Have you ever found that your site has been hacked, or do you simply want to avoid that situation? Then move your site to HTTPS for its security. Serving your site over HTTPS is better than serving it over HTTP, which is riskier. The time will come, not far from now, when all sites using an insecure protocol lose access via Google, so before that time comes, make your site secure and worth visiting by following these practices.
As many of us know, HTTPS (Hypertext Transfer Protocol Secure) is an internet communication protocol that protects the integrity and confidentiality of data between the user’s computer and the site. Users expect a secure and private online experience when using a website. Google encourages you to adopt HTTPS in order to protect your users’ connection to your website, regardless of the content on the site. Data sent using HTTPS is secured via the Transport Layer Security protocol (TLS), which provides three key layers of protection:
Encryption—encrypting the exchanged data to keep it secure from eavesdroppers. That means that while the user is browsing a website, nobody can “listen” to their conversations, track their activities across multiple pages, or steal their information.
Data integrity—data cannot be modified or corrupted during transfer, intentionally or otherwise, without being detected.
Authentication—proves that your users communicate with the intended website. It protects against man-in-the-middle attacks and builds user trust, which translates into other business benefits.
Best practices when implementing HTTPS
Use robust security certificates
You must obtain a security certificate as a part of enabling HTTPS for your site. The certificate is issued by a certificate authority (CA), which takes steps to verify that your web address actually belongs to your organization, thus protecting your customers from man-in-the-middle attacks. When setting up your certificate, ensure a high level of security by choosing a 2048-bit key. If you already have a certificate with a weaker key (1024-bit), upgrade it to 2048 bits. When choosing your site certificate, keep in mind the following:
Get your certificate from a reliable CA that offers technical support.
Decide the kind of certificate you need:
Single certificate for single secure origin (e.g. www.example.com).
We recommend that HTTPS sites support HSTS. HSTS tells the browser to request HTTPS pages automatically, even if the user enters http in the browser location bar. It also tells Google to serve secure URLs in the search results. All this minimizes the risk of serving unsecured content to your users.
HSTS adds complexity to your rollback strategy. We recommend enabling HSTS this way:
Roll out your HTTPS pages without HSTS first.
Start sending HSTS headers with a short max-age. Monitor your traffic both from users and other clients, and also dependents’ performance, such as ads.
Slowly increase the HSTS max-age.
If HSTS doesn’t affect your users and search engines negatively, you can, if you wish, ask your site to be added to the Chrome HSTS preload list.
Consider using HSTS preloading
If you enable HSTS, you can optionally support HSTS preloading for extra security. To enable this, you must set the includeSubDomains directive in the HSTS header. Subdomain matching works like this: if the site www.example.com serves an HSTS header with includeSubDomains, here are the domains it would match:
includeSubDomains = true
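An added example (not code from the original page) covering both the staged HSTS rollout and the includeSubDomains matching described above: it parses a Strict-Transport-Security value, reports which hosts the policy covers, and lists what still blocks preloading. The function names and sample header values are constructed for illustration, and the one-year max-age threshold is an assumption taken from the preload list's published submission requirements.

```python
PRELOAD_MIN_MAX_AGE = 31536000  # assumption: one year, per the preload list's submission rules


def parse_hsts(value):
    """Return {'max_age': int|None, 'include_subdomains': bool, 'preload': bool}."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')
            if arg.isascii() and arg.isdigit():
                policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def covers(policy_host, policy, request_host):
    """True if a policy served by policy_host applies to request_host."""
    policy_host = policy_host.lower().rstrip(".")
    request_host = request_host.lower().rstrip(".")
    if policy["max_age"] in (None, 0):       # no valid max-age, or 0 which clears the policy
        return False
    if request_host == policy_host:
        return True
    return policy["include_subdomains"] and request_host.endswith("." + policy_host)


def preload_blockers(policy):
    """List the reasons this policy would not qualify for preloading."""
    problems = []
    if (policy["max_age"] or 0) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not policy["preload"]:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    early = parse_hsts("max-age=300")                                   # constructed: first rollout stage
    final = parse_hsts("max-age=63072000; includeSubDomains; preload")  # constructed: final stage
    for host in ("www.example.com", "a.www.example.com", "example.com", "blog.example.com"):
        print(host, covers("www.example.com", final, host))
    print(preload_blockers(early))
```

A policy served by www.example.com never reaches example.com or its sibling subdomains, so a header meant to protect the whole site has to be served from the parent domain.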
Avoid these common pitfalls
Throughout the process of making your site secure with TLS, avoid the following mistakes:
Make sure your certificate is always up to date.
Certificate registered to incorrect website name
Check that you have registered your certificate to the correct host name. For example, if you register the certificate for www.example.com and your website is configured to use example.com, you’ll have a certificate name mismatch error.
Make sure your web server supports SNI and that your audience generally uses supported browsers. While SNI is supported by all modern browsers, you’ll need a dedicated IP if you need to support older browsers.
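A pre-deployment check for this mismatch, as an added example that is not part of the original page: given the DNS names listed in a certificate and the host names the site is served on, it reports the hosts the certificate does not cover. It goes slightly beyond the text by also handling wildcard names; the function names and sample names are hypothetical.

```python
def name_matches(cert_name, host):
    """Match one certificate DNS name against a host name.

    A wildcard is honoured only as the whole leftmost label and stands for
    exactly one label, so *.example.com covers www.example.com but neither
    example.com nor a.b.example.com.
    """
    c_labels = cert_name.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(c_labels) != len(h_labels):
        return False
    if c_labels[0] == "*":
        # Conservative rule (assumption of this example): reject wildcards
        # directly under a top-level label, such as *.com.
        return len(c_labels) > 2 and c_labels[1:] == h_labels[1:]
    return c_labels == h_labels


def uncovered_hosts(cert_dns_names, served_hosts):
    """Return the served hosts that no name in the certificate matches."""
    return [h for h in served_hosts
            if not any(name_matches(n, h) for n in cert_dns_names)]


if __name__ == "__main__":
    served = ["www.example.com", "example.com"]            # constructed sample
    print(uncovered_hosts(["www.example.com"], served))    # the mismatch from the text
    print(uncovered_hosts(["*.example.com"], served))      # wildcard still misses the apex
    print(uncovered_hosts(["example.com", "www.example.com"], served))
```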
Don’t block your HTTPS site from crawling using robots.txt.
Allow indexing of your pages by search engines where possible. Avoid the noindex meta tag.
Old protocol versions
Old protocol versions are vulnerable; make sure you have the latest versions of TLS libraries and implement the newest protocol versions.
Mixed security elements
Only embed HTTPS content on HTTPS pages.
Different content on HTTP and HTTPS
Make sure the content on your HTTP site and your HTTPS site is the same.
If you migrate your site from HTTP to HTTPS, Google treats this as a site move with a URL change. This can temporarily affect some of your traffic numbers. See the site move overview page to learn more.
Add the HTTPS property to Search Console. Search Console treats HTTP and HTTPS separately, and data for these properties is not shared in Search Console. So if you have pages in both protocols, you must have a separate Search Console property for each one.
Secure your site with HTTPS (admin, 2017-06-08 18:47:50, 2017-06-09 20:11:36)