Livin’ La Vida Https

I have had SSL enabled on my site for a while now. My hosting provider offered it as an option, and I hated having my password travel unencrypted. However, as Google pushed for https, I started playing with the idea of using https exclusively. As you can (hopefully) see, the migration was successful.

The first order of business was to sort out redirects. I wanted the regular http domain 301-redirected to the https one. As my server was using Apache, the following directives were added to the .htaccess file:

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

In order to be compliant with HTTP Strict Transport Security, I also added a new header just above the conditions in the same file:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

My Suffusion WordPress theme kept using http to fetch ads, and that caused browsers to omit them altogether (you cannot load http scripts on an https site). Therefore I also had to make a slight modification to it. In the file ./suffusion/functions/shortcodes.php I had to change the suffusion_sc_ad function to use https by removing the protocol name from the URL:

function suffusion_sc_ad($attr) {
    $params = array('client', 'slot', 'width', 'height');
    $provider = 'google';
    $provider_type = 'syndication';
    $service = 'ad';
    $service_type = 'page';
    $ret = "<div id='".$service."sense'>\n<script type='text/javascript'><!--\n";
    foreach ($params as $var) {
        $ret .= "\t".$provider."_".$service."_$var = '".$attr[$var]."';\n";
    }
    $ret .= "//-->\n</script>\n";
    // Protocol-relative URL: the theme's original "http://" prefix made browsers block this script on https pages.
    $service_url = "//".$service_type.$service."2.$provider$provider_type.com/$service_type$service/show_{$service}s.js";
    $ret .= "<script type='text/javascript' src='$service_url'></script>\n";
    $ret .= "</div>\n";
    return $ret;
}

The result of these three changes is that my site is now https-only without any loss of functionality.
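To check that the three changes actually took, here is an added example (my own code, not the theme's or the post's): it verifies a captured http response for the 301 to https, parses the Strict-Transport-Security header, and scans page HTML for http:// sub-resources that a browser would block on an https page. The sample HTML, host name and response values are constructed for the example.

```python
from html.parser import HTMLParser
# Attributes that load sub-resources; an http:// value on an https page is mixed content.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

# Constructed sample page: the theme's original http:// ad script beside the protocol-relative fix.
SAMPLE_HTML = (
    "<div id='adsense'><script src='http://pagead2.googlesyndication.com/pagead/show_ads.js'>"
    "</script><script src='//pagead2.googlesyndication.com/pagead/show_ads.js'></script></div>"
)

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value and value.lower().startswith("http://"):
                self.findings.append((tag, value))

def find_mixed_content(html):
    """Return (tag, url) pairs for sub-resources a browser would block on an https page."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

def check_redirect(status, headers, host, path):
    """True if a plain-http request was answered with a 301 to the same host and path on https."""
    return status == 301 and headers.get("Location", "") == "https://" + host + path

def parse_hsts(headers):
    """Parse Strict-Transport-Security into {'max-age': int, 'includesubdomains': bool}, or None."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return None
    result = {"max-age": 0, "includesubdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().lower().partition("=")
        if name == "max-age" and arg.isdigit():
            result["max-age"] = int(arg)
        elif name == "includesubdomains":
            result["includesubdomains"] = True
    return result

def hsts_ok(headers, min_age=31536000):
    """True if HSTS is present, lasts at least min_age seconds and covers subdomains."""
    parsed = parse_hsts(headers)
    return parsed is not None and parsed["max-age"] >= min_age and parsed["includesubdomains"]
```

Feed it the status, headers and body from a real fetch of your own site to confirm the redirect, the header and the absence of leftover http:// resources.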

PS: Those checking the certificate will notice that I use CloudFlare and their Universal SSL. Do note that using such a service is effectively one big man-in-the-middle attack, since CloudFlare decrypts all traffic before encrypting it again when it contacts your site. It is not because they are evil but because they cannot provide their CDN services (and more) any other way. For ordinary website traffic, I see no problem with this approach. However, for administration tasks, I would recommend having a separate https subdomain that leads directly to your server.
