a number of free tools available for popular web hosting providers, platforms that can automate most or all of this process in many common situations.
After enabling HTTPS for your site, you should test and make sure everything is working as expected. The ‘Upgrade Insecure Requests’ HTTP header can help you automatically fix the most common problems encountered during an upgrade.
The recommended certification authority
Let’s Encrypt is a free, automated and open certificate authority recommended and supported by Facebook.
for web hosting services
Let’s Encrypt integrates with more than 100 web hosting providers. If you don’t see your service provider in the following list, check if your provider supports the cipher. If you have shell access to your server, you can usually follow the steps to use encryption for self-hosted websites, even if you don’t find your hosting provider listed on this page.
For self-hosted websites
If you host your own website, Let’s Encrypt provides automated tools to obtain and install a certificate for a wide range of operating systems and web server software. If you are setting up your own web server, a useful tool is Mozilla’s SSL configuration generator.
Popular hosting providers and platforms
If you’re deploying your application through a cloud hosting provider, many provide support for HTTPS as part of their basic service offering. You can often run it using the administrative tools you already use.
Here are links for some of the most popular hosting providers offering integrated support.
Amazon Web Services
AWS Certificate Manager provides free, integrated management and deployment of SSL / TLS certificates for AWS resources, such as Balastic Load Balancers, Amazon Cloudfront distributions, and more.
Microsoft Azure
The Azure portal includes built-in support for purchasing and installing a commercial license. You can also use auto-renew, free of charge, from Let’s Encrypt with an unofficial site extension.
IBM Cloud
IBM Cloud Certificate Manager provides a free tool to manage many of the configuration tasks related to certificate management and service configuration. You will need to obtain your own certificates for custom domains from a certificate authority, such as Let’s Encrypt.
Google Apps engine
Google App Engine offers HTTPS support with globally distributed, load-balanced endpoints and can be automatically enabled with free managed certificates. Learn how to enable HTTPS for your custom domains in Google App Engine.
Alibaba Cloud
Alibaba Cloud SSL Certificates Service allows customers to directly apply, purchase and manage SSL certificates on the Alibaba Cloud.
Heroku
Automatic certificate management automatically manages TLS certificates for applications with Hobby and Professional dynamos in the shared runtime, as well as for applications in Space Spaces that enable the feature.
Other platforms:
Shopify
Area
Wix
Enabling HTTPS using a CDN
If you use a content delivery network (CDN), they may have managed offerings to help you deploy HTTPS, such as Cloudflare’s SSL-secured CDN or Akamai’s.
Checking your site and fixing common problems
For the page to be secure, all the parts that make it up must claim HTTPS. If your site isn’t working or your browser is showing warnings after installing the certificate and configuring your web host to support HTTPS, you likely have mixed content. This happens when a secure page tries to load something that isn’t secure. For example, from an HTTPS page, browsers display a warning when loading print media such as< img src = “http://example.com/test.png”> , and will completely block the scripts and other insecurely active content, such as< script src = “http://example.com/sdk.js”> .
There are several ways to fix this, such as using a script or rewrite rules to update link paths on your site. But the easiest solution is to use the insecure upgrade requests property of the content security policy.
This can be done by setting the following HTTP header:
