Websites should automatically load over HTTPS and use good SSL configuration.
Good configuration means:
Why implement HTTPS
HTTPS is implemented by obtaining an SSL certificate from a certificate authority (CA). An SSL certificate can be purchased or obtained for free.
Mitigate-5 requires HTTPS for the following four (4) core reasons:
There are several options for implementing HTTPS on a corporate website, depending on how the website is hosted. Website owners who are unsure should consult their internal technical team or hosting provider.
Many web hosting companies have their own way of implementing HTTPS on the websites they host. They usually provide a helpful guide in their support area.
Before buying an SSL Certificate
After buying an SSL Certificate
- Check for old protocol versions that are known to be vulnerable (e.g. SSLv3, TLSv1.0 and TLSv1.1) and disable them. Upgrade your TLS libraries over time as stronger versions are released.
- Check for SSL errors. WhyNoPadLock.com (https://www.whynopadlock.com) can be used to automate this check.
- Set the HSTS (HTTP Strict Transport Security) response header.
- Set up server-side redirects (status 301) from HTTP to HTTPS (e.g. using apache.conf, .htaccess or other redirect options from your hosting provider).
- Set up an auto-renew process. Without one, there is a risk that the SSL certificate expires a year later, and browsers will then show users a warning telling them your site is unsafe (because the certificate is now invalid).
- Avoid certificate mismatch: use a certificate that covers the domain and all sub-domains your website uses, or browsers will show users a warning telling them the website is unsafe (because the certificate does not match the domain it is presented for).
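The checklist above can be turned into automated checks. The following is an added example, not code from the Mitigate-5 guidance or from any tool it names: each function takes the values a live probe would normally return (the enabled protocol list, the redirect status and headers, the certificate's subject names and expiry), so the logic runs offline. All host names, header values and dates in it are constructed.

```python
"""Offline checks for the post-purchase HTTPS checklist (added example).
Inputs stand in for what a live probe (TLS handshake, HTTP response) would
return; host names, header values and dates below are constructed."""
import ssl
from datetime import datetime, timezone, timedelta
from urllib.parse import urlsplit

# Protocol versions the checklist says to disable.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def deprecated_protocols(enabled):
    """Return the enabled protocol versions that should be disabled."""
    return sorted(p for p in enabled if p in DEPRECATED_PROTOCOLS)

def modern_client_context():
    """A client context that refuses to negotiate anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    return directives

def check_hsts(header_value, min_age=31536000):
    """List problems with the HSTS header; an empty list means it passes."""
    if header_value is None:
        return ["HSTS header missing"]
    directives = parse_hsts(header_value)
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["max-age directive missing or not an integer"]
    problems = []
    if max_age < min_age:
        problems.append(f"max-age {max_age} is below {min_age} seconds")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains not set")
    return problems

def check_redirect(request_url, status, location):
    """Verify an HTTP request is permanently redirected to the same URL over HTTPS."""
    problems = []
    if status != 301:
        problems.append(f"expected 301, got {status}")
    if not location:
        return problems + ["Location header missing"]
    req, loc = urlsplit(request_url), urlsplit(location)
    if loc.scheme != "https":
        problems.append("redirect target is not https")
    if loc.hostname != req.hostname:
        problems.append("redirect changes host")
    if loc.path != req.path:
        problems.append("redirect drops the requested path")
    return problems

def name_matches(pattern, hostname):
    """Match a certificate name against a host: exact, or one leftmost wildcard label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard covers exactly one label and needs at least two labels after it.
    return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])

def uncovered_hostnames(san_names, hostnames):
    """Return the site host names that none of the certificate's names cover."""
    return [h for h in hostnames if not any(name_matches(n, h) for n in san_names)]

def renewal_status(not_after, now=None, warn_days=30):
    """'expired', 'renew' (inside the warning window) or 'ok'; ISO 8601 times with offset."""
    expiry = datetime.fromisoformat(not_after)
    current = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
    remaining = expiry - current
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= timedelta(days=warn_days):
        return "renew"
    return "ok"

if __name__ == "__main__":
    # Constructed probe results for a hypothetical site.
    print("disable:", deprecated_protocols(["TLSv1", "TLSv1.2", "TLSv1.3"]))
    print("hsts:", check_hsts("max-age=300"))
    print("redirect:", check_redirect("http://www.example.com/login", 302, "https://www.example.com/"))
    print("uncovered:", uncovered_hostnames(["*.example.com"], ["example.com", "www.example.com"]))
    print("renewal:", renewal_status("2024-01-11T00:00:00+00:00", "2024-01-01T00:00:00+00:00"))
```

In practice the inputs come from the server: the negotiated protocol and peer certificate from a TLS handshake (the `ssl` module's `getpeercert()` gives the SAN names and expiry), and the status, `Location` and `Strict-Transport-Security` values from a plain HTTP request to the site. The one-year `max-age` default and the 30-day renewal window are conventional thresholds, not values from the page.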