Implementing HTTPS (traditional approach)

Before following this guide, please read through our general guide to implementing HTTPS, as it covers the basics and some important tips. Please note that this method is only recommended if you are not proxying the traffic through any service where HTTPS can be configured, Let’s Encrypt does not suit your needs, and you are fully aware of what you are doing.

Determine what you need

First you need to decide what kind of certificate you need, as the price varies a lot. Is a certificate for a single domain enough, or are multiple domains necessary? Are dynamic subdomains used, so that a wildcard certificate is required instead?

Generate a CSR and install your certificate

Once you’ve mapped out your needs, it is time to look for the right CA (Certificate Authority) to buy the certificate from. It is extremely important to go with a large, well-known player, as smaller ones might not be trusted by some browsers. You will then need to generate a CSR (certificate signing request). To find out how to do this, check out Namecheap’s helpful article on generating a CSR.

The next step is submitting the newly generated CSR to the Certificate Authority. This is usually done by uploading the CSR on the Certificate Authority’s website and then receiving the certificate from them, usually by email or by logging into the Certificate Authority’s web service to download it. The certificate can now be installed – read this article to learn how to install SSL certificates.

HSTS

The only thing that is required for HSTS to work is to set the following header:

Strict-Transport-Security: max-age=604800;

max-age is the time (in seconds) for which browsers should remember the policy and can be changed to your liking. To minimize the damage a misconfiguration can do (browsers will refuse plain HTTP to the site for the whole period), it is recommended to start out with a rather short max-age.

There is also an additional directive called includeSubDomains. Using it applies the policy to all subdomains as well, and the header will then look like this:

Strict-Transport-Security: max-age=31536000; includeSubDomains
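The two header values above are the whole HSTS contract, so it is worth being able to build and check them mechanically. The following is an added example, not code from the original article: it builds a `Strict-Transport-Security` value, parses one back into its directives following the RFC 6797 grammar (directive names are case-insensitive, a trailing `;` is permitted, a repeated directive makes the header invalid), and reports the findings a practitioner would want when reviewing a deployed header. The one-year threshold in `check_hsts` is an assumed default that matches the second example value in the text.

```python
import re

# One directive: name, optionally "=" and a token or quoted string (RFC 6797 section 6.1).
_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z0-9_-]+)\s*(?:=\s*("[^"]*"|[^\s;"]+))?\s*$')


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value into {name: value-or-None}."""
    directives = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # an empty directive (e.g. a trailing ';') is allowed by the grammar
        match = _DIRECTIVE_RE.match(part)
        if not match:
            raise ValueError(f"malformed directive: {part!r}")
        name = match.group(1).lower()  # directive names are case-insensitive
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        val = match.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1]  # strip the quotes of a quoted-string value
        directives[name] = val
    return directives


def build_hsts(max_age: int, include_subdomains: bool = False) -> str:
    """Build a header value in the form used by the article's two examples."""
    if max_age < 0:
        raise ValueError("max-age must be a non-negative number of seconds")
    header = f"max-age={max_age}"
    if include_subdomains:
        header += "; includeSubDomains"
    return header


def check_hsts(value: str, min_age: int = 31536000) -> list:
    """Return a list of findings for a deployed header value (empty list means no concerns).

    min_age defaults to one year (31536000 s), an assumed review threshold."""
    try:
        directives = parse_hsts(value)
    except ValueError as exc:
        return [f"invalid header: {exc}"]
    age_text = directives.get("max-age")
    if age_text is None or not age_text.isdigit():
        # Without a numeric max-age the browser ignores the whole header.
        return ["max-age directive missing or not a number; browsers ignore the header"]
    age = int(age_text)
    findings = []
    if age == 0:
        findings.append("max-age=0 tells browsers to forget the policy for this host")
    elif age < min_age:
        findings.append(
            f"max-age {age} is below {min_age} seconds; acceptable during rollout, raise it once stable"
        )
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent: subdomains are not covered by the policy")
    return findings


if __name__ == "__main__":
    for sample in ("max-age=604800;", "max-age=31536000; includeSubDomains", "foo"):
        print(repr(sample), "->", check_hsts(sample) or "ok")
```

`parse_hsts` deliberately keeps unknown directives rather than rejecting them, because browsers ignore directives they do not recognise and a future extension must not break the check.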

Forced HTTPS

Forced HTTPS can be implemented in many different ways depending on the system, but the goal is to redirect every HTTP request to the corresponding HTTPS page. This can be done in .htaccess files, directly in the web server's configuration, etc.

Below are the two recommended ways to do it if you are using the most common web servers:

Apache: https://httpd.apache.org/docs/current/rewrite/avoid.html#redirect

NGINX: http://serverfault.com/a/337893

Googling “[web server used] redirect http https” should give a guide even for the more obscure solutions.
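The Apache and NGINX links above do the redirect in server configuration; the same logic can live in the application when the server cannot be configured. The following is an added example, not code from the original article or from either web server project: a WSGI middleware that answers every plain-HTTP request with a 301 to the same host, path and query over `https://`, and adds the `Strict-Transport-Security` header from the HSTS section only to HTTPS responses, since RFC 6797 requires browsers to ignore that header when it arrives over plain HTTP. It assumes the app sits directly on the network (no proxy), so `wsgi.url_scheme` reflects the real scheme; the request environments below are constructed samples, and `hello_app` is a stand-in for a real application.

```python
from urllib.parse import quote

# The short rollout value from the article; raise it once the deployment is stable.
HSTS_VALUE = "max-age=604800"


def https_location(environ: dict) -> str:
    """Build the https:// URL for the request in environ, keeping host, path and query."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    if host.endswith(":80"):
        host = host[:-3]  # drop the plain-HTTP port; HTTPS defaults to 443
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "") or "/")
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


class ForceHttps:
    """WSGI middleware: redirect HTTP to HTTPS and add HSTS on HTTPS responses."""

    def __init__(self, app, hsts_value: str = HSTS_VALUE):
        self.app = app
        self.hsts_value = hsts_value

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # Plain HTTP: do not run the app at all, just send the client to HTTPS.
            location = https_location(environ)
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            # Replace any HSTS header the app set so exactly one value is emitted.
            headers = [(k, v) for k, v in headers if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", self.hsts_value))
            return start_response(status, headers, exc_info)

        return self.app(environ, hsts_start_response)


def hello_app(environ, start_response):
    """Stand-in application (hypothetical)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over https\n"]


def make_environ(scheme: str, host: str, path: str, query: str = "") -> dict:
    """Constructed WSGI environ for a sample request (not a real capture)."""
    return {"wsgi.url_scheme": scheme, "HTTP_HOST": host,
            "SERVER_NAME": host.split(":")[0], "SCRIPT_NAME": "",
            "PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": "GET"}


def run(app, environ: dict):
    """Invoke a WSGI app and return (status, headers as dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    app = ForceHttps(hello_app)
    print(run(app, make_environ("http", "example.com", "/login", "next=/account")))
    print(run(app, make_environ("https", "example.com", "/login")))
```

A 301 is what the linked Apache and NGINX recipes send as well; if your site accepts non-GET requests over HTTP, a 308 keeps the method and body across the redirect, whereas clients may turn a 301 POST into a GET.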