This article covers the general steps required to ensure your website pages, scripts, styles, and media are loaded over HTTPS.
Why should you secure your site over HTTPS?
If you are providing a service that transmits ANY type of data from your website users via a form (or other means) without an SSL certificate, you are putting your users' information at risk.
Google has a great article that summarizes this importance.
Frequently Asked Questions about SSL
What do I need to do to make my website secure?
There are various levels of security; however, the first and most important step to securing your website is switching the communication protocol from HTTP to HTTPS. This ensures that all data exchanged between the client (browser/visitor) and the server (your website) is encrypted rather than transferred over the internet in plain text.
When switching to HTTPS, you must have a valid SSL certificate, signed by and purchased from a trusted provider.
Upgrading a site to SSL often requires some development and review to ensure that ALL resources being loaded across the site are also loaded over HTTPS and that the appropriate redirects are in place.
Security doesn't stop at having all assets served over HTTPS, though. There are countless potential vulnerabilities that can exist in the web server or the application itself. Regular penetration tests and vulnerability scanning are highly recommended.
I’m not collecting any credit card information through my website, do I still need an SSL certificate?
If you don't have an SSL certificate, data exchanged between the client (browser) and your website (server) is sent in plain text. Even if you don't have any forms collecting credit card payment information, you may have forms that collect Personally Identifiable Information such as name, email, phone number, address or other confidential information. Protect your visitors.
I already have an SSL certificate installed, do I need to do anything else?
If you already have a valid SSL certificate installed, congratulations, you are one step closer to having a secure site.
Not all SSL certificates are created equal, however. Some SSL certificates can be served with deprecated ciphers, or ciphers with known vulnerabilities, that an attacker can exploit. It is recommended to proceed with vulnerability scanning and penetration testing.
Can we bring our own SSL certificate or do we need to purchase one from Agility?
In most cases we install and utilize an SSL certificate that you provide. We'll need to connect with you to ensure we receive it in the right format, and we'll validate the certificate's authenticity. Otherwise, we can purchase an SSL certificate on your behalf.
- Purchase an SSL Certificate
- Install your SSL Certificate
- Add URL Redirections to your Web Application
- Remove any Static references to HTTP resources
- Add a Replacement Filter to Replace Dynamic references to HTTP resources
Purchase an SSL Certificate
If self-hosting, you must purchase your own certificate directly through a trusted third-party vendor such as Go Daddy.
If your site is being hosted by Agility, please contact firstname.lastname@example.org and an SSL certificate can be purchased on your behalf. This would include SSL installation and management.
Install your SSL Certificate
If self-hosting, you must install your SSL certificate either directly in IIS, or via your cloud portal (i.e. Azure or AWS). Go Daddy has a great reference guide for how to install SSL certificates.
If your site is hosted by Agility, the SSL certificate will be installed as part of your SSL services agreement.
Add URL Redirections to your Web Application
After you've installed your SSL certificate, you should be able to access your website over HTTPS. However, you may still be able to browse your site over HTTP. In order to ensure all of your users take advantage of your new security, you'll need to redirect all HTTP requests to HTTPS.
This can be done in a number of ways; however, one recommended way is to use a URL Rewrite rule in your web.config.
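The following web.config fragment is an added example (not from the original article) of such a rule for the IIS URL Rewrite module: every plain-HTTP request is sent to the same path and query string over HTTPS with a permanent (301) redirect. The second condition assumes a TLS-terminating load balancer or CDN that sets X-Forwarded-Proto; without it, such a setup would redirect in a loop.

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll">
            <!-- The request arrived at IIS over plain HTTP ... -->
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
            <!-- ... and was not already HTTPS at an assumed proxy in front of the server. -->
            <add input="{HTTP_X_FORWARDED_PROTO}" pattern="^https$" negate="true" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" appendQueryString="true" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

After deploying, request a page over http:// and confirm the response is a 301 whose Location header is the https:// form of the same URL.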
Remove any Static References to HTTP Resources
Your web application may have "hard-coded" references to internal or external resources such as CSS, scripts or other assets over HTTP. If this is the case, browsers will warn you that even though you have an SSL certificate installed, the page itself is still considered insecure due to links to insecure resources (mixed content).
Check your code for ANY static references to HTTP resources and update them to HTTPS.
Add a Replacement Filter to Replace Dynamic References to HTTP Resources
Since your web application ultimately serves content from a CMS, an editor may inadvertently place a link within an HTML/WYSIWYG area to an insecure HTTP resource.
To resolve this, it is recommended to implement a Replacement Filter Module that runs just before the entire rendered HTML is returned to the client (browser). This allows you to programmatically "search and replace" links in your HTML and modify them to be over HTTPS.
Our article on Updating your Media & Documents CDN URL details how to use a Replacement Filter Module to convert non-HTTPS CDN URLs to HTTPS. The same logic can be applied for other external services as well.
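Below is an added example of such a module, written here for illustration and not the module from Agility's own article: an ASP.NET IHttpModule that buffers the rendered HTML and rewrites http:// links to https:// only for an assumed allow-list of hosts (cdn.example.com and fonts.googleapis.com are placeholders), so a third party that does not serve HTTPS is never turned into a broken link. It assumes a UTF-8 response body and would be registered in web.config like any other HTTP module.

```csharp
using System;
using System.IO;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical replacement filter module (an added example, not Agility's own): buffers the rendered HTML
// and rewrites http:// to https:// only for hosts known to serve HTTPS, so an http-only host is never broken.
public class HttpsReplacementFilterModule : IHttpModule
{
    // Assumed allow-list; replace with your own CDN and external service hosts.
    private static readonly Regex HttpUrl = BuildPattern("cdn.example.com", "fonts.googleapis.com");

    public static Regex BuildPattern(params string[] hosts)
    {
        // http:// then an allow-listed host, then a char that cannot continue a hostname, so that
        // "http://cdn.example.com.attacker.test/" is left alone rather than rewritten.
        string alt = string.Join("|", Array.ConvertAll(hosts, Regex.Escape));
        return new Regex(@"http://(?=(?:" + alt + @")(?![\w.-]))", RegexOptions.IgnoreCase | RegexOptions.Compiled);
    }

    // The search-and-replace step itself, kept separate so it can be unit tested without IIS.
    public static string Rewrite(string html, Regex pattern) => pattern.Replace(html, "https://");

    public void Init(HttpApplication app)
    {
        app.ReleaseRequestState += (sender, e) =>
        {
            HttpResponse response = ((HttpApplication)sender).Context.Response;
            // Only HTML is filtered; images, JSON and other bodies pass through untouched.
            if (response.ContentType.StartsWith("text/html", StringComparison.OrdinalIgnoreCase))
                response.Filter = new BufferingRewriteStream(response.Filter, HttpUrl);
        };
    }

    public void Dispose() { }
}

// Write-only stream that holds the whole body until Close, so a URL split across two Write() chunks
// cannot escape the regex. Assumes a UTF-8 response body (the ASP.NET default).
internal sealed class BufferingRewriteStream : Stream
{
    private readonly Stream _inner; private readonly Regex _pattern; private readonly MemoryStream _buffer = new MemoryStream();
    public BufferingRewriteStream(Stream inner, Regex pattern) { _inner = inner; _pattern = pattern; }
    public override void Write(byte[] b, int offset, int count) => _buffer.Write(b, offset, count);
    public override void Flush() { } // deliberately deferred to Close
    public override void Close()
    {
        byte[] output = Encoding.UTF8.GetBytes(HttpsReplacementFilterModule.Rewrite(Encoding.UTF8.GetString(_buffer.ToArray()), _pattern));
        _inner.Write(output, 0, output.Length); _inner.Flush(); _inner.Close(); base.Close();
    }
    public override bool CanRead => false; public override bool CanSeek => false; public override bool CanWrite => true;
    public override long Length => throw new NotSupportedException();
    public override long Position { get => throw new NotSupportedException(); set => throw new NotSupportedException(); }
    public override int Read(byte[] b, int o, int c) => throw new NotSupportedException();
    public override long Seek(long o, SeekOrigin s) => throw new NotSupportedException();
    public override void SetLength(long v) => throw new NotSupportedException();
}
```

Because Rewrite is a plain static method, you can unit test it with sample HTML containing both an allow-listed host and an unknown host and confirm that only the former is rewritten.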