Implementing HTTPS (Cloudflare)

Before following this guide, please read through our general guide to implementing HTTPS as it covers the basics and some important tips. 

If you use Cloudflare as a provider, you can set up HTTPS using their Free Universal Cert. This gives the end user an HTTPS connection without requiring any server-side configuration. The image below shows the downside of this setup: traffic is encrypted only between the visitor and Cloudflare, not between Cloudflare and the origin server. However, this is considered an accepted risk for now due to the simplicity of this solution.

If there is sufficient time and resources to configure Cloudflare more thoroughly, they have guides available for what they call Full SSL, where the traffic is encrypted all the way through.


[Image: Cloudflare]

Configuration

To configure this, start by logging in to the dashboard. Choose the domain and navigate to the overview. Select the Crypto tab and switch to Flexible under SSL.

Force HTTPS

Cloudflare offers a built-in feature to support Force HTTPS. When configuring page rules, there is a function called Enforce HTTPS for this URL.

To activate Force HTTPS, go to the upper blue menu again and this time select Page Rules, followed by Create Page Rule. Enter http://*example.com/* as the pattern to catch every request made over HTTP, and select Always use HTTPS as the setting.

HSTS

Now go back to the Crypto tab in the blue menu, look for the box called HTTP Strict Transport Security, and enable it. Its settings can be changed to configure it in more detail to suit your needs.
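
To confirm that the Force HTTPS rule and the HSTS setting took effect, the response headers can be checked from the command line. The script below is an added example, not part of the original guide or of Cloudflare's tooling; the function names are hypothetical, example.com is the placeholder domain from the page rule, and the sample responses are constructed.

```shell
#!/bin/sh
# Added example: checks over the header text printed by `curl -sI`.

# True if the status is a redirect and Location points at an https:// URL.
redirects_to_https() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        NR == 1 && $2 ~ /^30[1278]$/ { redirect = 1 }
        tolower($1) == "location:" && $2 ~ /^https:\/\// { https = 1 }
        END { exit !(redirect && https) }'
}

# Prints the HSTS max-age in seconds; fails if the header is absent.
hsts_max_age() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($1) == "strict-transport-security:" {
            line = tolower($0)
            if (match(line, /max-age=[0-9]+/)) {
                print substr(line, RSTART + 8, RLENGTH - 8)
                found = 1
                exit
            }
        }
        END { exit !found }'
}

# $1: headers from the http:// request, $2: headers from the https:// request.
# HSTS is read from the HTTPS response because browsers ignore it over HTTP.
check_headers() {
    redirects_to_https "$1" || { echo "FAIL: HTTP is not redirected to HTTPS"; return 1; }
    age=$(hsts_max_age "$2") || { echo "FAIL: no HSTS header on the HTTPS response"; return 1; }
    [ "$age" -gt 0 ] || { echo "FAIL: HSTS max-age is 0 (policy switched off)"; return 1; }
    echo "OK: redirect in place, HSTS max-age=$age"
}

# Constructed sample responses (not captured from a real site).
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Location: https://example.com/'
SAMPLE_HTTPS='HTTP/2 200
strict-transport-security: max-age=15552000; includeSubDomains'

check_headers "$SAMPLE_HTTP" "$SAMPLE_HTTPS"
# Live use: check_headers "$(curl -sI http://example.com/)" "$(curl -sI https://example.com/)"
```

These checks only observe the leg between the visitor and Cloudflare; with Flexible SSL the leg between Cloudflare and the origin server stays unencrypted and cannot be seen from the client side.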