How to set up a secure https connection on your site?

HTTPS is a secure communication protocol that provides cryptographic encryption of information on the network. In fact, this is an improved version of the HTTP protocol, which has been widely used to build Internet communications since the 90s. For the full operation of https, you need to install an SSL certificate on the site - a document that allows you to use private and public encryption keys. With https, any transactions become secure and messages private. The possibility of interception of personal data by fraudsters tends to zero. In this article, we'll show you how to install https and how to make your site secure in practice.

Why you need an https and ssl certificate

Without a special security protocol, communication channels remain open. Here is a simplified analogy. Imagine that the letter that you send by mail can be opened and read by anyone. At the same time, the envelope can contain not only friendly correspondence, but also bank data or other confidential information. This is how the http protocol works. Thanks to the SSL certificate, the “letter” is encrypted with a public key. In this case, only the recipient has the private key, and only he will be able to decrypt the transmitted information.

A secure site with https is needed, first of all, to:

• ensure the security of financial transactions;
• increase user confidence in the site and its owners;
• save traffic - modern browsers simply don't allow users to visit pages without SSL installed;
• Prove the reliability of the resource to search engines - otherwise you can get the status “this website is not secure”.

The webmaster doesn't really have to choose between http and https anymore. Without a security protocol, the resource is simply not viable.

How https works

In general terms, the scheme of work can be represented as follows.

1. The user sends a request to connect to the site through the browser.
2. The browser asks the site for SSL certificate details.
3. The site sends the requested information.
4. The browser authenticates the security document through the certificate authority.
5. After verification, the browser and the web resource generate a symmetric key, with which all transmitted information is subsequently encrypted.

Now, even if the user's data gets to third parties, they will not be able to read it. Security will ensure a secure site connection.

Types of SSL certificates

By number of domains:

• single domain - the document is valid only for one domain or subdomain;
• WildCard SSL - certificate for an unlimited number of domains.

By degree of verification:

1. DV - domain validation. The easiest, cheapest and most common option. To receive the document, the webmaster only needs to confirm ownership of the domain.
2. OV - organization validation. Issued after verification of the company and legal entity that applied for the certificate. It costs more than DV. It is sometimes necessary for online stores and sites that work with online services for accepting payments.
3. EV - extended check. The most difficult type of protocol to obtain. To confirm information about the organization, an employee of the certification center can contact a representative of the applicant company. If the site has EV-level SSL installed, a green bar and the name of the company owner of the resource appear in the address bar of the browser next to the page url. This increases user confidence. Extended validation protocols are rare - they are purchased by banks and large international corporations that value online reputation.

https connection process

Setting up a secure connection for a site is a multi-step process. Each of them should be treated carefully in order to avoid further problems with access to the resource and its ranking in search engines.

Preparation

1. Change absolute internal urls to relative ones.

After connecting SSL, the platform completely switches to the https protocol. If some internal documents continue to link to pages with the http prefix, a security conflict will arise - the site will not be considered secure. Therefore, all absolute links like http://exemple.com/contacts should be replaced with relative ones - /contacts.

If search engines detect mixed content on a page, the user will see a “Site connection is not secure” error. How to fix it? Only by changing all links.

2. Checking scripts and external content.

Pictures, videos and scripts can also be downloaded from http links. Such materials need to be changed or removed. In the case of scripts, rewrite links to relative ones.

3. We conduct a technical audit.

Before changing the protocol, it is necessary to check the merging of mirrors, remove broken links, fix incorrectly working scripts.

Purchasing a certificate

To purchase SSL, you need to contact a certificate authority or your hosting provider. You can choose the simplest domain option - DV - and immediately generate a CSR key, which will be needed later to configure the protocol. After paying for the order and confirming the domain, a secure certificate for the site will be ready either immediately or in a few days.

Protocol settings

The exact steps to install SSL depend on your hosting and CMS. We will not dwell on them in detail, since each site has its own step-by-step instructions. We only note that among the mandatory actions will be:

• prescribing a key and uploading certificate files to hosting;
• editing the .htaccess file;
• updating server settings in CMS.

Site optimization

In order not to lose positions in the search, after switching to a secure site protocol, you need to perform a number of actions.

1. Gluing mirrors.

In Yandex.Webmaster, in the "Moving site" section, check the "https" box.

Google Search Console has a "Change name" section.

2. Setting up robots.txt and sitemap.xml.

Be sure to update the service files in the webmaster panels. In robots.txt, you will need to change the Host directive. The sitemap file is regenerated.

3. Updating analytics counters.

It is necessary to re-generate and add Yandex Metrica and Google Analytics counters to the site.

Conclusion

The error “The site is not protected” can fatally affect the reputation and traffic of the resource. To prevent this from happening, you need to purchase and then update the SSL security certificate in time. With it, user data will be protected, and the site will work on a modern, encrypted connection.