June 03, 2019
In the past, HTTPS was for protecting banking or e-commerce websites, but now it is becoming the 'norm'. Google is pushing heavily for a more secure internet and treats HTTPS as a ranking factor.
HTTPS used to be expensive, complicated and slow, but this is no longer the case. Previously you had to buy certificates for each domain and even each sub-domain. Now you can get free, trusted certificates from services such as Let's Encrypt.
Installing certificates used to be a manual process, as was renewing and maintaining them. Newer services allow certificate generation and renewal to be scripted. This automation also makes certificates with shorter lifespans practical, because the time spent on maintenance is reduced.
HTTPS adds extra round trips for the certificate handshake. This can have a significant impact on high-latency networks such as mobile networks. The cost can be reduced with security headers like HSTS, which removes the need for the initial HTTP -> HTTPS redirect: once the browser has seen the header, it calls the HTTPS endpoint automatically. An HTTPS website can also support HTTP/2, which allows multiplexed communication and gives a significant performance boost.
HTTPS also allows the site to use modern browser features like Service Workers. This means the website can have much greater control over caching strategies and can even support offline use.
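The HSTS behaviour described above, as an added example that is not part of the original post: Python code that follows the RFC 6797 rules a browser applies when deciding whether a `Strict-Transport-Security` response lets it skip the HTTP -> HTTPS redirect on later visits. The function names, the host `example.test` and the header values are constructed for illustration.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns (max_age, include_subdomains), or None if a browser must ignore it.
    Simplification: quoted values containing ';' are not handled.
    """
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue                    # empty directives are permitted
        name, _, arg = part.partition("=")
        name = name.strip().lower()     # directive names are case-insensitive
        if name in seen:
            return None                 # a repeated directive invalidates the header
        seen[name] = arg.strip().strip('"')   # the value may be a quoted-string
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None                     # max-age is required and must be digits
    return int(seen["max-age"]), "includesubdomains" in seen

def browser_policy(scheme, header_value, host):
    """Describe what a conforming browser records after this response."""
    if scheme != "https":
        return "ignored: HSTS received over plain HTTP is not processed"
    parsed = parse_hsts(header_value)
    if parsed is None:
        return "ignored: malformed header"
    max_age, subdomains = parsed
    if max_age == 0:
        return f"removed: {host} is no longer an HSTS host"
    scope = "and its subdomains " if subdomains else ""
    return f"pinned: {host} {scope}upgraded to HTTPS for {max_age}s"

if __name__ == "__main__":
    # Constructed sample responses: (scheme the response arrived on, header value)
    samples = [
        ("http", "max-age=31536000"),
        ("https", "includeSubDomains"),
        ("https", "max-age=31536000; includeSubDomains"),
        ("https", "max-age=0"),
    ]
    for scheme, value in samples:
        print(f"{scheme:5} {value!r:40} -> {browser_policy(scheme, value, 'example.test')}")
```

Only the "pinned" outcome lets later visits go straight to HTTPS; a header served on the plain-HTTP response, or one without a valid `max-age`, leaves the redirect in place on every visit.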
If tracking offsite clicks is important for your website, you will have to look into CSP headers to preserve the referrer information when using HTTPS.
HTTPS has lots of benefits and can be relatively simple to implement.
Follow me on Twitter @andyianriley
or see andyianriley @ LinkedIn.