Migrating Website from HTTP to HTTPS - security

I have to migrate a website from HTTP to HTTPS and keep user experience unchanged (no warning popups). What would be the front end main points to be verified?
I realized I have to make sure all inclusions (CSS, images and JS) have to reference https content, but I'm still not sure about the a(link) href attribute and if there's anything I'm missing.

How to migrate to HTTPS is an excellent migration howto. The steps are:
1. Get and install certificates
2. Enable HTTPS on your servers
3. Make intra-site URLs relative
4. Redirect HTTP to HTTPS
5. Turn on strict transport security and secure cookies
Between step 3 and step 4, run through Qualys' best practices and test your site.

Updated Feb 02, 2016
Planning on moving to HTTPS? Here are 13 FAQs! Visit https://plus.google.com/+JohnMueller/posts/PY1xCWbeDVC
I have done this on my website and it works perfectly (it depends on the size of your site). My site is a local business site, indexed (2,xxx) on Google.
1. No effect on SEO Ranking
2. No effect on link juice

Relative links will refer to https automatically. All absolute links have to refer to https, unless you configure your .htaccess file to redirect all http traffic to https.
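The front-end check the question asks about, as an added example that is not part of the original posts: it separates insecure subresources (which trigger mixed-content warnings or blocking) from plain `a href` links (which do not). The sample page, the host names and the `scan` helper are constructed for illustration; URLs inside CSS or built by scripts are not covered.

```python
from html.parser import HTMLParser

# Tags whose URL attribute makes the browser fetch content into the page.
SUBRESOURCE = {("script", "src"), ("img", "src"), ("iframe", "src"), ("embed", "src"),
               ("audio", "src"), ("video", "src"), ("source", "src"), ("object", "data")}
# <link> only fetches for some rel values; rel=canonical is just metadata.
FETCHING_RELS = {"stylesheet", "icon", "preload", "manifest"}

def insecure(url):
    # Relative and protocol-relative ("//host/x") URLs inherit the page's scheme.
    return url.lower().startswith("http://")

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.subresources = []  # blocked or flagged by the browser on an https page
        self.navigation = []    # no warning, but the user leaves https when clicking

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        for name, value in attrs.items():
            if not insecure(value):
                continue
            if (tag, name) in SUBRESOURCE:
                self.subresources.append((tag, value))
            elif (tag, name) == ("link", "href"):
                if set(attrs.get("rel", "").lower().split()) & FETCHING_RELS:
                    self.subresources.append((tag, value))
            elif (tag, name) == ("a", "href"):
                self.navigation.append((tag, value))

def scan(html):
    """Return (insecure subresources, insecure navigation links)."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.subresources, scanner.navigation

# Constructed sample page; every host name here is a placeholder.
SAMPLE = """
<link rel="stylesheet" href="http://www.example.com/skin/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="//cdn.example.com/app.js"></script>
<script src="http://cdn.example.com/lib.js"></script>
<img src="http://www.example.com/media/banner.png" />
<iframe src="http://survey.example.net/form"></iframe>
<a href="http://www.example.com/contact">Contact</a>
"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```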

Related

I want one particular page to not take https

I have this one page which has an iframe inside of which a survey page is embedded. Unfortunately I'm getting a "Your connection is not secure" error inside the iframe. Does anyone know how to fix this issue? By the way, the website is SSL certified, not the page I'm trying to include inside the iframe. Also this is a PHP site, not WordPress.
Thanks
You are always going to have this problem when an HTTPS page references non-secured content. Your options are:
move the page hosting the iframe (and its associated content) outwith HTTPS. Although, in theory an HTTP page should be able to reference HTTPS hosted JavaScript, CSS and images without emitting warnings, this will probably vary by browser
move the survey page into HTTPS. I am guessing that you don't host this yourself - have you contacted the provider to ask if they can provide the service via HTTPS? Have you considered using a different provider?
proxy the HTTP survey page via your server - this would require some clever configuration on the webserver or terminating the SSL connection in front of a proxy operating in reverse mode for your service and rewriting/forwarding mode for the survey. Basically, if you don't control the infrastructure this is probably a non-starter.
re-implement the survey capability within your own site.
Bear in mind that as soon as your site is exposed outside of HTTPS it becomes vulnerable to more attacks.
.htaccess is not going to help - it overrides the behaviour within a vhost - the HTTP and HTTPS sites will operate in separate vhosts.

If I use http for part of my website and https for another part, does this open up any security issues?

I have a node.js app.
I have it configured to redirect everything to https from http.
But I was thinking about whether the extra work to make the normal pages visible on http and the logged-in pages only visible via https would be worth the effort.
Does having both in my app expose any security holes?
Yes multiple, including:
Cookies are shared between the two sites unless you remember to include the "secure" attribute each time you set a cookie.
You are vulnerable to MITM attacks (e.g. replacing a "login" link on http to either keep you on http or redirect you to another site instead).
Resources need to be loaded over https on the secure site or you will get mixed security warnings. It's easy to miss this when running mixed sites.
Users will not know whether pages should be secure or not.
Can forget to renew cert and/or see cert errors but this should be more obvious if whole site is https.
Cannot use advanced security features like HSTS.
And that's just off the top of my head.
Go https everywhere and redirect all http traffic to https. Unless you've a good reason not to.
There are other benefits too (user confidence, looks more professional, small SEO boost, Google sees this as two sites, easier management of sites, Chrome will soon block access to some features like location tracking on http, cannot upgrade to HTTP/2 until you implement https... etc.).
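A way to check a deployment for the cookie, redirect and HSTS points listed in the answer above, as an added example that is not part of the original post: it audits captured response headers for the same path fetched over http and over https. The `audit` helper, the cookie name and both sample responses are constructed for illustration.

```python
REDIRECTS = (301, 302, 307, 308)

def parse_hsts(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.lower() == "max-age":
            val = val.strip('"')
            return int(val) if val.isdigit() else None
    return None

def cookie_lacks_secure(set_cookie):
    """True if a Set-Cookie header value carries no Secure attribute."""
    attrs = [a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]]
    return "secure" not in attrs

def audit(http_resp, https_resp):
    """Each response is (status, [(header, value), ...]); returns a list of findings."""
    findings = []
    status, headers = http_resp
    location = next((v for k, v in headers if k.lower() == "location"), "")
    if status not in REDIRECTS or not location.lower().startswith("https://"):
        findings.append("http: no redirect to https")
    if any(k.lower() == "set-cookie" for k, _ in headers):
        findings.append("http: cookie set over plain http")
    _, headers = https_resp
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not hsts or not parse_hsts(hsts[0]):
        findings.append("https: HSTS missing or max-age=0")
    for k, v in headers:
        if k.lower() == "set-cookie" and cookie_lacks_secure(v):
            # Without Secure the browser also sends this cookie on http requests.
            findings.append("https: cookie without Secure: " + v.split("=", 1)[0])
    return findings

# Constructed samples: a mixed http/https site and an https-only site.
MIXED = ((200, [("Set-Cookie", "sid=abc123; Path=/; HttpOnly")]),
         (200, [("Set-Cookie", "sid=abc123; Path=/; HttpOnly")]))
HTTPS_ONLY = ((301, [("Location", "https://www.example.com/")]),
              (200, [("Strict-Transport-Security", "max-age=31536000"),
                     ("Set-Cookie", "sid=abc123; Path=/; HttpOnly; Secure")]))

if __name__ == "__main__":
    for name, pair in (("mixed", MIXED), ("https-only", HTTPS_ONLY)):
        print(name, audit(*pair))
```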

Unable to configure Cloudflare flexible SSL on Joomla 3.x website

I'm having some annoying problems with my domain http://www.armfilmbihar.com.
I have Cloudflare flexible SSL on my Joomla 3.3 site, and it makes an https call, IF I type it myself >< When I try to force https to be used on my site via an .htaccess file I get a loop error.
When using the page rules from the CF website, it loads, but it shows parts as insecure content and thus blocks them. How do I change all of them to https so that the content loads with SSL?
Did you try the information in our knowledge base about mixed content?

Secure HTTPS not working in Magento under CloudFlare

Here is my problem:
I have set Magento to run under SSL by setting the frontend secure option in admin to Yes
The site runs under Cloudflare
I set a page rule on Cloudflare (according to the support instructions) that goes:
http://fabshopper.com/*
Always uses HTTPS
I'm using the Ultimo theme in Magento
When I open the site in the browser it shows the HTTPS connection but most of the content is not loaded because the links are HTTP (including CSS, scripts, images).
The Ultimo theme is supposed to create links as either HTTP or HTTPS according to the Magento settings, but the links I'm getting are HTTP
I ran out of ideas :(
Can anyone give me a hint?
Thanks
I went through the link you provided and found many URLs loaded from an insecure server. Check a few of them below:
The page at 'https://www.fabshopper.com/' was loaded over HTTPS, but displayed insecure content from 'http://www.fabshopper.com/skin/frontend/ultimo/fabshopper/images/fab_shopper.png': this content should also be loaded over HTTPS.
The page at 'https://www.fabshopper.com/' was loaded over HTTPS, but displayed insecure content from 'http://www.fabshopper.com/media/wysiwyg/autumn-cardigans.png': this content should also be loaded over HTTPS.
Just change HTTP to HTTPS in all the insecure URLs and it will solve your problem.

Secure Canvas - Should every http request on the canvas page also change to https?

Since 1st Oct is coming, I am working on Secure Canvas URL stuff.
My canvas URL is like canvas.example.com. I can make this domain and server SSL ready without a problem.
My question is, should every http request made by canvas.example.com also change to https?
E.g. I import some JS, CSS, images from cdn.example.com to my canvas page. Should I configure cdn.example.com so it can also be accessed via https, or can I just leave this domain alone and still use http to get that content?
Thank you very much.
You should make all content served over https or the browser will show warnings.
Facebook policies clearly mention that all the Page Tabs and iFrame Applications shall have an SSL certificate.
Any external content like images and JS included on your site shall also come from secured hosting, hence the https://, else you shall not be complying with FB policies.
Given the fact that FB has been very strict on punishing defaulters, I don't think any app developer can take the risk.
