HTTPS Security Everywhere

In 2014, Google announced at their annual Google I/O for “HTTPS everywhere”. Four years on in their most recent announcement, they were pleased to share impressive stats, stating that “over 75% of Chrome traffic on both ChromeOS and Mac is now protected“. But, what do they mean ‘protected’? And, is HTTPS something you should be considering?

In no uncertain terms, YES.

Last year, Google announced there would be penalties for all sites that are not encrypted with HTTPS, marking them as “not secure” in Chrome. It has also become a ranking signal affecting search ranking algorithms, meaning by not using HTTPS as your transfer protocol it will harm your SEO.

But before you switch everything over, it is good to understand why and how; below is a breakdown.

What is a HTTP, and the difference between HTTPS?

HTTP stands for HyperText Transfer Protocol and is an application for transmitting and receiving information across the Internet.

HTTPS, on the other hand, stands for Secure HyperText Transfer Protocol and is basically a secure version of HTTP, using SSL (Secure Socket Layer) to transmit information from one point to the other. The SSL is an extra security layer that helps protect information; the main reason Google prefers HTTPS.

Configuring for Magento

Switching an entire website to HTTPS in Magento is pretty easy if your server is configured right and you have a valid SSL Certificate. See below a simple step:

1. Go to: System -> Configuration -> Web
2. Change your Unsecure Base URL to https
3. Go to Secure Tab and then set both Use Secure URLs in Frontend and Use Secure URLs in Admin to Yes

Simple enough, right? Just remember, whilst changing a website to HTTPS is easy, you need to consider other elements as well.

1. Redirects

When you configure your website to HTTPS and you have an SSL, it should automatically redirect the HTTP to HTTPS, however in some cases there may be an issue where the HTTP redirects to the Homepage instead.

Follow the steps below to stop this:

1. Go to System -> Configuration -> Web section
2. Set Auto-redirect to Base URL to No

2. Does your SSL include WWW?

One issue with some certificates is that you may have purchased them without the www. part of a URL. This can be an issue when the incorrect URL is used, though it’s easily avoidable so long as you set your Magento URLs to the URL matching the certificate.

You can always find an SSL certificate that allows both www and without, or if you have already bought one that only takes one, then you can insert a redirect rule to direct any wrong URLs to the right one.

3. Non-Secure Content

Images, CSS, and javascript can be an issue when switching as they are normally hardcoded, and can cause your browser to issue an unsecure page warning. You will need to review coding and update any content to load over HTTPS.

There are many tools that can spot any elements that are off, such as Chrome’s Developer Tools and Firefox Firebug.

If you have any questions for us about your current site or an upcoming project, feel free to get in touch, we would be more than happy to help. Head to our contact page for the details. We hope to speak to you soon!