In this guide we’ll learn what HTTPS is and why it’s important that your site uses it. We’ll also broadly address how to set up HTTPS, but for full instructions, check out one of these guides:
- HTTPS / SSL via “Let’s Encrypt” on an Nginx Web Server
- HTTPS / SSL via “Let’s Encrypt” on an Apache Web Server
What is HTTPS?
HyperText Transfer Protocol Secure (HTTPS) is the secure version of HTTP, which is the primary protocol used to send data between a browser and server.
When you visit a URL in your browser, that URL will start with either http:// or https://, depending on which protocol is being used. Often, sites are configured so that even if you try to visit them via http://, you are redirected to the https:// version.
HTTPS has two goals/advantages over HTTP:
- Data transferred via HTTPS is encrypted, so if it is intercepted in transit via a man-in-the-middle attack, the attacker would only see encrypted data.
- HTTPS provides a means of validating the identity of domains and servers: a Certificate Authority (CA) establishes a server as trusted and genuine.
In summary, HTTPS can provide: encryption and validity.
HTTPS is now expected
It used to be that HTTPS was only used/expected for sensitive data transfer, such as logins, interactions with bank accounts, a health provider, etc. Now, however, it has become best practice for all data transfers to be encrypted, and modern browsers will flag sites that are not using HTTPS as Not Secure.
How does HTTPS work?
HTTPS uses Transport Layer Security (TLS) (formerly known as Secure Sockets Layer (SSL)) to encrypt communication.
TLS secures communications by using an asymmetric public key infrastructure, i.e. it uses two different keys to encrypt communication between two parties (browser + server):
- Private key - this key is controlled by the owner of a website and it’s kept private. This key lives on a web server and is used to decrypt information encrypted by the public key.
- Public key - this key is available to everyone who wants to interact with the server in a way that’s secure. Information that’s encrypted by the public key can only be decrypted by the private key.
Certificate Authorities
To enable HTTPS, your site needs a certificate from a Certificate Authority (CA).
These can be purchased and range in cost from about $5 to upwards of $100+ (example price/tier options from Namecheap...).
Alternatively, you can get a free certificate from Let’s Encrypt, which is a non-profit Certificate Authority. (Here are details about why/how Let’s Encrypt is free.)
Using Let’s Encrypt will allow us to achieve the goal of encrypting our data transfer; however, it does not offer the same level of domain/server validation that a paid-for certificate will. You should consider a paid-for certificate in any situation where you’re collecting/processing sensitive data (personal information, monetary transactions, etc.) and/or you want to communicate to your users that your site is secure and trustworthy.
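To see what the browser-side check of a CA-issued certificate involves, here is an added Python example (not part of the original guide) that builds a client which refuses unvalidated servers and then summarizes who issued a certificate, which names it covers, and how long it remains valid. The function names and the sample certificate are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone


def strict_client_context():
    """TLS client settings that enforce both HTTPS goals: encryption and CA-validated identity."""
    ctx = ssl.create_default_context()            # loads the system's trusted CA list
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / TLS 1.1
    return ctx                                    # verify_mode and check_hostname are already strict


def fetch_certificate(host, port=443, timeout=5):
    """Handshake with host. Raises ssl.SSLCertVerificationError when the chain does not
    lead to a trusted CA, the certificate has expired, or it does not cover host."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with strict_client_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def summarize(cert, now=None):
    """Reduce a getpeercert() dictionary to the fields worth monitoring."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
    return {
        "issued_by": issuer.get("organizationName"),
        "covers": [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"],
        "days_left": (expires - now).days,  # negative once the certificate has expired
    }


# Constructed sample in the format getpeercert() returns; not taken from a real site.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "Example Issuing CA"),)),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}

if __name__ == "__main__":
    print(summarize(SAMPLE_CERT))
    # For a live check: print(summarize(fetch_certificate("your-domain.example")))
```

Running `summarize(fetch_certificate(...))` against your own domain on a schedule is a simple way to catch a certificate that is about to expire before browsers start rejecting it.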
How is HTTPS configured?
Setting up HTTPS can be summarized by the following three steps:
- Step 1) Obtain and install a certificate on your server.
- Step 2) Generate keys for encryption.
- Step 3) Configure your server to load your site via HTTPS using the keys and certificate.
For more specific details, check out one of the following guides: