Many web browsers mark websites that don’t have an SSL certificate as “not secure”. The warning tells users that the connection between their browser and the server is unencrypted.

The connection can be secured with an SSL certificate. When your website has an SSL certificate people can visit your site via HTTPS rather than HTTP. For instance, people can visit https://example.com rather than http://example.com.

Types of SSL certificates

There are many types of SSL certificates:

  • If you have a fairly small website then a Let’s Encrypt SSL certificate is probably all you need. These certificates are free and renew automatically every 90 days (provided that your domain still resolves correctly). If you would like a Let’s Encrypt certificate for your website then it is easiest to submit a support ticket.
  • So-called business SSL certificates are valid for either one or two years. The certificate authority that issues these certificates is also more stringent than Let’s Encrypt. For instance, you can’t easily get a certificate for a domain like hsbc-bank.co.uk, as the domain is likely to be used for phishing scams. Let’s Encrypt doesn’t care about the domain name – it is only concerned with enabling encrypted connections.
  • Wildcard certificates can be used for any subdomain. This is useful if you have lots of subdomains, as business certificates are only valid for your primary domain (i.e. example.com) and the ‘www’ subdomain (i.e. www.example.com). It is worth noting that all Let’s Encrypt certificates are wildcard certificates.
  • Extended validation certificates are subject to thorough checks by the certificate authority. The aim is to reassure visitors of your website that your business is legitimate. For that reason web browsers used to make the address bar green when a website had an extended validation certificate. No browser vendor is doing that anymore, but if reassurance is important to your business then it is still worth considering an extended validation certificate.
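The difference between a business certificate (primary domain plus ‘www’) and a wildcard certificate comes down to which hostnames the certificate’s Subject Alternative Names cover. The following added example (illustrative Python, not code from this article or from any certificate authority) applies the hostname-matching rules browsers use to two constructed name lists; the SAN lists and hostnames are made up for the demonstration.

```python
# Added example: hostname matching against a certificate's Subject Alternative
# Names (SANs), following the single-label wildcard rule browsers apply.
# The SAN lists below are constructed for illustration, not real certificates.


def san_matches(san: str, hostname: str) -> bool:
    """Return True if one SAN entry covers the hostname.

    A wildcard entry such as "*.example.com" covers exactly one label: it
    matches "blog.example.com" but neither "example.com" itself nor
    "a.b.example.com". Matching is case-insensitive. Any other use of "*"
    (e.g. "f*.example.com") is treated literally and therefore never matches.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # Same number of labels, and every label after the wildcard identical.
    if len(san_labels) != len(host_labels):
        return False
    return san_labels[1:] == host_labels[1:]


def covered_by(sans: list, hostname: str) -> bool:
    """True if any SAN on the certificate covers the hostname."""
    return any(san_matches(san, hostname) for san in sans)


# Constructed SAN lists modelling the two certificate types described above.
BUSINESS_CERT = ["example.com", "www.example.com"]   # primary domain + www only
WILDCARD_CERT = ["example.com", "*.example.com"]     # primary domain + any one-level subdomain

if __name__ == "__main__":
    for host in ["example.com", "www.example.com", "shop.example.com", "a.b.example.com"]:
        print(f"{host:18} business={covered_by(BUSINESS_CERT, host)!s:5} "
              f"wildcard={covered_by(WILDCARD_CERT, host)}")
```

Running it shows that the business list covers only `example.com` and `www.example.com`, while the wildcard list also covers `shop.example.com` but not the two-level `a.b.example.com`, which would need its own entry.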

Redirecting traffic to HTTPS

Once your website has an SSL certificate you need to make sure that you redirect all traffic from HTTP to HTTPS. Content Management Systems such as WordPress have the option to set the website URL, which should take care of most of the redirects. In addition, cPanel has a Force HTTPS Redirect option in the Domains interface.

You can also add a redirect rule in the .htaccess file. The following rule strips the ‘www’ subdomain and redirects website traffic to HTTPS:

RewriteEngine On
# Redirect if the request arrived over plain HTTP ...
RewriteCond %{HTTPS} off [OR]
# ... or if the host name starts with "www."
RewriteCond %{HTTP_HOST} ^www\. [NC]
# Capture the host without any leading "www." as %1
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
# Permanent redirect to the HTTPS, non-www version of the same URI
RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]

Alternatively, you can set up a redirect that always uses the ‘www’ subdomain and redirects to HTTPS:

RewriteEngine On
# Redirect if the request arrived over plain HTTP ...
RewriteCond %{HTTPS} off [OR]
# ... or if the host name does NOT start with "www."
RewriteCond %{HTTP_HOST} !^www\. [NC]
# Capture the host without any leading "www." as %1
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
# Permanent redirect to the HTTPS, www version of the same URI
RewriteRule ^ https://www.%1%{REQUEST_URI} [L,NE,R=301]

Mixed content warnings

After you have added a redirect there may still be elements that are served over HTTP. For instance, there may be style sheets, JavaScript files or images that are downloaded via HTTP rather than HTTPS.

To give an example, you might have something like this in your website’s source code:

<script src="http://code.jquery.com/jquery-3.4.1.min.js"></script>

Here, a jQuery file is downloaded over HTTP. All other elements may be served securely, but because the jQuery file is downloaded over HTTP browsers will show a “mixed content” warning. Typically, the warning will be an icon of a broken padlock in the browser’s URL bar.

If you are not sure why a page is showing a mixed content warning you can check the page via a website such as Why No Padlock. Once you have identified the issue you can update the URLs. For instance, in the case of the above jQuery file you can simply change the URL to https://code.jquery.com/jquery-3.4.1.min.js.
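Tools such as Why No Padlock do this kind of check for you, but the check itself is simple enough to run locally against a page’s source. The following added example (illustrative Python using only the standard library, not code from this article or from Why No Padlock) lists every resource a page loads over plain HTTP, separating the “active” content that browsers block outright (scripts, style sheets, frames) from the “passive” content that only triggers the warning (images, media). The sample HTML is constructed for the demonstration; the jQuery URL is the one used above.

```python
# Added example: find mixed content in an HTML document by listing every
# resource URL that starts with http://. The sample page is constructed.
from html.parser import HTMLParser

# Attributes that make the browser fetch a resource, per tag.
URL_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
    "object": ("data",),
    "embed": ("src",),
}

# Browsers block "active" mixed content and only warn for "passive" content.
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only rel values that load a resource count; canonical, alternate
            # and similar links are not fetched by the browser.
            rel = set((attrs.get("rel") or "").lower().split())
            if not rel & {"stylesheet", "icon"}:
                return
        for name in URL_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value and value.lower().startswith("http://"):
                kind = "active" if tag in ACTIVE_TAGS else "passive"
                self.findings.append((tag, name, value, kind))


def find_mixed_content(html: str):
    """Return a list of (tag, attribute, url, kind) for each plain-HTTP resource."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def upgrade_url(url: str) -> str:
    """Rewrite http:// to https:// (correct only if the host actually serves HTTPS)."""
    if url.lower().startswith("http://"):
        return "https://" + url[len("http://"):]
    return url


# Constructed sample page: three mixed-content resources, two that are fine,
# and one canonical link that is not a resource load at all.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="http://code.jquery.com/jquery-3.4.1.min.js"></script>
<script src="https://code.jquery.com/jquery-3.4.1.min.js"></script>
</head><body>
<img src="http://www.example.com/logo.png">
<img src="//cdn.example.com/banner.png">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url, kind in find_mixed_content(SAMPLE_HTML):
        print(f"{kind:7} <{tag} {attr}> {url}  ->  {upgrade_url(url)}")
```

Protocol-relative URLs (`//cdn.example.com/...`) are not flagged because they inherit the page’s scheme. Before changing `http://` to `https://` in your source, confirm that the host really serves the file over HTTPS; otherwise the fix replaces a warning with a broken resource.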