Requirement
Website owners must commit to continuously trying to improve security on their website. By applying for a Mitigate-5 Certification, website owners by default agree to this requirement.
Note to applicants: Mitigate-5 Certifications expire at the end of each calendar year. Renewal is automatic and does not require a new application. Re-verification checks are done between November and December of each year
Note to applicants: If any aspect of this requirement is unclear, please contact us.
Why implement HTTPS
Security is a process, not an event, and the responsible action is to continuously try to apply security controls in line with good industry practices and standards.
Mitigate-5 requires a commitment to continuous improvement for the following core reasons:
- It supports the inherent nature of security, which requires security controls to evolve along-side attacks and emerging technology.
- Document how the process will work and assign someone in the business who will be responsible for applying and maintaining the process
Before a continuous improvement process
- Understand the different types of coverage (i.e. single domain, multi-domain, Wildcard)
- Change hard-coded URLs to relative URLs to prevent browsers highlighting mixed content warnings to users after HTTPS is active.
- Check for crawling and indexing issues. Remove entries from the robots.txt file that block crawlers from the HTTPS version of the site. Avoid the noindex meta tag in the source code of web pages.
After buying an SSL Certificate
- Periodically monitor and assess the performance of the improvement process to identify and fix inefficiencies.
- Certificate mismatch – Use a certificate that covers all the domain and sub-domains your website uses, or browsers will show users a warning telling them the website is unsafe (because the certificate doesn’t match the domain it’s assigned).
