HTTPS on the website
While there is a great deal of evidence for why everyone should jump on the HTTPS train, many still don't see the value of serving their sites securely. I have already written about the value of HTTPS, but to repeat it: HTTPS protects users from man-in-the-middle attacks.
And if you aren't sure, check out doesmyseedhttps.com to get a complete idea of why every website should be secure. To steer visitors away from insecure pages, browsers shame sites that are served insecurely in certain contexts. Firefox also warns the user when they try to fill out an insecure registration form.
To keep your website from showing this warning to your visitors, all you need is a valid SSL certificate. In fact, I will show you how to get HTTPS on your website for free with Cloudflare. What is Cloudflare? With Cloudflare, you can get an SSL certificate for free, no matter what server-side infrastructure you have.
It also works for websites hosted on platforms that do not give you server access, such as GitHub Pages, Ghost and the like. That makes it a really great way to get HTTPS on your website, and the setup should take no longer than 10 minutes, literally. There are also a number of other advantages in terms of security and website performance that I will not cover here.
Cloudflare sits in the middle of the traffic between your website's visitors and your server. As an intermediary between your web server and the users of your website, Cloudflare helps filter out illegitimate traffic so that only the good traffic gets through. Now, you might wonder whether all this could have a negative impact on the performance of your website, but it's just the opposite.
Cloudflare has data centers all over the world, so it simply uses the closest endpoint for your visitors, which should make your website much quicker than before. Now that we know how Cloudflare works, let's take a look at how to set up a website on its infrastructure and how to get HTTPS for free.
The focus here is on the free features, but be aware that paid plans are also available with a number of additional features. Once you have logged in to Cloudflare, the first thing you need to do is add a domain name and start scanning its DNS records. As soon as the scan is complete, all DNS records for the domain are shown.
Select the subdomains on which you want to activate Cloudflare and make any changes you want. Next, you need to change the nameservers at your registrar to those provided by Cloudflare. The procedure is different for each registrar, so check with yours.
After a while, click Check nameservers to see if your website is now running on Cloudflare. This is the longest part of the setup and can take up to 24 hours, but in my experience it took less than 5 minutes. As soon as your nameserver update has been verified by Cloudflare, your website becomes active on Cloudflare.
If you want to be sure that your DNS settings have propagated everywhere, What's My DNS provides a way to check which addresses your domain resolves to in different locations. In this way, you can be sure that all traffic to your domain is now routed through Cloudflare.
Make sure that your web browser is not using old DNS records from its own cache before you begin to configure Cloudflare. You can do this in Chrome and Firefox by deleting your browsing history. Please note that this is not possible in Firefox. SSL is still largely a premium service: many certificate authorities charge significant fees before they issue an SSL certificate.
With Cloudflare sitting in the middle of your web traffic, SSL should now be set up on your domain. It may take up to 24 hours for the certificate to become active, but in my experience it does not take long at all. As soon as the certificate becomes active, load your website in a web browser.
You should see the page served over HTTPS, with a nice green padlock in the address bar. When you look at more information about the certificate, you will see the certificate authority that issued it (in my case Comodo) and the expiration date. A great thing about Cloudflare is that renewal is done on your behalf, so you don't have to worry about it.
Cloudflare makes it really simple to get SSL on your site for free without having to configure anything, but that is not always the same as serving your site over SSL directly from the origin. This setup encrypts traffic between your website visitors and Cloudflare, but not all the way back to the origin server.
Cloudflare still talks to your server over plain HTTP. That means that any man in the middle (e.g. a network provider) between your server and Cloudflare can see the traffic. Do not use this setting if you are collecting sensitive information on your website. To get encryption all the way to the origin server, you must use the Full or Full (Strict) implementation.
The Full option requires you to install a valid SSL certificate on your server, but the certificate will not be verified, so you can use a self-signed one. The Full (Strict) implementation, however, requires you to install a valid SSL certificate that has been signed by a trusted CA.
If you don't want to buy an SSL certificate from Comodo, you can get a free Origin CA certificate from Cloudflare, which can be used with either the Full or Full (Strict) option because Cloudflare trusts it. Remember, these certificates are trusted only by Cloudflare, so they won't work if you choose to take your website off Cloudflare's infrastructure.
If you do not control your server environment, e.g. when your website is hosted on GitHub Pages or a similar platform, you cannot use the Full or Full (Strict) implementation, which means that although your users see HTTPS in the address bar, traffic is not encrypted all the way to the origin server.
However, this is still a huge improvement over no HTTPS, because it protects your users from being man-in-the-middled on the client side. Regardless of which SSL implementation you choose, there are ways to strengthen it to ensure that your site can never be accessed by your users over insecure HTTP.
Although I get an A grade on my domain name, when you dig into the results you will notice that there is definitely room for improvement in the key exchange and encryption strength areas. Let us take a look at a few things we can do within Cloudflare to strengthen our SSL and bring our scores even higher.
Once you have moved to HTTPS, you should definitely prevent users from reaching your website over an insecure connection. In Cloudflare, you can do this by 301 redirecting all HTTP traffic to HTTPS. In the Crypto settings, locate the Always use HTTPS option and turn it on. The problem with relying only on a 301 redirect from HTTP to HTTPS is that the initial insecure request still goes over the wire, so it can be read by anyone with access to the traffic.
HSTS is a response header that solves this problem by telling web browsers that they must not make insecure requests to a website for a specified period of time. Once a browser receives this header, it will not make an insecure request to your site for the next 31,536,000 seconds (one year's worth).
Instead, all HTTP requests are upgraded to HTTPS internally before they are sent over the network. You can also include the preload directive to allow your site to be built into the browser itself as HTTPS-only. Once you have enabled HSTS on your domain, you can be quite sure that anyone who has loaded your website over HTTPS will from then on only be able to access it over the secure scheme.
So, before you enable HSTS on your website, make sure that all your traffic is served over HTTPS, otherwise you will run into problems. To enable it in Cloudflare, go to the Crypto settings and scroll down to the HTTP Strict Transport Security (HSTS) section. And, in case you're wondering, browser support for HSTS is quite good.
However, if you embed an insecure resource (e.g. an image) on a secure page, the browser will still load it just fine. To fix this, simply change the scheme to HTTPS and everything will be all right again. Cloudflare can help you with its Automatic HTTPS Rewrites feature. To make sure that no content on your website can ever be served insecurely, you should consider implementing a content security policy on your website.
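To find the insecure embeds described above before turning on stricter settings, the following scanner lists every subresource a page loads over `http://`. It is an added example rather than code from the original article; the class and function names are hypothetical and the sample page is constructed.

```python
from html.parser import HTMLParser

PASSIVE = {"img", "audio", "video", "source"}           # display-only media
ACTIVE = {"script", "iframe", "embed", "object", "link"}  # can change the page
URL_ATTRS = ("src", "data", "href", "poster")

# Constructed sample page for illustration.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<a href="http://example.com/old">old link</a>
<img src="http://img.example.com/logo.png">
<img src="//img.example.com/ok.png">
<script src="http://cdn.example.com/legacy.js"></script>
</body></html>"""


class MixedContentFinder(HTMLParser):
    """Collect (kind, tag, url) for subresources requested over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in PASSIVE and tag not in ACTIVE:
            return  # e.g. <a href="http://..."> is navigation, not a subresource
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # only stylesheet links are fetched and applied to the page
        for name in URL_ATTRS:
            url = (a.get(name) or "").strip()
            # Protocol-relative URLs ("//host/...") inherit https and are fine.
            if url.lower().startswith("http://"):
                kind = "passive" if tag in PASSIVE else "active"
                self.findings.append((kind, tag, url))


def find_mixed_content(html):
    """Return the list of insecure subresources found in an HTML document."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"{kind:7} <{tag}> {url}")
```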
I ran the test on my own domain name again, and now we get a D+. There are other ways to get your website on HTTPS for free if you don't want to use Cloudflare for some reason. If you have full control of your server, Let's Encrypt lets you quickly set up HTTPS on your website.
If you do not have direct access to the web server, check with your web host. A few allow you to use Let's Encrypt SSL without granting shell access. This way, you can deploy HTTPS on your website and not have to think about using AWS services like CloudFront. No matter how you deploy HTTPS on your website, the most important thing is to get it up and running as quickly as possible, so that your visitors get the security benefits it offers and you don't miss out on several great browser features that help you build better web experiences.