Being secure online is important for everyone. Your website can enable a feature called HTTPS which encrypts your data making it secure. But HTTPS is not enabled by default. Read on for details of what is involved and what you need.

HTTPS is a secure communication protocol

In the world of computer science HTTPS is a secure communication protocol for a computer network. This means when you visit a website where HTTPS is enabled, all communication to and from it is encrypted.

You can tell if a website has HTTPS enabled as the browser will show a padlock icon in the address bar.

[Images: the HTTPS padlock icon in the Chrome, Firefox, Edge and Opera browsers]

And anything you do on those pages is also encrypted. Enter your credit card details? Encrypted. Login with your email address and password? Encrypted. Search for a product you want to buy? Encrypted.

Historically this is what HTTPS was intended for: encrypting sensitive information like passwords and credit card numbers.

More recently HTTPS is being viewed as beneficial in its own right. Google in particular are on a mission to force the use of HTTPS. Their aim is to eventually display a Not Secure tag for all HTTP websites.

You mentioned HTTPS has to be enabled

Yes. And not just enabled, but paid for too. This is the part that Google doesn't tell you.

HTTPS works by using security certificates often referred to as SSL certificates. These certificates are issued by the imaginatively named Certificate Authorities.

The Certificate Authorities charge for each certificate and like a domain, it has to be renewed every year. The price of an SSL certificate can vary wildly, but expect to pay anywhere up to £100.

In theory you can shop around. But in practice which authority you use is controlled by the web host. More often than not they only allow you to use their chosen provider.

Are there any issues enabling HTTPS?

There are few problems when enabling HTTPS; however, an issue called “mixed content” can occur. Mixed content does not stop the website from working, but the browser can show a small error next to the padlock.

Mixed content occurs when a page served over HTTPS references a resource using an absolute URL that starts with http://. The fix is thankfully simple. Replace the absolute URLs with relative URLs that omit http://.

The only problem with this is that sometimes finding all the offending links can be difficult. This is because they can be buried within other files including CSS and JavaScript.

The best way to find them all is to use the browser developer tools and load the website with the network tab open. Here you can check each individual request.
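
The search can also be run over the site's files before they are published. The Python scanner below is an added example, not part of the original article: it reports resources loaded over http:// from HTML tags and from CSS url() and @import rules, and ignores ordinary links. The tag list, the example.com host and the sample page are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser

# Tags whose URL attribute makes the browser fetch a subresource. <a href> is
# left out on purpose: an ordinary link is navigation, not mixed content.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
                  "video": "src", "source": "src", "embed": "src", "link": "href"}
FETCHING_RELS = {"stylesheet", "icon", "preload"}  # <link> rel values that load a file
CSS_URL = re.compile(r"""(?:url\(\s*|@import\s+)['"]?(http://[^'")\s]+)""", re.I)


class TagScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = RESOURCE_ATTRS.get(tag)
        url = (attrs.get(attr) or "").strip() if attr else ""
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & FETCHING_RELS:
            return  # e.g. rel="canonical" is metadata, nothing is fetched
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], f"<{tag} {attr}>", url))


def scan_css(text):
    """(line, kind, url) for http:// targets of url() and @import; works on a
    .css file or on the CSS embedded in an HTML page."""
    return [(text.count("\n", 0, m.start(1)) + 1, "css", m.group(1))
            for m in CSS_URL.finditer(text)]


def find_mixed_content(html):
    """Every insecure subresource reference in an HTML page, sorted by line."""
    scanner = TagScanner()
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.findings + scan_css(html))


# Constructed sample page; example.com is a placeholder host.
SAMPLE = """<link rel="stylesheet" href="http://example.com/site.css">
<link rel="canonical" href="http://example.com/">
<style>body { background: url('http://example.com/bg.png'); }</style>
<a href="http://example.com/about">About</a>
<script src="http://example.com/app.js"></script>"""

if __name__ == "__main__":
    print(*find_mixed_content(SAMPLE), sep="\n")
```

URLs that JavaScript assembles at run time do not appear in the files as text, so the network tab check is still needed for those.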

Plus a catch with subdomains

An SSL certificate is for an individual domain only, for example bluehousedesign.co.uk. But if we had a subdomain such as support.bluehousedesign.co.uk, we would need to purchase two certificates.

Confusingly, most SSL certificates are valid for both www.bluehousedesign.co.uk and bluehousedesign.co.uk, even though www. is a subdomain. However, it is worth double-checking with the web host, as this may not be the case.

Yet more SSL certificates

To make matters more complex, there are also different types of SSL certificate. You can get so-called Extended, Wildcard and Multi-domain certificates.

These versions do not provide anything different in terms of encryption compared to a standard SSL certificate. So why do they exist? The main reason is for some very specific use cases. Wildcard certificates are for websites that have several subdomains.

The cost of these SSL certificates also increases rapidly. Often three, five or ten times the cost of the standard SSL certificate.

For most businesses with a single company website the standard SSL certificate is enough.
