HTTPS provides three essential layers of protection: encryption, which keeps the exchanged data confidential; data integrity, which means data cannot be modified or corrupted during transfer without being detected; and authentication, which proves that your users communicate with the intended website. With that in mind, here is a guide and checklist for migrating from HTTP to HTTPS using an SSL certificate.
HTTPS – SSL Migration Guide
A little backstory before the SSL migration checklist
In 2014 HTTPS became a hot topic after the Heartbleed bug became public. This bug allowed people with ill intent to listen in on traffic being transferred over SSL/TLS. It also allowed them to hijack and/or read the data. Luckily, this bug got patched quickly after its discovery. This incident was a wake-up call that properly encrypting user information over the internet is necessary and shouldn’t be optional.
To emphasize the importance of encrypting sensitive data, Google Chrome (since January 2017) displays a clear warning next to the address bar whenever you visit a website that doesn’t encrypt potentially sensitive data, such as forms.
What is HTTP/2?
Released in 2015, the HTTP/2 specification is an upgrade to the HTTP protocol that allows for faster loading times and greater security. For most popular browsers, a protocol upgrade to HTTP/2 requires websites to use HTTPS. So if you’re planning to migrate from HTTP to HTTPS, it might also be worth looking into HTTP/2. When you do, you may also want to consider implementing HSTS…
How about HSTS, and what is it?
HSTS stands for HTTP Strict Transport Security and is a web server policy designed to protect websites from cookie hijacking and protocol downgrade attacks by requiring user agents such as web browsers to only use HTTPS connections. This reduces the likelihood of “man-in-the-middle” attacks designed to convert HTTPS connections to HTTP connections covertly and prevents the collection of cookie-based website login credentials.
What to do before migration?
Choose the right SSL certificate: purchase a certificate with a 2048-bit key and a SHA-2 signature from a certificate authority, or upgrade your existing 1024-bit key. Test it and set expiration date reminders. Certificate options are available for a single domain, multiple domains (if you have subdomains) or wildcards (if you have dynamic subdomains). Moreover, you can choose between Domain Validation, Organization Validation and Extended Validation certificates (the last two options provide advanced features, but are also more expensive, require proof of your organization’s existence, and usually take a few days to issue).
Best time to plan your migration to HTTPS: It’s a good idea to migrate when your site typically gets less traffic. Also, try to start at the beginning of the workday, when your dev and SEO colleagues can fix any issues.
Crawl an existing HTTP site: This is an opportunity to address any unresolved technical issues and get a complete picture of your URL structure, in conjunction with looking at your website’s backend. It will also help you identify any technologies that might cause an outage during the migration, e.g., plugins, add-ons, external scripts, payment gateways, PDFs, and internal site searches. Also, if you are using a CDN, check whether any factors should be considered when migrating (such as disabling or clearing the cache).
Benchmark ranking and traffic: If you haven’t already, it’s a good idea to benchmark your rankings for key search terms and set up an analytics platform (like Google Analytics) to monitor how these fluctuate before and after the migration.
How do I switch?
Because your data must be safe, we took steps in 2014 to ensure that we have SSL certificates across our websites. If you decide to switch (you really should!), there are a few things that you need to take into account to ensure your website fully works as soon as you’re ready.
- You need to change all your internal links. This also means updating links to assets (where necessary). Review your theme and alter references to CSS, images, and JavaScript files. Additionally, you can change all your links to start with // instead of https://, which will result in protocol-relative URLs.
- Ensure your CDN supports HTTPS SSL as well. We use MaxCDN, allowing you to set up SSL on your CDN subdomain easily.
- There are various levels of SSL that you can choose from, each with its pros and cons. You will find more information about that later on.
- Ensure you have a canonical link present in the <head> section of your website to properly redirect all traffic coming in from http:// to https://.
Google also published a handy guide on moving to HTTPS without massively impacting your ranking, which can be found here.
How does this influence my rankings?
As stated in the previous section, moving from HTTP to HTTPS SSL can influence your rankings slightly if you don’t plan accordingly. However, your rankings will improve over time after switching to HTTPS. Google announced in 2014 that having an SSL certificate would be considered a positive ranking factor, so it’s worth the investment. But make sure you follow the SSL migration checklist so you don’t skip any step.
To make sure Googlebot can re-index your website more rapidly after the move, make sure you migrate during low-traffic hours. This way, Googlebot can use more of your server’s resources. Just consider that a medium-sized website might take a while to regain rankings. Have a sitemap? Then Googlebot might be able to recalculate and re-index your website even faster.
Setting up HTTPS & SSL on your server
Generally speaking, hosting providers have a service that allows you to enable HTTPS and order a certificate. You can choose from a few types of certificates, which differ in several ways. Every variant also has its price tag, so before purchasing one, make sure you go with a certificate that fits your needs and budget!
If you’re a bit strapped for cash and tech-savvy, look at Let’s Encrypt to acquire a free SSL certificate for your HTTPS migration, and add a check with your host to your checklist, because some hosts add it for free.
If you run and manage your web server, there are a few things that you’ll have to enable in your server configuration before being able to use SSL certificates. This tutorial explains the steps to get a certificate running on your server.
OCSP stapling
Having to check the validity of an SSL certificate can result in a minor hit in loading speed. To overcome this, you can make use of OCSP stapling. With OCSP stapling, the server itself fetches the certificate vendor’s OCSP response and includes (“staples”) a copy of it in the TLS handshake. This means that once a browser connects to the server, it receives the certificate’s validity status from the copy held by the server instead of having to query the certificate vendor itself, resulting in a significant performance improvement.
Apache HTTPS SSL migration checklist
Before enabling OCSP stapling on your Apache server, please check that you’re running version 2.3.3+ of Apache by running the command apache2 -v (or httpd -v) on your server. Lower versions of Apache do not support this feature.
Suppose you went through the process of setting up HTTPS on your server as described in the ‘Setting up HTTPS & SSL on your server’ section. In that case, you should have come into contact with a VirtualHost configuration specifically made for usage with HTTPS/SSL.
In that file, take the following steps:
- Inside the <VirtualHost></VirtualHost> section, add:
SSLUseStapling on
- Just above the <VirtualHost></VirtualHost> section, add:
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
- Check that the configuration is still valid by running:
apachectl -t
If so, reload Apache by running:
service apache2 reload
Nginx
Nginx also supports OCSP stapling. Before editing the server configuration, please check that you’re running version 1.3.7+ of Nginx by running the command nginx -v on your server. Lower versions of Nginx do not support this feature.
If you went through the process of setting up HTTPS on your server as described in the ‘Setting up HTTPS & SSL on your server’ section, then you should have come into contact with an Nginx configuration specifically made for usage with HTTPS/SSL.
In that file, add the following lines in the server {} section:
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;
The last line references a file that contains a list of trusted CA certificates. Nginx uses this file to verify the OCSP responses (and client certificates, if you use them) when ssl_stapling_verify is on.
After adding these lines to the file, check that the configuration is still valid by running:
service nginx configtest
If so, reload Nginx by running:
service nginx reload
Strict Transport Security header
The Strict Transport Security header (HSTS) is another handy feature that forces browsers to use HTTPS requests instead of the HTTP equivalent. Enabling this feature is relatively painless.
Apache
If you’re running Apache, first enable the Apache Headers module by running:
a2enmod headers
After this, it’s only a matter of adding the following line to your VirtualHost configuration (in the <VirtualHost></VirtualHost> section) that you set up earlier for HTTPS:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Reload the Apache service, and you’re good to go!
Nginx HTTPS SSL migration checklist
Nginx requires you to add the following line in the server {} section of your server configuration file:
add_header Strict-Transport-Security max-age=31536000;
Testing
To see if your SSL certificate is working correctly, head over to SSL Labs, fill in your domain name and see what kind of score you get.
Redirecting URLs
To ensure requests are correctly redirected to the HTTPS URL, you must add an extra line to your configuration. This way, traffic that tries to visit your website over HTTP will automatically be redirected to HTTPS.
Apache HTTPS SSL migration
In your default VirtualHost configuration (so the one that’s used for HTTP requests), add the following to ensure URLs get properly redirected:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
As with the other changes we made before, don’t forget to reload Apache to load the HTTPS SSL site!
Nginx
In Nginx, change the default configuration file that was used for HTTP requests and alter it as such:
server {
    listen 80;
    server_name your-site.com www.your-site.com;
    return 301 https://your-site.com$request_uri;
}
Don’t forget to reload Nginx before testing these changes.
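Once the redirect and the Strict-Transport-Security header are in place, both can be checked offline from the response status, Location header and HSTS value (the values curl -I prints). The Python script below is an added example and not part of the original guide: the responses in SAMPLE_RESPONSES are constructed, and the one-year threshold mirrors the max-age=31536000 used in the configuration lines above.

```python
"""Offline checks for the HTTP -> HTTPS redirect and the
Strict-Transport-Security header configured in the sections above.
Added example; the responses in SAMPLE_RESPONSES are constructed."""
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; matches the max-age in the config lines above


def parse_hsts(value):
    """Split an HSTS header value into {directive: value}.
    Directive names are case-insensitive; values may be quoted."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def evaluate_hsts(value):
    """Return a list of findings for an HSTS header value; empty means OK."""
    if value is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    directives = parse_hsts(value)
    if not directives.get("max-age", "").isdigit():
        return ["max-age directive missing or not an integer"]
    findings = []
    max_age = int(directives["max-age"])
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set; subdomains stay unprotected")
    return findings


def evaluate_redirect(request_url, status, location):
    """Check that a plain-HTTP request got a permanent redirect to HTTPS
    that keeps the path and query string. The host may legitimately
    change (the Nginx rule above sends www to the bare domain)."""
    findings = []
    if status not in (301, 308):
        findings.append(f"expected a 301/308 redirect, got {status}")
    if not location:
        return findings + ["no Location header"]
    src, dst = urlsplit(request_url), urlsplit(location)
    if dst.scheme != "https":
        findings.append(f"redirect target is not https: {location}")
    if (dst.path, dst.query) != (src.path, src.query):
        findings.append("redirect drops or changes the path or query string")
    return findings


def check_site(responses):
    """Run both checks over {url: (status, location, hsts_value)}."""
    report = {}
    for url, (status, location, hsts) in responses.items():
        if url.startswith("http://"):
            report[url] = evaluate_redirect(url, status, location)
        else:
            report[url] = evaluate_hsts(hsts)
    return report


# Constructed stand-ins for what `curl -I` would show after the changes above.
SAMPLE_RESPONSES = {
    "http://www.your-site.com/cart?item=3":
        (301, "https://your-site.com/cart?item=3", None),
    "https://your-site.com/cart?item=3":
        (200, None, "max-age=31536000; includeSubDomains"),
}

if __name__ == "__main__":
    for url, findings in check_site(SAMPLE_RESPONSES).items():
        print(url, "->", "OK" if not findings else "; ".join(findings))
```

Fed the Apache header value from above, evaluate_hsts returns no findings; fed the Nginx value (max-age only), it reports the missing includeSubDomains so you can decide whether leaving subdomains out is intentional, for instance because one of them is still served over plain HTTP. Note also that Nginx only adds add_header headers to 2xx and 3xx responses unless the directive carries the always parameter (available from Nginx 1.7.5), so check an error page as well as the home page.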
What to do after migration?
Set up Google Search Console and Bing Webmaster Tools: Add, verify, and configure www and non-www HTTPS versions of your site in Google Search Console, and update your version of Bing Webmaster Tools. If applicable, resubmit your disavow file, URL removal requests, and URL parameter settings.
Crawl the site again: Crawl the site again to verify that nothing is broken – or still loading over HTTP – and fix any errors.
Submit your XML sitemap and request indexing: Submit the updated XML sitemap to Google Search Console and Bing Webmaster Tools, and use their “Fetch as Google” and “Submit URL” features to submit the site to their indexes.
Update all references to your HTTPS website: If applicable, update the following: social media platforms, social network share buttons (you may need to use a share count recovery tool to avoid data loss), Facebook Open Graph tags, PPC campaigns, email marketing campaigns and any other places where you have shared your site without HTTPS.
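Two of the steps above, rewriting internal links and asset references to HTTPS (“How do I switch?”) and crawling the site afterwards to catch anything still loading over HTTP, can be automated against saved HTML. The Python script below is an added example, not code from the original guide; SAMPLE_HTML and OWN_HOSTS are constructed for illustration, and the scan covers the common URL-carrying attributes rather than every place a browser can find a URL (inline CSS, for instance, is not covered).

```python
"""Find links and assets still referenced over http:// in a page and
rewrite the ones on our own hosts to https://. Added example; the HTML
and host list below are constructed, not taken from a real site."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Attributes that carry URLs the browser follows or fetches.
URL_ATTRS = {("a", "href"), ("link", "href"), ("script", "src"),
             ("img", "src"), ("iframe", "src"), ("form", "action")}


class HttpReferenceScanner(HTMLParser):
    """Collect (tag, attr, url, is_asset) for every http:// reference."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for tag_name, attr in URL_ATTRS:
            if tag_name != tag:
                continue
            url = attrs.get(attr) or ""
            if not url.lower().startswith("http://"):
                continue
            # A <link> is a fetched asset only for stylesheets; rel=canonical
            # is read by search engines and is not mixed content.
            rel = (attrs.get("rel") or "").lower()
            is_asset = tag in ("script", "img", "iframe") or (
                tag == "link" and "stylesheet" in rel)
            self.found.append((tag, attr, url, is_asset))


def find_http_references(html):
    scanner = HttpReferenceScanner()
    scanner.feed(html)
    return scanner.found


def classify(references, own_hosts):
    """Group references: assets loaded over HTTP break the padlock (mixed
    content); internal links cost a redirect; external links are left to
    the other site's owner."""
    report = {"mixed_content": [], "internal_links": [], "external_links": []}
    for _tag, _attr, url, is_asset in references:
        if is_asset:
            report["mixed_content"].append(url)
        elif (urlsplit(url).hostname or "") in own_hosts:
            report["internal_links"].append(url)
        else:
            report["external_links"].append(url)
    return report


def rewrite_internal(html, own_hosts):
    """Rewrite http:// URLs on our own hosts to https://. External URLs are
    left alone because we cannot know whether that site serves HTTPS."""
    urls = {url for _t, _a, url, _asset in find_http_references(html)
            if (urlsplit(url).hostname or "") in own_hosts}
    for url in urls:
        parts = urlsplit(url)
        html = html.replace(url, urlunsplit(("https",) + tuple(parts[1:])))
    return html


# Constructed sample page mixing internal, external and already-secure references.
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="http://your-site.com/about">
<link rel="stylesheet" href="http://your-site.com/css/site.css">
<script src="http://cdn.your-site.com/js/app.js"></script>
</head><body>
<a href="http://your-site.com/contact">Contact</a>
<a href="http://example.org/partner">Partner</a>
<img src="https://your-site.com/img/logo.png">
</body></html>"""
OWN_HOSTS = {"your-site.com", "www.your-site.com", "cdn.your-site.com"}

if __name__ == "__main__":
    before = classify(find_http_references(SAMPLE_HTML), OWN_HOSTS)
    fixed = rewrite_internal(SAMPLE_HTML, OWN_HOSTS)
    after = classify(find_http_references(fixed), OWN_HOSTS)
    print("before:", before)
    print("after :", after)
```

Run it over the saved HTML of each template or page (a crawler export works well). Anything left under mixed_content after rewriting is an external asset that needs an HTTPS source or a local copy, because browsers block or warn on http:// assets inside an HTTPS page, which is exactly the “still loading over HTTP” condition the post-migration crawl is meant to catch.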
HTTPS SSL migration conclusion
“Should I switch over to HTTPS?” Short answer: Yes. Using HTTPS ensures that private (user) information is sent more securely across the web. Especially if you’re dealing with monetary transactions, HTTPS is a must.
What certificate you end up with depends on your specific use case and budget. Make sure to properly research your options beforehand.