Securing HTTPS SSL
Below are all steps to take to make sure your site is served securely over HTTPS. Any suggestions, feel free to let me know.
1. Preliminary:
- Install SSL certificate to your domain either through GoDaddy, AutoSSL on CPanel, or Let's Encrypt on CPanel. Let's Encrypt is easiest to me, as it auto-renews and is free. There isn't really a reason to pay anymore for SSL. However, note that you can't have both AutoSSL and Let's Encrypt on at the same time (they will compete/conflict). If you run into errors for subdomains on Let's Encrypt, try excluding the www- checkbox. For Windows IIS, you can use CertifyTheWeb which auto-installs from Let's Encrypt.
2. Adding HSTS to servers.
- What this step does is first redirect you to the https version of your root site (non-www), send a Strict-Transport-Security (HSTS) header to tell people only to use https with your site, and then redirect you to the www version with a repeat of hsts. The www version is optional only if you prefer www in your url. The "includeSubDomains;" part of the hsts lines should be removed if you don't intend for all subdomains/variations of your domain to be https. Be especially careful because messing up this step can prevent access to your domain for a year (the max-age).
- For Apache servers: Add the following to your htaccess file (replace YOUR_SITE).
- For Windows / IIS: Add the following to web.config. You also want to check that your SSL's cipher suite settings are configured.
3. Submit to HSTS Preload
- This sounds archaic and I suspect there will be a more standard/automated way to handle this soon, but for preloading of HSTS to be effective (for browser to know your site requires HTTPS without first visiting your site to begin with), you need to submit your site to this organization: https://hstspreload.org/
Checking Your Work
- Chrome should show your site secure in the URL bar.
- Right-click the page and hit inspect, navigate on Chrome. Loading your site w/o http should result in a 301 permanent redirect to the https version the first time, then a 307 internal redirect to the https version of the site next time you visit, meaning the browser knew to redirect to the https site w/o first risking a visit to the http version. You can also click on each request to confirm and see the HSTS header itself received by the browser. Submitting to hstspreload.org skips the first hit to the http site, but it takes the organization a few months to add your site to their list (again, an archaic thing that'll probably be replaced by Google crawlers or something).
1. Preliminary:
- Install SSL certificate to your domain either through GoDaddy, AutoSSL on CPanel, or Let's Encrypt on CPanel. Let's Encrypt is easiest to me, as it auto-renews and is free. There isn't really a reason to pay anymore for SSL. However, note that you can't have both AutoSSL and Let's Encrypt on at the same time (they will compete/conflict). If you run into errors for subdomains on Let's Encrypt, try excluding the www- checkbox. For Windows IIS, you can use CertifyTheWeb which auto-installs from Let's Encrypt.
2. Adding HSTS to servers.
- What this step does is first redirect you to the https version of your root site (non-www), send a Strict-Transport-Security (HSTS) header to tell people only to use https with your site, and then redirect you to the www version with a repeat of hsts. The www version is optional only if you prefer www in your url. The "includeSubDomains;" part of the hsts lines should be removed if you don't intend for all subdomains/variations of your domain to be https. Be especially careful because messing up this step can prevent access to your domain for a year (the max-age).
- For Apache servers: Add the following to your htaccess file (replace YOUR_SITE).
Code:
Options +FollowSymLinks
RewriteEngine on
#Redirect to non-www first
RewriteBase /
RewriteCond %{HTTP_HOST} ^(YOUR_SITE\.com)$
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ "https\:\/\/YOUR_SITE\.com\/$1" [R=301,L,NC]
#HSTS for non-www
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
# Redirect to www if you prefer it
RewriteBase /
RewriteCond %{HTTP_HOST} !(www\.YOUR_SITE\.com) [OR]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ "https\:\/\/www\.YOUR_SITE\.com\/$1" [R=301,L,NC]
#HSTS for www
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
- For Windows / IIS: Add the following to web.config. You also want to check that your SSL's cipher suite settings are configured.
Code:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
redirectType="Permanent" />
</rule>
</rules>
<outboundRules>
<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
<match serverVariable="RESPONSE_Strict_Transport_Security"
pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>
3. Submit to HSTS Preload
- This sounds archaic and I suspect there will be a more standard/automated way to handle this soon, but for preloading of HSTS to be effective (for browser to know your site requires HTTPS without first visiting your site to begin with), you need to submit your site to this organization: https://hstspreload.org/
Checking Your Work
- Chrome should show your site secure in the URL bar.
- Right-click the page and hit inspect, navigate on Chrome. Loading your site w/o http should result in a 301 permanent redirect to the https version the first time, then a 307 internal redirect to the https version of the site next time you visit, meaning the browser knew to redirect to the https site w/o first risking a visit to the http version. You can also click on each request to confirm and see the HSTS header itself received by the browser. Submitting to hstspreload.org skips the first hit to the http site, but it takes the organization a few months to add your site to their list (again, an archaic thing that'll probably be replaced by Google crawlers or something).
Last Updated Sep 6th, 2018 | 642 unique view(s)
I noticed that autossl isn't in SSL/TLS within shared linux hosting in godaddy. Do you have any workarounds for installing cpanel shared linux hosting? I know it can easily be done in WHM in the GUI, but CPanel looks like it requires SSHing and installing autossl.
It's installed on my version of CPanel, so it is probably something the host has to set up if you're on shared service.