This article provides you with information on how to secure your Domain with SSL.
If you are collecting ANY sensitive information on your website (including email and password), then you need to be secure. One of the best ways to do that is to enable HTTPS, also known as SSL (Secure Sockets Layer), so that any information going to and from your server is automatically encrypted. This prevents hackers from sniffing out your visitors’ sensitive information as it passes through the internet.
Your visitors will feel safer on your site when they see the lock while accessing your website – knowing it’s protected by a security certificate.
Overview
The best thing about SSL is it’s simple to set up, and once it’s done all you have to do is route people to use HTTPS instead of HTTP. If you try to access your site by putting https:// in front of your URLs right now, you’ll get an error. That’s because you haven’t installed an SSL Certificate.
Setting up HTTPS on your website is very easy. Just follow these 5 simple steps:
– Host with a dedicated IP address
– Buy a certificate
– Activate the certificate
– Install the certificate
– Update your site to use HTTPS
Step 1: Host with a dedicated IP address
In order to provide the best security, SSL certificates require your website to have its own dedicated IP address. With a dedicated IP, you ensure that the traffic going to that IP address is only going to your website and no one else’s.
Step 2: Buy a Certificate
Next, you’ll need something that proves your website is your website – kind of like an ID Card for your site. This is accomplished by creating an SSL certificate. A certificate is simply a paragraph of letters and numbers that only your site knows, like a really long password. When people visit your site via HTTPS that password is checked, and if it matches, it automatically verifies that your website is who you say it is – and it encrypts everything flowing to and from it.
Technically this is something you can create yourself (called a ‘self-signed cert’), but all popular browsers check with “Certificate Authorities” (CAs) which also have a copy of that long password and can vouch for you. Please see here how to purchase a certificate with 1-grid.
Step 3: Activate the certificate
If you’re activating the certificate yourself, the next step is to generate a CSR. It’s easiest to do this within your web hosting control panel – such as WHM or cPanel. Go to the SSL/TLS admin area and choose “Generate an SSL certificate and Signing Request”. Fill out the fields in the screen below:
“Host to make cert for” is your domain name, and the contact email can be blank.
Copy the first block of text. You’ll need this “CSR” to give to the SSL cert issuer so they can establish your identity. Log in to your account (or wherever you bought your certificate) and activate it. Paste your CSR and any other fields needed. It will ask you for an approver email. This is an email address that proves you own the domain, i.e. ssl@1-grid.com. If it doesn’t exist, you’ll need to create it so you can get the email that contains the final certificate. Follow the steps and, when you are done, that email address should have received the cert as a .crt file.
Step 4: Install the certificate
If you’re installing the certificate yourself, this is the easiest step you’ll ever do. You have the certificate in hand; all you need to do is paste it into your web host control panel. Please see the article here on how to install your SSL.
Paste it into the first box and hit submit. That’s it! Now try to access your site via https://www.domain.com – you should be secure!
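The command-line equivalent of Steps 3 and 4, as an added example that is not part of the original article or of 1-grid's tooling: it generates the private key and CSR with OpenSSL, then checks that a certificate belongs to your private key before you install it. The domain, the file names and the self-signed stand-in for the issuer's reply are assumptions made so the script runs offline.

```bash
#!/usr/bin/env bash
set -e

DOMAIN="www.example.com"   # placeholder for the "Host to make cert for" field

# Create a 2048-bit RSA private key and a CSR for one host name.
# The key never leaves the server; only the CSR is pasted to the issuer.
make_csr() {   # usage: make_csr <domain> <key-file> <csr-file>
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$2" -out "$3" -subj "/CN=$1" 2>/dev/null
    chmod 600 "$2"
}

# Print a SHA-256 digest of the public key held in a key, CSR or certificate.
# Returns non-zero if the file cannot be parsed.
pubkey_digest() {   # usage: pubkey_digest key|csr|crt <file>
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac || return 1
    printf '%s\n' "$pem" | openssl sha256
}

# Succeed only if the certificate was issued for this private key.
cert_matches_key() {   # usage: cert_matches_key <crt-file> <key-file>
    c=$(pubkey_digest crt "$1") && k=$(pubkey_digest key "$2") && [ "$c" = "$k" ]
}

work=$(mktemp -d)
make_csr "$DOMAIN" "$work/site.key" "$work/site.csr"
openssl req -in "$work/site.csr" -noout -subject   # the name the issuer will see

# Constructed stand-in for the issuer's e-mailed .crt: self-sign the CSR so
# the check below has something to run against offline.
openssl x509 -req -in "$work/site.csr" -signkey "$work/site.key" \
    -days 1 -out "$work/site.crt" 2>/dev/null

if cert_matches_key "$work/site.crt" "$work/site.key"; then
    echo "OK: certificate matches the private key, safe to install"
else
    echo "MISMATCH: this .crt was issued for a different key" >&2
fi
```

With a real order, skip the self-signing line and run cert_matches_key against the .crt file you received by email.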
Step 5: Update your site links to HTTPS
At this point, if you go to https://yoursite.com you should see it load! Congrats, you’ve successfully installed SSL and enabled the HTTPS protocol! But your visitors aren’t protected just yet: you need to make sure they’re accessing your site through HTTPS!
Keep in mind that you typically only need to protect a few pages, such as your login or cart checkout. If you enable HTTPS on pages where the user isn’t submitting sensitive data, it’s just wasting encryption processing and slowing down the experience. Identify the target pages and perform one of the two methods below.
You can update all links to the target pages to use the HTTPS links. In other words, if there’s a link to your cart on your home page, update that link to use the secure link. Do this for all links on all pages pointing to the sensitive URLs.
However, if you want to ensure that people can only use specific pages securely no matter what links they come from, it’s best to use a server-side approach to redirect the user if it’s not HTTPS. You can do that with a code snippet inserted on top of your secure page. Here’s one in PHP:
// Require HTTPS ($_SERVER['HTTPS'] is unset or "off" on plain HTTP)
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    $url = "https://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
    header("Location: $url");
    exit;
}
Another server-side approach is to use mod_rewrite. This won’t require you to change any of your website files but will need you to modify your Apache configuration. Here’s a nice mod_rewrite cheat sheet, or just use this example:
RewriteEngine On
RewriteCond %{HTTPS} off
# [R] forces an external redirect; [L] stops further rules
RewriteRule ^/?(cart/|checkout/) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
This will ensure that if anyone accesses a page via HTTP they will automatically be redirected to HTTPS.