10 Steps to Transfer a Website from HTTP to HTTPS

Aug 1, 2018 | Jindřich Zechmeister

Installing an SSL/TLS certificate and securing a website is inevitable but not complicated. However, it is advisable to be cautious and to consider all the related aspects. Today´s article should help readers install the certificate without any complications.

Step One – Assess Security Risks on your Website

The first step is to explore all web addresses (URL) and make sure they work with the HTTPS protocol and that you can change them if necessary. Editing links to the website itself is quite simple and you can do it with the help of a webmaster; if the links are relevant (see Step Five), it will not be necessary to edit the links in any way. If you use HTTP in the links in the website's source code, you will have to ask the webmaster to change the links in the database directly.

Besides the content itself, it is necessary to check the external content and everything you download from outside. HTTPS of the content source has to be functional, which is not always the case. If HTTPS is unavailable, there will be a problem with mixed content, which is a topic covered in Step Five.

When analysing your website, you should evaluate all external tools, plug ins and extensions. Exclude the ones you do not need urgently. Prefer Open-source solutions and do not use add-ons which are not regularly updated and therefore do not have corrected security loopholes.

Step Two – Create a Backup

You should create a backup before you make any more serious change to the website, which includes deploying a certificate. In theory, not much can go wrong but you probably know Murphy's law, so it is better to be sure. We recommend you discuss the backup with your web host or administrator. From the provider's side, the backup and restoring from backup is easy because it has automated tools. The administrator or webmaster can create a backup of the website manually.

Step Three – Choose the Right Certificate

Getting a certificate is easy. Choose a certificate at SSLmarket.com based on the form of verification, level of authentication and price. Even when you choose the cheapest SSL/TLS certificate such as RapidSSL, you cannot go wrong and your website will be safe and trustworthy. If you need help choosing, do not hesitate to use our guide on how to choose an SSL/TLS certificate. If you want to have your company name next to the address bar (as you can see at www.SSLmarket.com), make sure you choose an EV certificate with extended verification. Your website will be fully trustworthy with any SSL/TLS certificate from the SSLmarket offer and your visitors will not get any error messages or warnings.

Step Four – Get and Deploy an SSL/TLS certificate

You will receive the newly issued SSL/TLS certificate by email and then proceed to install it. If you do it yourself, you will certainly appreciate the procedures in our SSLmarket Help.

To install, you need access to the server and it is more suitable for an experienced administrator as there may be complications leading to problems, such as malfunction of the web server.

The right webhost will enable you to deploy the certificate through service administration, for example web host CZECHIA.COM enables the installation of a free or commercial certificate on one server with one click. Why not use it?

Step Five - Mixed Content

Mixed content is everything which is loaded onto a website via the unsecured protocol HTTP. With static elements such as pictures, the encryption of a website is disrupted and the browser displays a warning. If the elements are, such as scripts, they will get blocked by most browsers. Mixed content therefore means that visitors will see a security warning in the browser and their safety and trust will be undermined; or the given element will be blocked and not visible on the website, which will negatively affect the usability of the site.

When inserting all elements into the website, use relative URL addresses and do not specify HTTP or HTTPS protocols directly in HTML links.

Step Six – Comply with Safety Standards

An SSL/TLS certificate on a website is only a tool to ensure the security of visitors. It does not determine the security of the site. Therefore, it is important to stick to up-to-date safety recommendations and standards.

An example of good practice is to disable old SSL protocols that are considered dangerous and to use only their safe successors called TLS protocols. You need to approach cipher settings on your server. Poor setup can completely degrade the website's security, and the certificate is unnecessary. Keeping track of and assessing current security threats and trends is demanding, and practically no ordinary site owner has time to do so. Administrators at least watch current security events. That's why it's good to use a tool that will work it out for you - for example, the SSLlabs.com test. The test will show the security status of the site and will very accurately show the weaknesses to be resolved. With this tool, it is easy to set up a website safely.

Step Seven - Redirect HTTP to HTTPS

The most important step after certificate installation is redirecting HTTP to HTTPS. It has to be done manually (it will not work automatically after deploying a certificate) and this task can be given to your server administrator or you can ask your web host.

If the redirection does not happen, visitors will use HTTP (unless they manually write HTTPS in the address) and the certificate will be more or less superfluous. From the SEO point of view, redirecting with the 301 status code is a must, otherwise Google will see two identical versions of your website and the site ratings will split between them.

Step Eight - Deploy HSTS

HSTS stands for HTTP Strict Transport Security. This is an HTTP header extension that ensures all HTTPS traffic is secure. Simply said, after deploying HSTS, it will no longer be possible to "get" onto the site over an unsecured HTTP protocol.

Using HSTS requires good certificate management, because if a certificate expires on the site, all your visitors will see this error. Customers at SSLmarket.com are notified about the certificate expiration once a month in the form of a summarising statement, then several times in the given certificate, and customers can set auto renew with automatic reimbursement. This avoids the expiration problem. Of course, the administrator must not forget to deploy the extended certificate!

Together with the HSTS mechanism, the supplementary HPKP technology is often mentioned. This is a public definition of the keys (i.e. certificates) that can be used for the website. They can be added to the list of domains available through HSTS in the browser itself. In practice, it is a very dangerous tool. We definitely do not recommend you use it because you can completely disable your site for the time the header is valid for. Typically, the validity is set for 31536000 seconds, which is one year(!).

Step Nine - Secure Cookies

Secure the cookies your site uses. Cookies are an expression that you certainly know from the annoying bars of almost all the websites you encounter on the Internet. They are small files that store a visitor’s information and identification. You must ensure that you use secure cookies on the server side. This guarantees the "HttpOnly" and "Secure" flag; a secure cookie means that it is transferred to the client using HTTPS and the content cannot be intercepted. As the next level of security, it is possible to deploy cookie encryption. They will no longer be saved as plain text files for the visitors they but will be encrypted. This avoids the theft of a site user’s login.

Step Ten -  Use One Form of URL and Check SEO Tools

In the seventh step, we introduced the redirection from HTTP to HTTPS. It was not just for security, but also because of SEO. One page available on both HTTP and HTTPS also means double separate content for search engines (logically duplicate). And that definitely is not good. A similar problem is the function of the site on the bare domain and on WWW domain; also this duplication must be removed by redirecting. Duplicate pages even occur in the presence or absence of a slash at the end of the URL (such as Wordpress and other publishing systems).

For Google Analytics, which you certainly use on the web, the HTTP and HTTPS site may appear as two different hostnames, which affects SEO and the usability of Google Analytics. Just like for the formats name-domain.cz and www.name-domain.cz. After redirecting from HTTP to one URL format with HTTPS, make sure that the SEO tools you used only use one domain form.

Ing. Jindřich Zechmeister
TLS certificate specialist
Certificated Sales Expert Plus
e-mail: jindrich.zechmeister(at)zoner.com