Are you considering a migration from the plain-old HTTP protocol to the secure HTTPS standard? Depending on your site, installations, and specific hosting circumstances this can be an easy or difficult task. We aim to make it easy for webmasters to implement this change in this guide which covers all essentials for this migration.
Choose your SSL certificate
One of the most important decisions that prospective migrations to HTTPS have to plan out is the type of the notwork security certificate that the website administrators want to implement. One of the reasons for choosing the secure protocol (remember the “S” stands for Secure) is that it helps to authenticate (validate) the data transfer between the visitors and the site over the setup encrypted stream of information. The presence of the HTTPS protocol and the proper setup will also enable the use of complex web applications, certain content management systems, and payment solutions.
We remind our readers that the HTTPS protocols enforce the use of a secure and encryption called TLS (Transport Layer Security). This allows the enforcement of encryption (encrypting the data), provisioning of data validation (the information is confirmed to not have been modified during transport), and authentication.
HTTPS is combined with a security certificate to validate the website to which the information is being posted. This is done to secure it from potential spying and manipulation as it travels around the networks and servers. To enable HTTPS a suitable certificate must be chosen. This is required before the HTTP to HTTPS redirection is performed.
We advise that you check with your hosting provider as most of them provide different types free of charge, part of the base platforms. The basics of the certificates is that there are different types of categorization. Usually, most registrars and hosting providers will base them following the validation criteria — that is as to what extent the website’s information and credentials have been verified by a trusted institution (Certificate Authority, also called CA). According to this classification, there are three main types of security certificates:
- Domain validated (DV) Certificates — This is the most common and “basic” type of certificate available to website owners. By design, it will verify that the used domain name matches with a registered public encryption key. They are very easy to set up, are issued very fast, and allow connections to be made. Apart from this, there are no other details that are validated. This is the reason why almost all of them are provided for free by hosting providers.
- Extended Validation Certificates — These certificates are produced to verify the legal organization that is behind the given website. It is regarded as a much more trustworthy and authoritative type of document. To have it issued the Certificate Authority (CA) organization will validate the provided data in a thorough check. This includes the domain contact details, business records (checking if the company is in good standing), verification via phone, and etc.
- Organization Validated (OV) Certificates — Unlike the previous type of certificates, these ones also verify the legal organization that is running the website. They are much more expensive due to the high validation requirements.
Usually, there are two places from where an administrator can obtain them — web hosting providers or the independent certificate authorities (CA). Commonly, it is easier and cheaper to buy one from the hosting provider that the web administrators use. They will also have detailed instructions on how to implement them.
Update all links For Proper Redirection
After the site certificate is installed in the proper way following the prescribed instructions by the hosting provider, the first steps to creating the necessary redirection links. This is the most important step, as this will lead to proper link building and internal structure that corresponds to the secure versions of the site as opposed to the plain HTTP.
NOTE: In the proper or inadequate rebuilding of the links will lead to potential browsing issues and a penalty in the ranking by the search engines. Redirection must be made very carefully.
- Relative Linking — This is a preferred method as it will properly even if the secure protocol is not wholly-established. In case of any errors in redirection implementation, the pages will still load the HTTP version. An example would be an URL like “http://www.example.com/link”, its relative link rewrite should be “/link”. The trailing slash is mandatory as it illustrates the top-down path to the given object.
- Absolute Address Linking — This is the other type of URL changes in which the full path is rewritten. This provides a more accurate object linking, however, if the certificate is not installed properly, or there is an error in the web server configuration many issues can be encountered.
301 Redirection Implementation
The best way to make this procedure once the certificate is properly installed is by using server-side 301 redirects. This is a specification, part of the secure protocol, that changes the HTTP URL of a page that confronts the secure communications scheme. This is considered the best way to make sure that the visitors, search engines, and other applications reach the site properly.
The easiest way to do a redirect on an Apache server is to edit the .htaccess configuration file and add in a special rewriting module (called mod_rewrite), then enable its function to do this procedure. In the configuration file add these two lines:
In this configuration file you can then place a line that gives instructions to the webserver on how and where to redirect a page:
Redirect 301 /retiredpage.html http://www.xyz.com/newpage.html
Changes for an entire directory can be the following:
RedirectMatch 301 ^/oldname/ http://www.xyz.com/newname/
Ensure that all URL addresses point to the HTTPS version of the pages and resources. Refer to NGINX’s documentation to learn how this is done on this webserver.
An important tip is to also make sure that the HTTPS is not blocked in the robots.txt file which is used by search engine bots for the purpose of ranking. In the secure pages it is important not to include noindex tags.
While HTTPS migration is not so difficult, it is very important to plan ahead. We recommend that you verify the URLs open correctly after the redirection has been made. Usually complex content management systems like WordPress and Joomla will automatically install themselves in the proper and will not require manual alterations to the objects that they control. This means that as long as data is not uploaded and linked using other methods, the administrators will not need to rewrite them.
HTTPS redirection is considered very important not only for the proper security, authenticity, and operation of complex and dynamic sites but also if they include payment processing and other elements that require sensitive information transmission. According to the best SEO practices, sites that operate using the secure protocol (as opposed to plain HTTP) are much more likely to rank higher.