When I was working on this website, I noticed that some of the links on my site were not using HTTPS and were set to use HTTP. An average user wouldn’t know the difference, but I’ll try to explain why this affects you just as much as it does the web host.

HTTP & HTTPS: What do they do, and how are they different?

HTTP stands for HyperText Transfer Protocol. It’s a protocol that allows information to be passed back and forth between the web server and the clients. The important piece of HTTPS is the “S”. You might have guessed it: it stands for secure.

If you visit a website or a webpage, you will notice that its address usually begins with “http://”. This means that the website is sending information back and forth to your device’s browser over an unsecured connection. In other words, it’s possible for someone to “eavesdrop” on the information being sent between the website and your web browser. This is one of the main reasons why, if you are making a purchase or entering a password, you should make sure that the website you are visiting is using https://.

[Image: how Google Chrome displays a site using http://]
[Image: how Google Chrome displays a site using https://]

I’ll try to explain it in a different way so it’s easier to understand. Let’s say you are registering on a website and you are required to create a username and password. If the website you are on is using http://, when you enter the username and password and click submit, the information sent back to the website is not secure. Thus, if a person or a device has unauthorized access, it could potentially see the information being sent from your browser to the website. In other words, they would see that you created the password “abc123”. Now if the website is using https://, they would see “c4B2sA4Vfsh6Deb” instead of your password. This means that the information that is sent between the website and your browser is secure.

Google has released an article recently stating that with the release of Chrome v68, Chrome will mark all HTTP sites as “not secure”.

Forcing HTTPS

If you are using a free SSL service such as Let’s Encrypt, you can generate an SSL certificate with them and install it on your website. Another thing you want to do is to force any links pointing to http:// to use https:// instead. One way you can do this is by modifying your .htaccess file.

# Redirect HTTP to HTTPS
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

If you have any sub-domains, this will not force the redirects for them. You can generate a wildcard certificate or use CloudFlare and enforce https:// to be used for your website.
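The redirect only kicks in after the browser has already sent its first request over http://, so links and form targets that are hard-coded as http:// in your pages are still worth finding and fixing at the source. The Python script below is an added example, not part of the original post, that lists them with their line numbers; the sample page and the example.com names are constructed for illustration.

```python
from html.parser import HTMLParser

# URL attribute per tag; form targets leak submitted fields in cleartext.
URL_ATTRS = {
    "a": ("href", "navigation"),
    "form": ("action", "form-post"),
    "img": ("src", "subresource"),
    "script": ("src", "subresource"),
    "link": ("href", "subresource"),
}


class InsecureLinkFinder(HTMLParser):
    """Collect every hard-coded http:// URL in a page, with its line."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in URL_ATTRS:
            return
        attr_name, kind = URL_ATTRS[tag]
        for name, value in attrs:
            url = (value or "").strip()
            if name == attr_name and url.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], kind, tag, url))


def find_insecure_links(html):
    finder = InsecureLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; example.com is a placeholder domain.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://example.com/style.css">
<script src="http://cdn.example.com/app.js"></script>
</head><body>
<a href="http://example.com/about">About</a>
<a href="/contact">Contact</a>
<form action="HTTP://example.com/login" method="post"><input name="pw"></form>
<img src="//example.com/logo.png">
</body></html>"""

if __name__ == "__main__":
    for line, kind, tag, url in find_insecure_links(SAMPLE):
        print(f"line {line}: {kind:<11} <{tag}> {url}")
```

Relative links (/contact) and protocol-relative links (//example.com/...) are not reported because they inherit the scheme of the page they are on.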

I’ll create a separate and more detailed post on how to access and edit the .htaccess file along with setting up CloudFlare for your website.
